

The Mbna Fan Club Thread


pompeyfaith

This is confirmed in Principle 2 of the Data Protection Act, which states:

"2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes."

 

I emphasise the term "specified and lawful purposes" as in ‘those specified within the contract’, and no more. I also emphasise the term "shall not be further processed".

 

I have taken the matter up with the Credit Reference Agencies, and they had claimed that they had a “legal right” to maintain this type of adverse entry for up to six years. When I challenged them to quote me the exact Statute that includes this so-called “legal right”, they remained remarkably quiet. Only after my continued insistence of disclosure did they eventually concede that, whilst they have no statutory right, it is

 

As mentioned earlier, the words are surleybond's

 

Hi Vint

 

I have not yet contacted them with your info above that you kindly gave me today.

 

However, I did get a response today from my previous contact as follows:

 

Thank you for your e-mail received 22 October 2009.

 

Abbey credit cards were administered by MBNA up until 2006. I am assuming from your comments that you are not disputing the fact that you were in possession of a card and that funds were advanced to you.

 

For your information I have copied below an extract from advice we have received from the Information Commissioner regarding the issue of unenforceable credit agreements:

 

The question of whether a legal liability exists in relation to a credit agreement is quite separate from the question of whether such a liability may be enforced by the creditor.

Where a liability does exist, creditors have a legitimate interest in sharing relevant information about that liability, including information about whether the amount due has been repaid. Such information may properly inform responsible lending decisions, regardless of whether the liability is enforceable.

 

However they need your signed approval to report data. If an agreement exists, but is unenforceable due to missing or misstated prescribed terms, then possibly they can post data. However where they can find no agreement, they cannot. Boils down to do they have your signature in a box on an agreement that says they will record data.

 

Responsible lending decisions are dependent upon lenders receiving accurate information about individuals’ ability (and/or inclination) to repay their debts.

Not your problem and a very poor argument.

 

Where a credit agreement clearly existed and credit has been provided to the debtor, but the debtor is not obliged to repay the loan due to the provisions of the Consumer Credit Acts, this does not mean that there was no agreement in the first place. It simply means that there was no enforceable regulated agreement.

 

Again, signed agreement please.

 

It follows that, where the existence of the agreement is not in doubt, we consider it to be appropriate for information about the agreement, including any failure by the debtor to repay his or her debt, to be recorded with the credit reference agencies. Where a ‘debtor’ disputes the existence of any credit agreement, enforceable or otherwise, we would ask to see evidence of the agreement and of its terms. This might include evidence of the provision of the credit facility or of a history of payments made by the debtor.

 

This shows that the ICO are not in touch with the provisions of the act. The act clearly states that the data subject must give permission.

 

You may also wish to refer to the recent case of McGuffick v Royal Bank of Scotland.

 

They had a signed agreement.

 

If you have any further queries, please feel free to contact me directly either by e-mail at [email protected], by telephone on 0115 8286485 or by writing to me at the following address:

 

Directors' Office, Experian, PO Box 8000, Nottingham, NG80 7WF

 

Yours sincerely

 

Please advise my next move. Many thanks.

Vint

Link to post
Share on other sites

  • 2 weeks later...
OK, letters were sent as above.

 

Lowell's gave no response so I emailed letter number 2 today.

 

CapQuest are complete idiots as they fail to see that they cannot deal with a prior dispute with an OC, so second letter sent today also. They just seem to employ (insert word of your choice) who press standard template buttons on a keyboard without considering the consequences.

 

Second letters have also been marked "Notice before action". In both cases the local MPs are also involved, also OFT, Consumer Direct, TS, and the banking Ombudsman.

 

I shall get those entries removed from my CRA files very soon now!!! :D

 

Hi Vint

 

Having sent off letters 1 and 2, today I got a reply from Lowell's, actually now from Red, another of their "group".

 

Basically this is what they are saying when I say to them they do have have the original CCA, it has been lost, but they still keep a CRA entry about my 10500 pounds:

 

As Lowell Portfolio 1 Ltd are now the Data Controller for the debt, we are able to record this information as the default is registered to reflect true and accurate information on how your account has been conducted.

 

In view of the above and in accordance with Schedule 2, paragraph 2(a) of the Act that deals with the exceptions to any request under section 10, Lowell Portfolio 1 Ltd or Lowell Financial Ltd are not prepared to cease processing your data in respect of the debt claimed from MBNA on the basis this is required for the performance of the said contract to which you are a party.

 

I therefore wrote back to them as follows, but wonder what else I can do?

 

Thank you for your letter dated 19th October 2009, received today.

However, I note that you have failed to respond to my request under the Data Protection Act 1998.

 

You have confirmed in writing that you do not have an original Consumer Credit Agreement for the alleged account and you do not hold the signed authority that I have requested.

 

You will be aware that the Data Protection Act 1998, requires you to hold signed authority from myself to process such data that does not fall within the public domain.

 

I must remind you of the fines that can be imposed by the Information Commissioner's Office for handling my data without permission. Recent fines to companies have reached £50k.

 

I also remind you of recent awards of compensation for complicity in besmirching a data subject's credit worthiness, as referenced in my previous email, Durkin v HFc £8k.

 

Please remove your unlawful entry on my credit reference accounts.

In connection with this, I require you to comply with the notice below, which was served originally on October 26th 2009:

 

Statutory notice under section 10 of the Data Protection Act 1998.

You are required to cease processing any data in relation to myself with immediate effect. This means you must remove all information regarding this account from your own internal records and from my records with any third parties and credit reference agencies.

 

Please confirm that you have complied with my request under section 10 of the Data Protection Act. Failure to do so will result in further action being taken through the courts and/or regulatory bodies.

 

I look forward to your due diligence in this matter.

Link to post
Share on other sites


Also Experian emailed back today as follows:

 

We do not need your 'signed approval' or consent to process data about you and I draw your attention to guidance previously issued by the Information Commissioner on this matter:

 

http://www.ico.gov.uk/upload/documents/library/data_protection/practical_application/credit_%20agreements%20-%20data_%20sharing.pdf

Link to post
Share on other sites

Our MBNA Acc.3 has been in dispute since September 2008, passed to 1stCredit in March 2009, DHS (Debt Help Services) had it in October 2009, then 1stCredit sent a 'make us an offer' letter, and today got a letter from Connaught Collections UK Ltd :eek: There's tiny writing at the bottom of the letter saying

 

Our company has the sole control of your account. Payment must be sent to this office. DO NOT PAY A DOORSTEP COLLECTOR, without first gaining our authority.

 

It's quite tedious isn't it :confused:

Link to post
Share on other sites


THEY PLAY A SIMPLE GAME OF WEARING YOU DOWN BY DOING THIS AND PASSING FROM ONE COLLECTOR TO ANOTHER.

 

OK, let's play! Wait a couple of weeks (you don't want to respond too fast, just try and drag it out slowly, it wears them down also!), then use a standard letter such as this, personalised for your circumstances:

 

ACCOUNT IN DISPUTE

Dear Sir or Madam,

Account number: XXXX XXXX XXXX XXXX

 

I must admit that I am rather bemused as to why this account has been passed to yourselves, as it is in dispute with the **original creditor/DCA** and has been since DATE 2007.

Not only is this a breach of OFT collection guidelines, but also in breach of the Consumer Credit Act 1974 and Data Protection Act 1998

 

My last letter from **original creditor/DCA** was DATE and intimated that my complaint would be resolved on **DATE**, this obviously hasn’t happened.

As **original creditor/DCA** are now in default of my Consumer Credit Act request, OFT Collection Guidelines, *Subject Access request and have also breached *s10 Data Protection Act request, I consider this account to be in SERIOUS DISPUTE.

 

As you are aware while my Consumer Credit Act request remains in default enforcement action is NOT permitted, under s127 this constitutes a complete defence at law.

 

Consequentially any legal action you pursue will be averred as both UNLAWFUL and VEXATIOUS.

 

Now I would respectfully suggest that this account is returned to the **original creditor/DCA** for resolution of these defaults and breaches, as **New DCA** cannot lawfully pursue any enforcement activities.

 

If **New DCA** chooses to ignore my dispute and attempt enforcement, I will initiate legal action and file reports with the appropriate authorities, including, but not limited to, Trading Standards, Office of Fair Trading, Information Commissioners Office, Financial Ombudsman Service and possible court action.

 

After taking advice, I am of the opinion that any continued pursuit is in violation of the Administration of Justice Act 1970 section 40 as well as breaching a number of the OFT Collection Guidelines

 

I hope that this will not be necessary and an acceptable solution can be accomplished.

 

I would appreciate your due diligence in this matter.

I look forward to hearing from you in writing.

 

Yours faithfully

Link to post
Share on other sites

Also Experian emailed back today as follows:

 

We do not need your 'signed approval' or consent to process data about you

???????????? How about the Data Protection Act then. They do not need your permission to hold data in the public domain, but the OC clearly does need signed permission to hold and process data about you.

and I draw your attention to guidance previously issued by the Information Commissioner on this matter:

That document assumes that there is an agreement in force, signed by the Data Subject. The DPA is clear.

 

http://www.ico.gov.uk/upload/documents/library/data_protection/practical_application/credit_%20agreements%20-%20data_%20sharing.pdf

Vint

Link to post
Share on other sites

Try also looking at the DPA box that you signed on earlier agreements. It usually only refers to marketing.

 

Hi Vint

 

I am obviously rattling their cage as I received this email in reply to one that I sent earlier today. As yet, I have not replied using your posts from today. Before I do so, please comment on their email, many thanks as always, but I can smell their blood already!

 

Dear XXXX

 

Thank you for your e-mail received today.

 

The Data Protection Act 1998 sets out six conditions under which companies can process personal information. Consent is only one of these conditions. No one condition carries greater weight than any other and all the conditions provide an equally valid basis for processing.

 

Information is shared with the credit reference agencies under conditions 1 and/or 2 and/or 6(1) of Schedule 2 of the Data Protection Act 1998. You may wish to clarify this point with the Information Commissioner's Office.

 

The case of Tournier v National Provincial and Union Bank of England also set out four conditions where a bank can legally disclose information about its customer. Again, consent is only one of these conditions and all of the conditions provide an equally valid basis for disclosure.

 

If you do not adhere to the terms and conditions of an agreement that you enter into, then it is considered to be in the bank's legitimate interests to share that fact regardless of whether you consent to them doing so. They are allowed to do this on the basis of paragraph 6(1) of Schedule 2 of the Data Protection Act 1998 and this is further supported in law by the case of Tournier v National Provincial and Union Bank of England.

 

I trust that the above clarifies our position. Having queried the accuracy of the entries that you wished to dispute, we have fulfilled our legal obligations and complied with your rights under Section 159 of the Consumer Credit Act 1974 and the Data Protection Act 1998. In view of this we will not be answering any further correspondence from you in connection with this matter.

 

Any other queries that you may have about your report will be dealt with in accordance with Section 159 of the Consumer Credit Act 1974.

 

Yours sincerely

 

 

 

 

Mr L J Hancock

Consumer Compliance Executive

Directors' Office

Link to post
Share on other sites

Vint

 

Here is my response to them:

 

Thank you for your email of yesterday.

 

I note that you have unilaterally decided not to discuss the issues that I have brought to your attention. I am not satisfied with the answers that you have so far provided and you appear not to adhere to your own guidelines in which Experian say:

 

Working with Experian’s other regions and our Head of Global Corporate Responsibility, we have defined six essential responsibilities and these provide the framework and direction for our Corporate Responsibility (CR) strategy and objectives.

We have a responsibility to:

Use and protect data properly, respecting all the relevant laws, helping evolve industry guidelines and new legislation and ensuring a culture of compliance with the highest standards of integrity.

You do not need my permission to hold data in the public domain, but Lowell's clearly do need my signed permission to hold and process data about me. You know that there is no CCA in existence and you are therefore processing data about me unlawfully.

 

I also draw your attention to the phrase that you used in your previous email: "and I draw your attention to guidance previously issued by the Information Commissioner on this matter."

 

The document to which you refer assumes that there is an agreement in force, signed by the Data Subject. In this case, you have it in writing that the document does not exist and I attach a copy of the correspondence from Lowell's stating so.

 

The Data Protection Act is clear on this point and I am surprised that you trying to evade this issue and hiding irrelevant behind template responses designed to frighten off the uninformed consumer.

 

I must remind you of the fines that can be imposed by the Information Commissioners Office for handling my data without permission. Recent fines to companies have reached£50k.

 

I also remind you of recent awards of compensation for complicity in besmirching a data subjects credit worthiness, as referenced in my previous email, Durkin v HFc £8k.

 

Since you have variously misquoted the law in an attempt to get rid of my complaint, I am going to ask you a simple question and, respectfully, would like an answer:

 

Point out to me the part of the Data Protection Act that allows Lowells and Experian to process my data without permission in the absence of a signed Contract (CCA).

 

This issue will not go away, so I suggest that if you are unsure of the law, you take appropriate legal advice rather than reply on template letters supplied by your department.

 

Regards

Link to post
Share on other sites

Here is my response to them:

 

Thank you for your email of yesterday.

 

I note that you have unilaterally decided not to discuss the issues that I have brought to your attention. I am not satisfied with the answers that you have so far provided and you appear not to adhere to your own guidelines in which Experian say:

 

Working with Experian’s other regions and our Head of Global Corporate Responsibility, we have defined six essential responsibilities and these provide the framework and direction for our Corporate Responsibility (CR) strategy and objectives.

We have a responsibility to:

Use and protect data properly, respecting all the relevant laws, helping evolve industry guidelines and new legislation and ensuring a culture of compliance with the highest standards of integrity.

You do not need my permission to hold data in the public domain, but Lowell's clearly do need my signed permission to hold and process data about me. You know that there is no CCA in existence and you are therefore processing data about me unlawfully.

 

I also draw your attention to the phrase that you used in your previous email: "and I draw your attention to guidance previously issued by the Information Commissioner on this matter."

 

The document to which you refer assumes that there is an agreement in force, signed by the Data Subject to enable the sharing of data, as opposed to holding data. In this case, you have it in writing that the document does not exist and I attach a copy of the correspondence from Lowell's stating so.

 

The Data Protection Act is clear on this point and I am surprised that you trying to evade this issue and hiding irrelevant behind template responses designed to frighten off the uninformed consumer.

 

I must remind you of the fines that can be imposed by the Information Commissioners Office for handling my data without permission. Recent fines to companies have reached£50k.

 

I also remind you of recent awards of compensation for complicity in besmirching a data subjects credit worthiness, as referenced in my previous email, Durkin v HFc where £8k damages were awarded. The judge had estimated £116k as the loss suffered, however Durkin had only claimed £8k.

 

Since you have variously misquoted the law in an attempt to get rid of my complaint, I am going to ask you a simple question and, respectfully, would like an answer:

 

Point out to me the part of the Data Protection Act that allows Lowells and Experian to process my data without permission in the absence of a signed Contract (CCA) with the original creditor, and what signed consent do you as a third party possess, from me the data subject, to enable you to share my data with a Credit Reference Agency or indeed any third party.

 

This issue will not go away, so I suggest that if you are unsure of the law, you take appropriate legal advice rather than reply on template letters supplied by your department.

 

Regards

Good to go.

Link to post
Share on other sites

Originally Posted by alisindebt

Here is my response to them:

 

Thank you for your email of yesterday.

 

I note that you have unilaterally decided not to discuss the issues that I have brought to your attention. I am not satisfied with the answers that you have so far provided and you appear not to adhere to your own guidelines in which Experian say:

 

Working with Experian’s other regions and our Head of Global Corporate Responsibility, we have defined six essential responsibilities and these provide the framework and direction for our Corporate Responsibility (CR) strategy and objectives.

We have a responsibility to:

Use and protect data properly, respecting all the relevant laws, helping evolve industry guidelines and new legislation and ensuring a culture of compliance with the highest standards of integrity.

You do not need my permission to hold data in the public domain, but Lowell's clearly do need my signed permission to hold and process data about me. You know that there is no CCA in existence and you are therefore processing data about me unlawfully.

 

I also draw your attention to the phrase that you used in your previous email: "and I draw your attention to guidance previously issued by the Information Commissioner on this matter."

 

The document to which you refer assumes that there is an agreement in force, signed by the Data Subject to enable the sharing of data, as opposed to holding data. In this case, you have it in writing that the document does not exist and I attach a copy of the correspondence from Lowell's stating so.

 

The Data Protection Act is clear on this point and I am surprised that you are trying to evade this issue and hiding irrelevant information behind template responses designed to frighten off the uninformed consumer.

 

I must remind you of the fines that can be imposed by the Information Commissioners Office for handling my data without permission. Recent fines to companies have reached(space) £50k.

 

I also remind you of recent awards of compensation for complicity in besmirching a data subject's credit worthiness, as referenced in my previous email, Durkin v HFc where £8k damages were awarded. The judge had estimated £116k as the loss suffered, however Durkin had only claimed £8k.

 

Since you have variously misquoted the law in an attempt to get rid of my complaint, I am going to ask you a simple question and, respectfully, would like an answer:

 

Point out to me the part of the Data Protection Act that allows Lowells and Experian to process my data without permission in the absence of a signed Contract (CCA) with the original creditor, and what signed consent do you as a third party possess, from me the data subject, to enable you to share my data with a Credit Reference Agency or indeed any third party.

 

This issue will not go away, so I suggest that if you are unsure of the law, you take appropriate legal advice rather than reply on template letters supplied by your department.

 

Regards

 

A little proof-reading (in green) :)

Link to post
Share on other sites

Good to go.

 

Oh dear!! My goodness, what can the matter be?

 

We have rattled the cage of the good people at Experian over this.

 

Just received an angry email from the person who is apparently reading all this at Experian-how frightening! Don't read on if you are easily upset by angry men in suits. This nasty reply has to be XXXX rated. Talk about throwing your toys out of your cot, hahahahaha. This is what he is ranting on about:

 

Thank you for your e-mail received 4 November 2009.

 

I would refer you back to my previous correspondence where I have already answered the questions you have asked.

 

The condition under which Lowells and Experian can process your information is Paragraph 6(1) of Schedule 2 of the Data Protection Act 1998:

 

"The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case because of prejudice to the rights and freedoms or legitimate interests of the data subject."

 

This is further supported in law by the case of Tournier v National Provincial and Union Bank of England.

 

The document I referred you to from the Information Commissioner's Office did not assume that there was an agreement in force, signed by the Data Subject. The document specifically states:

 

"The complaints maintain that the agencies only have permission to hold account information for the duration of a credit agreement and that once the agreement ends so does the consent to process information about it."

 

"The complainants’ argument is based on the assumption that the credit reference agencies need consent to process account information. This is not the case."

 

I can assure you that I am not using template responses. I am also fully aware that you are receiving advice on how to respond to my correspondence from various individuals on consumer forums.

 

For clarity, the individual who drafted the original template letters you quoted did not achieve the result you appear to be attempting to attain.

 

I have not misquoted the law and I would suggest that you seek professional legal guidance should you wish to pursue this matter further.

 

I am fully aware of the case of Durkin v DSG Retail Limited and HFC Bank PLC but fail to see the relevance?

 

The case of Durkin held that a lender had a duty of care to investigate, in the event of a dispute, whether or not information supplied by the customer was correct in relation to a debtor-creditor-supplier agreement under Section 12 of the Consumer Credit Act 1974. This was in relation to a dispute between the debtor and supplier.

 

Your correspondence thus far has not highlighted any inaccuracies in the data supplied to us. You have also previously stated that you had an Abbey National credit card and defaulted.

Link to post
Share on other sites


I forgot to mention that Experian tend to come down on the side of the banks (for obvious reasons). The email above said he was "aware" that I got advice on here (sorry, is that not allowed Experian?) and that I "stated that I had an Abbey National credit card." oh my god, how bad of me!!

 

Strange how one sided this is. He forgot to mention that I had got all my illegal credit card charges refunded by Abbey and that I am also reclaiming unlawful PPI charges on the same account. There was one other little thing he forgot to mention.......now.....what was it........? Oh, yeah, there is no CCA as they never kept records back that far and Lowell's happily bought the account from Abbey without checking that all the paperwork was in order. Yes, Abbey s--t all over Lowell's when they sold them this account.


Oh dear!! My goodness, what can the matter be?

 

We have rattled the cage of the good people at Experian over this.

 

Just received an angry email from the person who is apparently reading all this at Experian-how frightening! Don't read on if you are easily upset by angry men in suits. This nasty reply has to be XXXX rated. Talk about throwing your toys out of your cot, hahahahaha. This is what he is ranting on about:

 

Thank you for your e-mail received 4 November 2009.

 

I would refer you back to my previous correspondence where I have already answered the questions you have asked.

 

The condition under which Lowells and Experian can process your information is Paragraph 6(1) of Schedule 2 of the Data Protection Act 1998:

 

They cannot ignore the law!

 

"The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case because of prejudice to the rights and freedoms or legitimate interests of the data subject."

 

Legitimate purposes maybe, but all that we have read leads to the conclusion that the data subject has to have given permission, or that there is an enforceable agreement in place. They have to operate under the law of the land, not guidance from a quango.

There has to be a legitimate reason to hold financial data and without a contract, there can be no legitimate reason. Why do courts instruct the removal of data when a contract or agreement cannot be found? Why do credit companies seek your approval on their forms to report data about you if it is not required?

 

This is further supported in law by the case of Tournier v National Provincial and Union Bank of England.

 

HOW?

Tournier v. National Provincial and Union Bank of England was a landmark 1924 legal case in the United Kingdom. It established the conditions under which banks owed confidentiality to their clients, allowing four circumstances wherein banks were not required to guard privacy: where compelled by (1) law, (2) public duty, (3) the interest of the bank, or (4) where the client had consented, even implicitly, to disclosure.[1]

In this case the bank disclosed to its customer's employer the fact that one of the customer's unpaid cheques was drawn in favour of a bookmaker's account. As a result, the customer's employer did not renew his contract with the customer. The Court of Appeal held that the bank was guilty of breach of confidentiality, which was an implied term in the customer's contract with his bank.

 

The document I referred you to from the Information Commissioner's Office did not assume that there was an agreement in force, signed by the Data Subject. The document specifically states:

 

Guidance not law

 

"The complaints maintain that the agencies only have permission to hold account information for the duration of a credit agreement and that once the agreement ends so does the consent to process information about it."

 

"The complainants’ argument is based on the assumption that the credit reference agencies need consent to process account information. This is not the case."

 

Oh yes it does, through the OC.

 

I can assure you that I am not using template responses. I am also fully aware that you are receiving advice on how to respond to my correspondence from various individuals on consumer forums.

 

For clarity, the individual who drafted the original template letters you quoted did not achieve the result you appear to be attempting to attain.

 

Well, Surleybonds did actually. 2 backed down right away, the third when an N1 was issued.

 

I have not misquoted the law and I would suggest that you seek professional legal guidance should you wish to pursue this matter further.

 

I am fully aware of the case of Durkin v DSG Retail Limited and HFC Bank PLC but fail to see the relevance?

 

The case of Durkin held that a lender had a duty of care to investigate, in the event of a dispute, whether or not information supplied by the customer was correct in relation to a debtor-creditor-supplier agreement under Section 12 of the Consumer Credit Act 1974. This was in relation to a dispute between the debtor and supplier.

 

Yes, where there was an agreement in force.

 

Your correspondence thus far has not highlighted any inaccuracies in the data supplied to us. You have also previously stated that you had an Abbey National credit card and defaulted.

Oh Dear, why does the Experian man register and post here?


Even a university understands the need to get permission to hold data!

 

Consent forms are forms that are used to obtain the permission of the data subject for their personal information to be used for a particular purpose. A consent form can be used at the point of collection (as part of the collection text) or later, if the particular purpose was not explicitly mentioned when the information was collected. They are sometimes called permission forms.


And the NHS view on DPA.

 

NHS SOUTH WEST

 

INFORMATION AND LIBRARY SERVICES DEVELOPMENT

 

 

 

BRIEFING FOR NHS LIBRARIES ON THE DATA PROTECTION ACT 1998

 

 

1] Disclaimer

 

 

These notes have been produced as a guide to the changes in Data Protection legislation as they may affect NHS libraries. ILSD accepts no liability for any loss or damage resulting from their use. Further guidance notes can be found on the Information Commissioner’s Website at: www.dataprotection.gov.uk

 

 

2] What’s new

 

 

The Data Protection Act 1998 is based on an EC directive and came into force in March 2000. The Act is founded on eight principles and compliance is more about adhering to the principles rather than keeping to specific systems. There are several new concepts such as that of the Data Controller, i.e. the person, people or organisation responsible for setting out why and how personal data is processed. “Data processors” are defined as people who process the data other than the Data Controller or their employees. A new role of “Information Commissioner” also replaces that of the former Data Protection Registrar. The old registration process has been scrapped in favour of a simplified “notification” system and most manual records are now subject to the Act.

 

3] What data is covered?

 

The Act is broader in scope than the 1984 Act and covers not only personal data held in digitised records, but also manual records (including written records of telephone transactions) where information relating to individuals is “held in a relevant filing system”. CCTV is also covered. From 24th October 2001 the only exemptions that apply are to records that existed before 24th October 1998 and manual data “not held in a relevant filing system”. There is a transition period until 23 October 2007 for data held in a “relevant filing system” on 24th October 1998 allowing certain exceptions, but most of the provisions of the legislation already apply to it.

 

What is “a relevant filing system”? This is open to interpretation and advice from the Information Commissioner’s Office is that although this is a “grey area”, manual issue and inter-library loan systems which file forms under author or journal title, could be considered included, especially if there are relatively small numbers of records in them. Under the spirit of the Act and its underlying principles, libraries are advised to treat such records as covered by the Act.

 

With the new Act, holding a person’s name and some other piece of information which could identify them, means that the data is subject to the Act.

 

4] Rights of individuals

 

 

Individuals have powerful rights which include being entitled to apply to gain access to any data held about them. They may also be entitled to claim substantial compensation. Data controllers can be fined not only if the content of records does not comply with the Act, but also if adequate systems are not in place for compiling and accessing records.

 

People should be informed what data is held about them, how and why it is held and who can access it. If the use for the personal data a library requests is obvious (e.g. a requester’s name and address for an inter-library loan) then it is not thought essential to put a data protection statement on every form. As long as data subjects are informed about what they legally need to know, the means of informing them is less important. Ticher (3) has some examples of how this may be done and these include notices, prominent notices about the use of CCTV, and putting relevant information in a “welcome letter”.

 

5] Responsibilities of data controllers

 

 

Data controllers have to decide what data is held, how and why it is held and who can access it. They are responsible for notifying this to the Information Commissioner and for describing how a database will be kept secure. NHS organisations normally have a Data Protection Compliance Officer who is responsible for this “notification” on behalf of their organisation, and librarians should check with them that data held by the library service is adequately covered by the parent organisation’s registration. Manual processing of data is exempt from notification.

 

Data controllers can only hold personal data if certain conditions are met, one of which focuses on obtaining consent. It is good practice to seek consent to hold personal data but it is not required in every case as there are conditions laid down which define “fair” processing. It is probably not essential for libraries to obtain written permission to process personal data where a person requests a service which necessarily involves the library requiring their name and contact details, e.g. an inter-library loan request. By supplying it for that purpose they are effectively giving permission. Permission would be needed if the use for the data was not obvious. Also if library users are internal to the library’s parent organisation they have probably given adequate permission upon joining the organisation. However, libraries can probably best ensure compliance with the law by a] registering users who require those services where records containing personal data are kept, and b] obtaining permission to store and process personal data at the time of registration. Information which must be given to the “data subject” can then be supplied at the same time.

 

6] What data can and cannot be used

 

 

Data controllers are only permitted to process data for the purposes notified. “Sensitive” data (such as information about personal health, race, religion, political views, criminal offences, trade union membership etc.) can only be held under strict conditions. This will probably not significantly affect libraries but it is something about which librarians should be aware, particularly with respect to written records of staff appraisals.

 

Data obtained from outside the EC is covered by the Act; the law in the country where it is processed applies. (Data should only be transferred outside the EC if the destination country has adequate legislation.)

 

6] How might the new Act affect NHS libraries specifically?

 

 

a] It is wise to ensure that consent is obtained from, and adequate information given to people whose personal data the library will be processing. (See paragraph 5 above.)

 

b] One of the Data Protection Principles is that measures need to be taken to ensure against unauthorised processing, loss, destruction of, or damage to personal data. Check:

· That any records, loan slips, request forms, registration cards etc. are inaccessible to library users;

· That data screens at library reception cannot be read by library users;

· Security of boxes where requests, forms etc. are posted (could they be stolen or opened?);

· Security of files of registration forms, requests, loans etc. (could they be stolen or opened?);

· That names of previous borrowers on loan slips which are retained inside library books are rendered unreadable, as it is possible that systems which file requests/loan records by author or title constitute a “relevant filing system”;

· That any files containing staff data are secure and offices/work areas where personal data are stored are not left unattended unless the data is locked away;

· That any paper records containing personal data (other than data not stored in a “relevant filing system”) are treated as confidential waste and burnt or shredded;

· That staff have been properly trained and continue to be aware of what they can and cannot do and of their responsibilities with respect to data security generally;

· That data security procedures are regularly reviewed;

· Whether e-mails containing personal data could be encrypted to improve security.

 

c] Under the Data Protection Principles, staff should only be given access to as much data as they need to do their jobs. Library managers will need to consider ways to achieve this. (For example, do library assistants need to have access to people’s home addresses?)

 

d] Data must be “accurate”. Transactions recorded by library staff (e.g. requests taken down over the phone) have therefore to be accurate because failure to record transactions properly could breach the Act.

 

e] Data must also be “adequate, relevant and not excessive”. It must be demonstrated that it is necessary to hold any personal data and the practice of keeping “nice to have” but non-essential data should be discontinued. For example, do home addresses for all library users need to be obtained?

 

f] Data should be “kept up to date” where necessary and “not held longer than necessary”. Library managers will need to ask if personal information will be needed again, and if it would matter if it wasn’t available. If the answer to both questions is “yes” then it will probably be deemed legal to retain it. If records are to be kept can they be anonymised? (e.g. Keep a survey report but destroy the original forms. Can the library system anonymise loan data after so long?) Remember too that destruction of records is regarded as “processing” under the act so that too has to be “fair” and secure. Library managers will need to decide how long it is reasonable to retain data, e.g. overdue and fines details. If a user relies on you to retain, for example, search requests, and you destroy them, that could be regarded as unfair. However, the biggest issue, especially for those without automated systems, is finding adequate means to ensure that user registers are kept up to date. This will need to cover how and how often to verify existing records; how to ensure changes which have been notified by users are included and how to regularly weed out records for people who have left.

 

g] Data can only be processed for the purposes specified and for which consent has been obtained. There are restrictions on “direct marketing” which although rather unclear and largely applying to commercial organisations, could be construed as applying to activities such as inviting independent sector subscribers to renew their library membership or inviting registered users to free events. It is therefore advisable to ask people’s permission to use their data for such purposes at initial registration. They should however be offered the facility to “opt out” and means will need to be provided to ensure that this request is honoured.

 

h] People have a right to see data held about themselves, and that includes all performance review and personnel records. It is therefore advisable to follow your Personnel Department’s instructions about holding any files, and it is good practice to ensure that staff are advised about any complaint made against them before it is recorded on their personal file.

 

i] Fair processing means that covert monitoring of staff should be avoided. People therefore should be informed if CCTV is in operation. This could be done for example, by posting a notice and/or putting a note in the library guide etc. Monitoring and processing of monitoring data is also subject to the data protection principles so adequate procedures will need to be established and documented about how, for example, CCTV tapes are viewed.

 

7] What should library managers do? – A checklist for action.

 

 

1. Examine all manual and electronic records, including those held in branch libraries and records of telephone transactions, to decide if they contain any personal data. (See section 2 for exceptions.)

 

2. Prepare for “notification” by writing down:

· Description of the data held.

· The purpose for holding it.

· Who has access.

· How long it will be held for.

 

3. Establish adequate measures (policies and procedures) to ensure the security of those systems or databases containing personal data (these too have to be described in the “notification”).

 

4. Ensure that all these are included in, or covered by, your parent organisation’s formal notification to the Information Commissioner.

 

5. Establish adequate means for obtaining “data subject’s” consent to hold and use personal data. (Personnel records for your staff should have been covered by your parent organisation)

 

6. Train your staff:

· About the Act.

· About any new procedures.

· About how any new procedures affect their working practices.

· About data security.

· About everyone’s personal liability under the Act.

 

7. Review when anything changes (e.g. introduction of new systems, services etc.).

 

 

 

Val Trinder, January 2002

 

 

References

 

 

1] Data protection act 1998. HMSO, 1998. Also available from www.hmso.gov.uk/acts.htm

 

2] www.dataprotection.gov.uk last viewed on 12th December 2001.

 

3] Ticher, P. Data protection for library and information services. London: Aslib-IMI, 2001. ISBN 0 85142 467 8.

 

4] Simplified guide to the data protection act 1998: to assist businesses holding personal information on customers, suppliers, directors, shareholders or others. Nottingham: Experian Information Services Division, n.d. www.uk.experian.com/motor/samples/databk.pdf last viewed on 9th January 2002

 

5] The data protection act 1998. JISC Senior management briefing paper 9. JISC ASSIST, 1999.


Type this into Google, Mr Experian.

 

the need for a data subjects permission to process financial data

 

You will soon see that everyone else deems that you need express permission to hold and process a person's sensitive data. You may not need permission directly from the data subject, but you sure as hell do through the OC and you have a duty of care to make sure that the data you hold and post is accurate and legally able to be supplied by the OC.
