CRA's & OC's - Credit ref reporting - Discussion

[vint1954]

Thread to discuss the legality of handling personal data. New thread started to separate this from the Credit agreements thread.

 

Just a few points to start.

 

1. Argument that no signed CCA means no authority for OC and therefore CRA's to process data, register defaults etc.

 

2. Argument that the signing of an application form, allows only credit checks up to the point of contract, to esablish credit worthyness to open account. Beyond this further permission is required.

 

3. Posted by andrew1. The durkin case. RICHARD DURKIN v. DGS RETAIL LIMITED+HFC BANK PLC, 26 March 2008, Sheriff J K Tierney

 

4. Is Durkin applicable in England?

 

5. Standard letters.

 

If you want to add points in a new post here, I will add them above, then they can be deleted.

 

Vint

[cashins]

Hi Vint

 

Been following this threadby Pinky69.

 

http://www.consumeractiongroup.co.uk/forum/debt-collection-industry/196312-invalid-default-notices.html

 

Although headed up invalid default notices, you will see that action is actaully contemplated/being brought on cases where no agreement exists, not the dodgy DN's themselves, with some success so far.

 

David

[vint1954]

Hi Vint

 

Been following this threadby Pinky69.

 

http://www.consumeractiongroup.co.uk/forum/debt-collection-industry/196312-invalid-default-notices.html

 

Although headed up invalid default notices, you will see that action is actaully contemplated/being brought on cases where no agreement exists, not the dodgy DN's themselves, with some success so far.

 

David

Hi,

 

Thanks, I have bben following pinky's thread. Most illuminating.

[vint1954]

Letter 1

To Original creditor c.c to CRA’s

The Data Controller.

Mouse Bank

Cookoo land

Dear Sirs.

Ref: Account number xxxxxxxxxxxxxxxxxxx

It has come to my attention, that you have processed financial information about myself, to several credit referencing agencies.

You will be aware that the Data Protection act 1998, an act of parliament, requires you to hold signed authority from myself to process such data, that does not fall within the public domain.

Can you please supply me with a signed copy of my consent, given to you for the purposes of allowing you to process such data.

Please respond to this request within 7 days.

Yours.

 

Comments welcome as always. Any parts of the act to back this up, most welcome.

[vint1954]

Letter 2

To Original creditor

The Data Controller.

Mouse Bank

Cookoo land

Dear Sirs.

Ref: Account number xxxxxxxxxxxxxxxxxxx

Further to my letter to you, dated xx xx xxxx, you have failed to respond to my request under the Data Protection Act 1998.

If you do not hold the signed authority that I have requested, then you will need to advise me accordingly.

As you yet to respond to this request and while this matter is in limbo, I require you to comply with the notice below.

Statutory notice under section 10 of the Data Protection Act 1998.

You are required to cease processing any data in relation myself with immediate effect. This means you must remove all information regarding this account from your own internal records and from my records with any third parties and credit reference agencies.

Please confirm that you have complied with my request under section 10 of the Data Protection Act.

I would remind you of the penalties involved in ignoring this request and the above notice. I would refer you to the recent judgement in Durkin v DSG retail & HFC Bank Plc.

I will grant you a further 7 days to respond.

Comments welcome as always. Any parts of the act to back this up, most welcome.

[andrew1]

Well done Vint, there are lots of these threads on the forum, but one particular one which caused a stirr was this one: http://www.consumeractiongroup.co.uk/forum/legalities/20118-default-hell.html which is worth bringing to the uninitiated's attention.

[vint1954]

Letter 2a

 

To CRA’s

 

The Data Controller.

Mouse Bank

Cookoo land

 

 

Dear Sirs.

 

Ref: Account number xxxxxxxxxxxxxxxxxxx

 

Further to my letter to xyz bank, dated xx xx xxxx, coppied to you, I maust advise that xyz bank, have failed to respond to my request under the Data Protection Act 1998.

 

As xyz bank have failed to respond to this request and while this matter is in dispute, I require you to comply with the notice below.

 

Statutory notice under section 10 of the Data Protection Act 1998.

 

You are required to cease processing any data in relation myself with immediate effect. This means you must remove all information regarding this account from your own internal records and from my records with any third parties and credit reference agencies.

 

Please confirm that you have complied with my request under section 10 of the Data Protection Act.

 

I would remind you of the penalties involved in ignoring this request and the above notice. I would refer you to the recent judgement in Durkin v DSG retail & HFC Bank Plc.

 

I have granted xyz bank a further 7 days to respond, however in this intervening period, can you please supply me with the authority document bearing my signature, that has been supplied to you, to enable the legal processing of my data. I naturally assume that your duty of care means that you will have obtained this document, prior to processing any data about myself. The consequences of not doing so would be unthinkable. As you are aware, distributing data that is not in the public domain, without the signed authority of the Data Subject, is a criminal offence.

 

Yours.

 

Comments welcome as always. Any parts of the act to back this up, most welcome.

Edited September 29, 2009 by vint1954

[vint1954]

Well done Vint, there are lots of these threads on the forum, but one particular one which caused a stirr was this one: http://www.consumeractiongroup.co.uk/forum/legalities/20118-default-hell.html which is worth bringing to the uninitiated's attention.

Great find andrew1. On it as we speak.

[vint1954]

Following andrew1's find, this from the great SurlyBonds. Much missed on this forum.

 

Okay people... you're all looking at lots of paperwork (which is fine), but there's a little nugget of shiny stuff embedded deep within the bowels of the Data Protection Act 1998.

 

Ladies and Gentlemen, a little known fact about the Data Protection Act and credit reference agencies and automated searches:

 

You are legally entitled, under Part II, Section 12 (1) of the Data Protection Act to insist that no agency can use your data for automated purposes including... and I quote from the said Act...[drumroll]...

 

(1) An individual is entitled at any time, by notice in writing to any data controller, to require the data controller to ensure that no decision taken by or on behalf of the data controller which significantly affects that individual is based solely on the processing by automatic means of personal data in respect of which that individual is the data subject for the purpose of evaluating matters relating to him such as, for example, his performance at work, his creditworthiness, his reliability or his conduct. ...[tada...takes deep bow]

 

Okay, what does it mean in English...

Whilst credit ref agencies can store the data, you (and only you...not them... YOU, the "individual"/data subject/etc) can decide if you want that data to be included in any automated processes which includes the automatic reference transactions that banks and Co. send through for ref checks.

 

You may, if you so wish, ...(and the agencies can't do diddly-squat about it)... insist that your data is excluded from the automation process, and that it can only be utilised within manual reference purposes... which by the way, none of the agencies have the ability to process.:grin:

 

If you think I'm joking, I've done it for all three of the ref agencies, and they've all had to remove all my data from the automation process because I threatened them with a Court Order if they failed to do so.

 

So, what happens in reality. Well, maybe try what I did...

 

1) Send them a recorded delivery letter along these lines...

"Dear Sirs,

 

This is a formal notice, served under the provisions of Chapter 29 of the Data Protection Act 1998 in requesting that you conform to my demand for a change in the manner in which you hold and process subject data about me.

 

As you are no doubt aware, Part II, Section 12 (1) of the said Act allows all data subjects the right to insist on the removal of any and all data from automated processes in repsect of matters relating to them. I have reproduced that clause for your information, in case you do not have a copy to hand:

[insert clause from above in quotes].

 

You will note the exact language of the Act, in that such a request may be made in relation to a number of different reference checks "which significantly affects that individual", and the Acts specifically cites

"credit worthiness" as one of those examples.

 

Recent checks on my file have caused severe complications, and now "significantly affect" my everyday life, and that of my family. An additional point to note is that issues of this nature that adversely affect "normal family life" are in breach of the Human Rights Act.

 

Therefore, you have seven days from receipt of this letter to remove all such data from your system where it is referenced and processed via automated processes. You will obviously need to transfer it to your manual process system and alert your customers that my data can no longer be searched via an automatic process.

 

I look forward to receiving your confirmation that the above change has been made to my file at the end of that seven day period.

 

To that end, I look forward to receiving your confirmation by close of business of ...[date it nine days hence to give them time].

 

Yours, etc"

 

I did this to Experian, Equifax and myCallCredit last month. Equifax argued the toss initially, then I issued an N1 Court Form against them, and as soon as they got that they capitulated. By the way, they also had to pay the Court fee. :grin:

 

Of course, they don't actually have anything on their system that can manage a manual intervention on a credit check, so they have to bar all the data from being read.

 

The other tact is the contractual issue, and this is even easier.

 

Background, last year I cancelled my contract (after 2 years) with Orange to switch to another telecom. Orange (conveniently) forgot to cancel my contract and tried charging me up to 3 months of additional monthly tariffs.

I refused to pay, Orange got arsey, so I threatened them with a counter if they tried the recovery route, with copies of my letters and the Rec Deliv numbers of my cancellation letters.

A letter from them the next week... "blah, blah, as a gesture of goodwill, we have cancelled the £30 owed...etc.". OWED!!!! I'll give them firkin "owed" - cheeky bar stewards. Anyway, after I calmed down...

 

I noted about a month later that Orange had put three months of unpaid bills onto my credit files, so I had an "Up to 3 months late" marker on my file which is just about up there with a CCJ or default. I told them to adjust the data, they refused, so I sent the following within letters to Experian, Equifax and MyCallCredit:

 

"...As to the Orange account staying on my file for six years, you should note that this was not a defaulted account at all. I gave Orange notice to switch to another provider and they didn't process my cancellation in time. I then refused to pay the months after my notice of cancellation. They have now recognised this by asking all the agencies to remove the alledged late payment information..."

 

The agencies got hold of Orange who then cleared the 1,2 and 3 markers BUT left the account as default/settled.

 

The agencies all wrote back saying that they could keep such a reference on the file for up to six years.

 

I then sent the following to all three:

 

"... As to the Orange account staying on my file for six years, you should note that this was not a defaulted account at all and, even if it was, you are no longer permitted to hold such data on my file.

 

Upon signing my contract with Orange, I only gave Orange my permission to log my account dealings whilst the contract was in place. If you read the wording of that contract it states quite clearly that I "give permission for Orange to supply credit reference agencies with information relating to the conduct and payment history of my account." I neither agreed to any other purposes, nor did I agree for that clause to include the term "in perpetuity".

 

Additionally, the contract also states that "this agreement may be cancelled by either party in writing".

 

That contract is now (very) cancelled (and has been for some time now) and therefore they have no signed mandate or permission to instruct you to retain or store data on me.

 

Schedule I, Part 1 "The Principles" of the Act states, quite clearly in Clause 5:

 

"5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes."

 

So, you will kindly remove the entire record, or I will issue a Formal Notice on this matter. If you fail to comply with that Notice, then I will apply for an N1 County Court Order against you, which will result in you accruing Court fees and any other legal expenses and disbursements. This will also lead to a complaint to the Information Commissioners Office as to your suitability to hold a Data Protection licence when you are clearly holding data that is no longer relevant to the account, the account information provider or the data subject, and is being held after a contract has been terminated, by whatever means, whether by default or cancellation."

 

The entry was removed within two days.

 

So, my friends, we have a few extra strings to our bow on this front, go spread the gospel...Credit Report Click link to open in new window.

Edited October 12, 2009 by vint1954

[vint1954]

So, Letter for removal of your data from automated processing.

 

Automated data handling letter, courtesy of Surly Bonds

Send them a recorded delivery letter along these lines...

 

The Data Controller

XYZ CRA

 

"Dear Sirs,

 

This is a formal notice, served under the provisions of Chapter 29 of the Data Protection Act 1998 in requesting that you conform to my demand for a change in the manner in which you hold and process subject data about me.

 

As you are no doubt aware, Part II, Section 12 (1) of the said Act allows all data subjects the right to insist on the removal of any and all data from automated processes in repsect of matters relating to them. I have reproduced that clause for your information, in case you do not have a copy to hand:

 

You will note the exact language of the Act, in that such a request may be made in relation to a number of different reference checks "which significantly affects that individual", and the Acts specifically cites

"credit worthiness" as one of those examples.

 

Recent checks on my file have caused severe complications, and now "significantly affect" my everyday life, and that of my family. An additional point to note is that issues of this nature that adversely affect "normal family life" are in breach of the Human Rights Act.

 

Therefore, you have seven days from receipt of this letter to remove all such data from your system where it is referenced and processed via automated processes. You will obviously need to transfer it to your manual process system and alert your customers that my data can no longer be searched via an automatic process.

 

I look forward to receiving your confirmation that the above change has been made to my file at the end of that seven day period.

 

To that end, I look forward to receiving your confirmation by close of business of ...[date it nine days hence to give them time].

 

Yours, etc"

Edited October 12, 2009 by vint1954

[vint1954]

Just a note, letters 1 & 2 designed to start to get specific data removed.

 

Letter above regarding automated data handling will remove all data, good and bad, from an automated search.

[citizenB]

subbing to this.

[London000]

So, Letter for removal of your data from automated processing.

 

Automated data handling letter, courtesy of Surly Bonds

Send them a recorded delivery letter along these lines...

 

The Data Controller

XYZ CRA

 

"Dear Sirs,

 

This is a formal notice, served under the provisions of Chapter 29 of the Data Protection Act 1998 in requesting that you conform to my demand for a change in the manner in which you hold and process subject data about me.

 

As you are no doubt aware, Schedule II, Section 12 (1) of the said Act allows all data subjects the right to insist on the removal of any and all data from automated processes in repsect of matters relating to them. I have reproduced that clause for your information, in case you do not have a copy to hand:

 

You will note the exact language of the Act, in that such a request may be made in relation to a number of different reference checks "which significantly affects that individual", and the Acts specifically cites

"credit worthiness" as one of those examples.

 

Recent checks on my file have caused severe complications, and now "significantly affect" my everyday life, and that of my family. An additional point to note is that issues of this nature that adversely affect "normal family life" are in breach of the Human Rights Act.

 

Therefore, you have seven days from receipt of this letter to remove all such data from your system where it is referenced and processed via automated processes. You will obviously need to transfer it to your manual process system and alert your customers that my data can no longer be searched via an automatic process.

 

I look forward to receiving your confirmation that the above change has been made to my file at the end of that seven day period.

 

To that end, I look forward to receiving your confirmation by close of business of ...[date it nine days hence to give them time].

 

Yours, etc"

 

 

Hi Vint,

 

It is a good one and If you wouldn't mind I should start using my copy-paste buttons:D

DD

[lickthewallfatboy]

this thread is brilliant

 

vint-I tried to add some rep to you,but I need to spread some more around first!!

 

so take this as a big thank you matey!!

[angry cat]

For your information Vint!

 

http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/default_tgn_version_v3%20%20doc.pdf

 

AC

[vint1954]

So, Letter for removal of your data from automated processing.

 

Automated data handling letter, courtesy of Surly Bonds

Send them a recorded delivery letter along these lines...

 

The Data Controller

XYZ CRA

 

"Dear Sirs,

 

This is a formal notice, served under the provisions of Chapter 29 of the Data Protection Act 1998 in requesting that you conform to my demand for a change in the manner in which you hold and process subject data about me.

 

As you are no doubt aware, Part II, Section 12 (1) of the said Act allows all data subjects the right to insist on the removal of any and all data from automated processes in repsect of matters relating to them. I have reproduced that clause for your information, in case you do not have a copy to hand:

 

You will note the exact language of the Act, in that such a request may be made in relation to a number of different reference checks "which significantly affects that individual", and the Acts specifically cites

 

Hi Vint,

 

It is a good one and If you wouldn't mind I should start using my copy-paste buttons:D

DD

More than welcome. The automated data handling letter, courtecy of SurlyBonds.

 

Be aware, that creditors who cannot get a ref on you, may smell a rat.

Edited October 12, 2009 by vint1954

[vint1954]

For your information Vint!

 

http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/default_tgn_version_v3%20%20doc.pdf

 

AC

Thanks for that AC, some interesting reading on Defaults.

 

I think that 41 kind of substantiates my thought that CRA's have a duty of care to ensure that data is accurate, not just by confirmation that the OC says so.

[vint1954]

It is as much about numbers as anything. If enough go down the path and also lodge complaints with ICO, then it acheives more prominance.

[vint1954]

this thread is brilliant

 

vint-I tried to add some rep to you,but I need to spread some more around first!!

 

so take this as a big thank you matey!!

No problem.

 

First step taken. Letter one off in the post tonight.

[lickthewallfatboy]

 

Be aware, that creditors who cannot get a ref on you, may smell a rat.

 

happy to say that is irrelevant in my case,as I have moved out of the credit rat race

[vint1954]

More from SulyBonds. Do we know why he does not post anymore?

 

Basic things to remember about this whole process:

 

a) Remember that the three Credit Reference Agencies (CRAs), Experian, Equifax and CallCredit were not constituted by an Act of Parliament. They hold no official Govt. power even though they like to think they do.

 

b) The CRAs are corporations who simply have the technology to store vast amounts of data and have been doing so for years.

 

c) The banks and lenders supply them with information about your accounts not because they are legally allowed to, but simply because YOU agreed to it via your contract.

 

d) CRAs are allowed to hold any data about you that is deemed in the public interest or in the public domain. Things like Bankruptcy Orders and Discharges, CCJs, IVAs, etc. are public information, and you cannot stop CRAs holding this information. You can ask them to mark them as settled, but they do have legal right to hold JUST these on their records because there are actual Laws that allow them to do so, and judges have signed the Orders in all these types of cases. However, agreement 'defaults' do NOT come under those Laws, unless they have been progressed to a CCJ, etc.

 

e) Civil contract details cannot be stored unless you agree in writing. The Data Protection Act states clearly that your account information is personal data and only you have the right to determine who may collate, process and disclose it.

 

f) When CRAs reply with “it’s our legal right” they are talking nonsense. The legal to which they refer is simply the ‘lawful right’ because you gave permission. That permission can be withdrawn at any time according to your rights under the Data Protection Act.

You can see more about this in the copy of the Experian letter also here in the sticky section, where thay actually admit that they have no legal authority and that there is no six year 'rule'.

 

g) You are also allowed to tell any Data Controller (a company that processes or stores your data) to cease to process your data in any fully-automated process. The Data Protection Act states quite clearly that this includes processes that e.g. “affect your creditworthiness”. The actual clause is in the template letter.

 

h) If you decide to opt-out of auto-processing, then you may opt back in again later.

 

i) To ask a Data Controller to do anything you want them to do, including requesting bank statements, you send what is called a Data Subject Notice – you are known in the Act as the Data Subject – i.e. the person to whom the data refers.

 

j) Data is anything on computer disk, paper, etc., that can identify you as a individual person. “all 34-year-old architects” is not personal data, but “Mr A N Other, a 34-year-old architect from 16 Acacia Avenue, Anytown, AnyPostalCode” is personal data as it can identify a particular person.”

 

k) Your contract and all transactions relating to the running and administration of your account is deemed your personal data, as these may be subsets referenced by an account number that, in turn, can be linked to you.

 

l) All Data Controllers have a duty to protect your data, and must hold a Data Protection Act licence (issued by the Information Commissioners Office) to hold and process data. However, this licence does not allow them to disclose data without your express written permission – it is a criminal offence to do otherwise, except for reasons of national security, taxation, health, etc.

 

There is loads more on the Data Protection Act specifics and I might edit and add to this post as time goes by. The above is to give you the basics and the understanding of how to use this in the method below.

 

The Default removal method.

 

My contention is simple…

1) Data Controllers (e.g. the banks, CRAs) have no legal right to collate, store, process or disclose your data without your permission, except data clearly in the public domain.

 

2) But, you give that right to them when you sign your contract – most paperwork includes clauses such as “You allow us to disclose details about the conduct of your account to CRAs, etc….”.

 

3) That contract becomes Law under contractual LAW…however it is still under the ultimate authority of English Law. Any disputes have to be negotiated or referred to Court for a decision.

 

4) Once the contracts ends, nearly all the clauses also end. The lender does have some rights to prove monies owed and then pursue them lawfully, but my argument is essentially that other clauses all end, and the lender cannot arbitrarily choose to assume that the disclosure of Data clauses can carry on. This is a proposed change of contract that they are trying to impose and is therefore unfair and unenforcable under the UTCC Regs.

 

5) If they then continue to disclose data about you to a CRA, they are doing so without your permission, as your permission expired in the termination of the contract.

 

6) You can then serve them with a Statutory Data Subject Notice asking them to desist from doing so.

 

7) The Data Controller then has 21 days in which to conform to your request, or write to you giving lawful reasons as to why your request should be exempted. To do so, he would have to prove a legal Statute, a Common Law case, etc… but none exist. So, they simply turn around (especially the CRAs) and say that they have a “legal right”. They don’t…they are simply stating that they believe that they have a ‘lawful right’ under the contract Law that you agreed when you signed the contract.

They also use other nonsense expressions such as “under credit law”, “six-year permissions”, etc… There is no credit law permission, and the Data Protection Act over-rules contractual Law when it comes to your rights.

The six-year ‘rule’ that they so liberally quote, is them simply getting confused with County Court orders… such as bankruptcy, CCJs, that only a judge can sign.

NOTE: Banks and CRAs cannot sign Court orders.

 

8 ) If the Data Controller fails to show reasonable cause to try and exempt your Notice, then you may go straight to the Information Commissioners Office and ask them to enforce your Notice. You will need to put all the correspondence together with a covering letter.

 

9) You may apply for compensation, only if the incorrect data has caused you financial loss, or other significant inconvenience whilst the incorrect data was used in a process that affected you.

 

10) You can also go straight to the Court and issue a Court Claim to ask a judge to enforce your Notice. You will have to pay a fee, but you can claim this back from the Data Controller if you win. You can also apply for compensation on your Claim – again reasonable costs, damages, etc.

 

11) Damages claims have to be very clear that they caused inconvenience and hardship or distress, so use sparingly. At the end of the day, your primary mission is to remove what you consider is adverse data, not start going off on one for compensation, so stick to your basics first.

 

 

Finally, a few simple rules, that will help your case appear more professional:

1) Check your spelling and grammar – it is shocking to see some very basic mistakes, and it doesn’t give a very good impression if you make basic errors like your and you’re, there and their, etc.

 

2) Send ALL letters (without exception) via Recorded or Special Delivery, and keep a copy, and keep the Post Office receipts and stamped labels. They CANNOT argue if you can prove they got the letter. If you fax anything, keep the send confirmation sheet (sometimes called the transmission journal) – press the button the machine to print one.

 

3) If you phone anyone to discuss the case, use a program like SkyLook (available on this website) to record your calls. Note that it is NOT illegal to record your own telephone conversations – even though the uneducated Muppets in call centres try telling you otherwise. After all, they often record your conversations!

 

The best of British luck, and let’s see if some more wins start coming through – I am working on other aspects of the Data Protection Act and will keep you informed as to how they progress. And remember, that most of this really gets down to who blinks first... they know they don't have a prayer, which is why they are coming up with grasping-straws excuses. Be prepared to take it to Court, or at least the Information Commissioners Office...who knows, we could even end up with a case law in our favour if it went to the right Court.

 

So, to the letter itself…

 

The following was an amalgamation of several previous letters that I had sent for my own cases. This version was written for a friend who is having hell with a bank that adamantly refused to remove a default, and the CRAs involved had written back with many stupid replies that didn’t mean anything, or answer the issue.

 

Within 72 hours of it being received at their Head Office, we received a letter saying that they were happy to remove the default from the credit files, although denied any liability for distress, or breach of duty in relation to the Data Protection Act.

 

 

The Company Secretary

GrabItAll Bank plc

Large Ugly Building with nice view of Thames

Somewhere in London

Postcode

[must go to their company registered address!]

 

[Date]

 

 

Dear Sir,

 

Re: Formal notice to desist from processing or disclosing personal subject data

 

I have recently conducted an audit of my personal credit reports supplied by Experian, Equifax and CallCredit.

 

It is noted that there exists, within all three files, an entry referenced as “xxxxxxxxxxxxxx plc” indicating a former xxxxxxxx Loan (now closed) of £x. This is recorded as “In Default” albeit showing a settlement date of dd/mm/ccyy.

 

I am contesting that xs’ continued processing of my data is an unwarranted act and I enclose a Statutory Notice to that effect, which is deemed served as of the date noted on the Royal Mail's Recorded Delivery service audit.

 

My written permission allowing x to continue processing, or disclosing, my personal subject data was revoked upon termination of that original contract and I hereby reiterate that revocation. I also do not recall receiving any such Notice of Default being served on me, as required by the conditions of the Consumer Credit Act 1974. Unless the Bank can provide a true copy of the said Notice, then I consider that any default entry on my credit files to be wholly unwarranted.

 

However, if you can supply the copy, then I also contest xs’ continued processing on the following grounds.

 

As you are aware, I am afforded principled rights under the Data Protection Act (Data Protection Act), Schedule 1, Part 1 ("The Principles") in relation to the manner in which my data is collated, stored and processed. Of particular note, are Principles 3, 4 and 5:

 

“3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

 

4. Personal data shall be accurate and, where necessary, kept up to date.

 

5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.”

 

In my case, x is still processing data after the cancellation of the contract, whether or not this is a simple renewal process of the default flag, daily or by other timing factor. As that contract is no longer in situ, then my written permission has also ceased from the date of cancellation.

 

This is confirmed in Principle 2 of the Data Protection Act, which states:

"2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes."

 

I emphasise the term "specified and lawful purposes" as in ‘those specified within the contract’, and no more. I also emphasise the term "shall not be further processed".

 

I have taken the matter up with the Credit Reference Agencies, and they had claimed that they had a

“legal right” to maintain this type of adverse entry for up to six years. When I challenged them to quote me the exact Statute that includes this so-called “legal right”, they remained remarkably quiet. Only after my continued insistence of disclosure did they eventually concede that, whilst they have no statutory right, it is

“standard industry practice” but they added that they are “allowed to by Law”. After further challenges, they finally admitted that unless this was a County Court issue, their term actually referred to contractual Law, but continued to emphasise that it was “standard industry practice to record default entries for six years.”

 

As a highly-educated company secretary for a major PLC, may I respectfully presume that you likewise recognise that “standard industry practice” does not correlate with “legal right”?

 

Further investigation has also led me to conclude that the only six-year data ‘retention rule’, to which they may adhere to, is in relation to information in the public domain, e.g. Bankruptcy Orders/Discharges, IVAs, CCJs, etc. These are kept in the public domain for six years. But, these are sealed orders issued by a judge through the Courts who oversee the ultimate jurisdiction in all matters relating to Law, be it the criminal code or the Common Law. It is not up to Credit Reference Agencies, or lenders, to decide legal issues.

 

In addition, the agencies may also hold information that is deemed ‘in the public interest’ for the avoidance of credit fraud or deliberate repayment avoidance; I refer, of course, to CIFAS and GAIN entries on a credit file. My former account was not subject to any such marker, nor is my former civil contract with x a public matter.

 

After scrutiny of all the relevant legislation, including the Consumer Credit Act (As Amended), the various Financial Services Acts and the Data Protection Act, etc., it is clear that there is absolutely no legislation that allows a lender or supplier (e.g. x) to collate, process or distribute any other information unless there is express written permission from the data subject.

 

In fact, Section 10 of the Data Protection Act awards the real authority, regarding privacy of data, to the data subject, not the Data Controller. The Act is also very clear as to the rights of the data subject in respect of withdrawing permission to continue data processing and disclosure:

 

10. - (1) Subject to subsection (2), an individual is entitled at any time by notice in writing to a data controller to require the data controller at the end of such period as is reasonable in the circumstances to cease, or not to begin, processing, or processing for a specified purpose or in a specified manner, any personal data in respect of which he is the data subject, on the ground that, for specified reasons-

 

(a) the processing of those data or their processing for that purpose or in that manner is causing or is likely to cause substantial damage or substantial distress to him or to another, and

 

(b) that damage or distress is or would be unwarranted.

 

However, there are some exclusion provisions for Data Controllers, and Section 10 does continue with various exceptions to subsection (1) above, and these are quoted, in full, below:

 

10. - (2) Subsection (1) does not apply-

 

(a)in a case where any of the conditions in paragraphs 1 to 4 of Schedule 2 is met,

or

(b)in such other cases as may be prescribed by the Secretary of State by order.

 

To paragraph (b), I can only presume that x has not applied to HM Secretary of State for an order allowing you an exclusion, which leaves x with the only remaining possibility of requesting an exemption under paragraph (a).

 

So, we must turn to the exemptions permitted in paragraph (a) to find where xs’ Data Controller may invoke his perceived exemption to the Data Protection Act, namely, those listed in paragraphs 1 to 4 of Schedule 2. I have reproduced these exemption paragraphs, in full, below:

 

“1. The data subject has given his consent to the processing.

2. The processing is necessary-

(a) for the performance of a contract to which the data subject is a party, or

(b) for the taking of steps at the request of the data subject with a view to entering into a contract.

3. The processing is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract.

4. The processing is necessary in order to protect the vital interests of the data subject.”

 

It is my contention that xs’ supposed right of obtaining an exemption is not contained within any of these paragraphs. I have followed each in turn with my notation to give a clearer explanation, should there be any lack of clarity.

 

1. The data subject has given his consent to the processing.

 

That consent was terminated upon the cessation of the contract and, as stated earlier, I reiterate the revocation herein, and by the attached Statutory Notice.

 

2. The processing is necessary-

(a) for the performance of a contract to which the data subject is a party, or

(b) for the taking of steps at the request of the data subject with a view to entering into a contract.

 

For (a), there is no contract being performed, and for (b), x and I are not entering into any form of contract, and certainly not at my request.

 

3. The processing is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract.

 

According to the Information Commissioners Office (I.C.O.), exemption 3 includes all other statutory obligations for which the interests of national security and welfare override personal privacy.

 

These obligations allow for the provision of data to Official agencies and organisations, e.g. disclosure to crime prevention agencies (Police, Intelligence Services, etc), official Government agencies (DVLA, DSS, Passport Agency, etc.) and health authorities, etc., and for any other purpose not agreed within a civil contract.

 

We all know that the three major credit reference agencies are not Government bodies, nor official agencies, but for-profit companies, even though they like to think they are official. None of these three agencies are listed in the appropriate Data Protection Act Schedule that names the specific organisations that are permitted any such exemption rights.

 

4. The processing is necessary in order to protect the vital interests of the data subject.”

 

With reference to the I.C.O. again, this is interpreted as anything that affects the data subject as a matter of life and death. This clause is included in the Data Protection Act to permit data, like medical records or contact details, being disclosed in emergency situations. I do not believe that my former account details could be described as anything like a matter of life or death.

 

So, it is clear to see that there is neither statutory provision permitting xs’ Data Controller to assume continued processing rights of my data at his discretion, nor any exemption. I can then only assume that x is relying on the Common Law, and contractual law, as determined by the contract that both parties originally agreed.

 

However, the contract that I originally signed with the bank, only gave x permission to process data during the term of that contract. I think it is fair to assume that you agree that the contract was terminated some years ago, whether or not a Default Notice was served.

 

The contract neither included any other permission, nor did it imply that your perceived 'rights' to process my data would be ‘in perpetuity’. There was also no clause contained within the contract that stated that x had any arbitrary right to continuing processing data for up to six years after the ending of the contract.

 

Also, I cannot recall any clear statement that gave my express permission for x to continue disclosing my subject data to third parties after the end of the contract. You are no doubt aware that any non-agreed disclosure of personal data to third parties, without express written permission, is a criminal offence under Section 35, of the Data Protection Act.

 

However, if I am mistaken, and the contract did, indeed, specify unlimited time extensions, then you must provide me with a copy of those signed terms indicating where I have agreed to them. This should be sent to me as one of your enclosures, if you wish to contest the enclosed Statutory Notice. You should be aware that you have, by statute, twenty-one days in which to either comply with my Notice, or give written notice stating your reasons and why you consider the Notice unjustified.

 

In summary, in relation to this former loan contract, I am formally instructing you, as an authorised officer of the Bank, from this day onwards, to:

1) cease to continue storing, processing or communicating my data;

2) remove all such data from automated process systems, as per the provisions of Part II, Section 12 (1) of the Data Protection Act, namely:

(1) An individual is entitled at any time, by notice in writing to any data controller, to require the data controller to ensure that no decision taken by or on behalf of the data controller which significantly affects that individual is based solely on the processing by automatic means of personal data in respect of which that individual is the data subject for

the purpose of evaluating matters relating to him such as, for example, his performance at work, his creditworthiness, his reliability or his conduct.

 

Of particular note is the Acts own term “his creditworthiness”;

 

3) cease to disclose any data to any third party including, but not restricted to, Equifax plc, Experian Ltd and Callcredit plc; and

 

4) instruct Equifax plc, Experian Ltd and Callcredit plc to remove all data pertaining to your records on me, to the extent that no data entry in relation to x Bank plc will exist on my credit files.

 

Any failure on your part to adhere to these statutory timescales will automatically be interpreted as your non-compliance with the legal procedure. In that case, you will be expected to unconditionally comply with my Statutory Notice or I shall have no alternative but to refer the matter to the Court to seek an Order to that effect. Should it be necessary to refer the matter to the Court, then I shall also apply for Court fees and legal costs against the Bank. I shall also reserve the right to seek redress for damages as per the remit of the Data Protection Act.

 

 

I trust that I have made my position clear, and that x will now make a serious effort to understand its legal obligations and effect the changes requested. Should you be in any doubt as to the Banks obligations as a Data Controller, then I would advise that you consult your corporate counsel.

 

 

In any event, I shall expect a written confirmation from you acknowledging the contents of this letter within 5 working days, as per the requirements of section 15.3 of the Banking Code.

 

Yours faithfully,

 

 

 

 

 

 

 

 

 

 

 

 

Statutory Notice pursuant to Sections 10 and 12

 

 

 

of The Data Protection Act 1998.

 

 

Data Subject Notice

 

 

 

 

To: The Data Controller

GrabItAll Bank plc

Large Ugly Building

Somewhere in London SomePostalCode

[replace with registered company address]

 

 

Data Subject: [your title and full name]

 

 

Address: [your full postal address inc. postcode]

 

Whereas I have been a customer of x Bank plc and whereas I consented in my contract with you to the disclosure by you of certain data to third parties, at no time did I consent and neither was it within the contemplation of the parties to the contract that I did consent to the processing by you of that data in any manner which would be unfair or inaccurate or which in any way would breach The Data Protection Act 1998.

 

Therefore, take notice that I require that you cease from processing within twenty one days of the receipt by you of this Notice, or else that you do not begin to process any personal data of which I am the subject insofar as that processing involves the communication or passing of personal data of which I am the subject to any third party and insofar as the said data relates wholly or in part to the implementation by you of alleged defaults or contractual breaches or breaches contrary to The Common Law.

 

This Notice is given on the grounds that the processing or continued processing by you of the said data will be likely to affect my credit rating and my reputation and cause substantial damage and/or substantial distress to me and my family members in addition to that which has been caused to date. And that as the processing of the said data in the way referred to in this Notice would violate both the Principles and Data Subject’s rights of The Data Protection Act 1998, to do so would be both unwarranted and unlawful.

 

Signed

 

 

 

[sign it in pen]

 

 

[put your title, initials and surname]

 

Dated this [something -th] day of [month], in the year two thousand and [year].

 

[vint1954]

Should have found this earlier. SurlyBonds has already done the work:)

[lexis200]

Yeah but you found it vint:D

[felixflyer]

Has anyone actually stopped the CRS'a processing their data? How did this affect your ability to get a mortgage/bank account etc?

[lexis200]

people have felixflyer, but after a hell of a lot of hard work, and often a court appearance.

 

This is unacceptable in the majority of cases where the entries should by rights (our legal ones, not their made up ones) have been removed in the first instance.

 

I'm not sure if having defaults is as bad today as it was a couple of years ago due to the current financial climate (and vastly more defaults floating around now), but I couldn't tell you if it would make a difference to getting a mortgage. I can't think getting a bank account would be affected too much by it though - it's not like you're borrowing from them with an account?

 

I think the stopping of automated processing of your data and only allowing manual access is a bit of a double edged sword. As pedross and a couple of others have mentioned, it may well be a bit of a red flag to a potential lender if they see you have info but that you have effectively hidden it.

 

That said it can't be worse than having it up for all to see!

 

One thing I'm wondering about though vint - if you do get them to put it all down as manual access, does that just cover things like defaults/arrears etc, but things like ccj's/bankruptcy would be left visible?

 

I only ask as that would affect how they view it. If they really can't see anything then you could be hiding ccj's etc. If however that stuff has to stay visible then they will know (without bothering to look) that the worst you could have is a default.

 

Any ideas on that one?