Credit Ref Agency reply to DPA s.12 request-help please

[JamesJ]

Sorry James,

I don't quite understand. Do you mean the reference number of the letter that is greyed out on Surlys Sticky post?

 

Yes, if we've changed a policy following contact with the ICO I'd like to know more. Or the director's name so I can pop over tomorrow.

[Tinkerbelle]

Because lenders have agreed to share data for six years not four.

 

Not with me they haven't. The contract also clearly does not state that they have to do this. So in effect you are processing "unlawful" data are you not?

[JamesJ]

are the lenders not expected to carry out these practices laid down on there own , with out me having to remind them? and also this must surely apply to the cras as well, of which you are an employee and spokes person?

 

I'm sorry, can you please quote whatever you're referring to as there are several conversations going on here and it's hard to keep up? Cheers.

[jamesbond]

"SurlyBonds

 

I don't know. I cannot tell you what a lender (or his lawyer) might think. You'd have to ask them. If you are so convinced you are right, why is it so important that I personally agree with you? "

 

Jamesj, as a spokespeson for experian, does it not follow that if we can get the issue across to you, then maybe this could be given to the attention of the other directors and perhaps we could reach a satisfactory conclusion on the many problems that are facing us as both consumers and data providers of experian?

[JamesJ]

Not with me they haven't. The contract also clearly does not state that they have to do this. So in effect you are processing "unlawful" data are you not?

 

No. Consent simply allows data to be shared, DPA sets the rules for sharing the data. DPA doesn't say six years either, but it does say data can be kept for no longer than is reasonable and six years is considered reasonable - although clearly not by some of you guys.

[JamesJ]

SurlyBonds

 

I don't know. I cannot tell you what a lender (or his lawyer) might think. You'd have to ask them. If you are so convinced you are right, why is it so important that I personally agree with you?

 

Jamesj, as a spokespeson for experian, does it not follow that if we can get the issue across to you, then maybe this could be given to the attention of the other directors and perhaps we could reach a satisfactory conclusion on the many problems that are facing us as both consumers and data providers of experian?

 

I will put your question to our legal team tomorrow.

[jamesbond]

but it also says we can withdraw our permission to use that data, and clearly the lenders or the cras, do not exercise our rights in this issue

[JamesJ]

Signing off now. I'll try to check back tomorrow.

[Tinkerbelle]

That's a shame. Just as it was getting interesting!

 

Welll we hope you come back soon and answer a few more of our questions.

 

Thank you for your time.

[JonCris]

I keep saying this but like most such agencies the CRA's have fallen into the trap of thinking they are quasi legal entitities whos role is to serve the public good. Therefore what they decide must by their very nature be within the laws of the land.

 

I got news for them they are not & it isn't.

 

A culture has taken hold because the consumer has been left in the dark as to his/her rights until now. The CRA's are very limited in the rights they tell the consumer he has. eg has any CRA ever advised a consumer that under the Data Protection Act they can stop their data being used. No! I wonder why & thats only the tip of the iceberg

 

The way they conduct much of their business is not only in breach of UK law but also the HRA & now they are begining to be found out

[Number6]

Sorry, post cancelled.

 

(how does one delete a post?)

 

Pete

[Number6]

Might be useless but I just found this on the North Tyneside local gov website. It's their "view" on the Data Protection Act. I find their comment on the sixth principle to be interesting.

 

Data Protection Act 1998 – The Principles explained

Introduction

There are eight guiding principles to the Data Protection Act 1998 (Data Protection Act) which the council must adhere to when processing personal data. The Data Protection Act defines processing as obtaining, organising, adapting, accessing, using and deleting.

 

1. First Principle

“Personal data shall be processed fairly and lawfully”

In order to comply with the first principle; one of the following conditions from Schedule 2 must be met if personal data is being processed:

 

1. The ‘data subject’ has given their consent

 

2. The processing is necessary -

a. For the performance of a contract to which the data subject is party, or

b. For the taking of steps at the request of the data subject with a view to entering a contract

 

3. The processing is necessary to comply with legal obligation

 

4. The processing is necessary in order to protect the vital interests of the data subject

 

5. The processing is necessary for the Administration of justice

 

6. The processing is necessary for the legitimate interests of the data controller (except where unwarranted because of prejudice or legitimate interests of data subject)

 

2. Second Principle

‘Personal data shall be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with those purposes’

To comply with the second principle, the council must inform the Information Commissioner of all the purposes for which it processes personal data. If the reasons for processing this information are changed, both the Information Commissioner and the Data subject must be informed.

 

3. Third Principle

‘Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.’

It is the council’s responsibility to ensure that personal data is adequate enough to distinguish between data subjects with similar details. The council must also ensure that the information processed about a data subject is relevant and not excessive.

 

4. Fourth Principle

 

‘Personal data shall be accurate and, where necessary, kept up to date’

Where the council obtains information either directly from the data subject or via a third party, it must ensure the accuracy of the data. If the data subject informs the council of a (factual) inaccuracy, the data must be amended to reflect this. In order to maintain accuracy, it is the responsibility of the data subject to to inform the council of any changes.

 

5. Fifth Principle

 

‘Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes’

The council should not retain information for longer than it is required to fulfil the purposes for which it is collected. Legislation and business requirement based retention schedules are used to enforce this across directorates.

 

6. Sixth Principle

 

‘Personal data shall be processed in accordance with the rights of data subjects under the act’

The data subject has the right to request any information processed by the council relating to them, they also have the right to request their personal data to be rectified, blocked or erased. It is the responsibility of all staff in the council to be aware of the data subjects rights and to respond to such requests.

7. Seventh Principle

 

‘Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.’

The council must have contingency plans to cope with or manage any unforeseen events, which may effect the processing of personal data. All staff must be aware of how the contingency plans effect them as well as knowing what security issues accompany data processing.

 

8. Eighth Principle

 

‘Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data’

If data is to be shared with an organisation outside the European Economic area, the council must assess adequacy by looking at the following issues:

1. The nature of the data.

2. The country of origin.

3. The country where the data is being sent.

4. The purpose for which the data is processed.

5. The security measures in place

A transfer can take place if any of the following conditions are met:

1. If the data subject grants permission

2. If it is required in the performance of a contract

3. If the data subject makes a request in order to enter into a contract

4. In the conclusion or performance of a contract in the data subjects interest

5. Under the order of the Secretary of State

6. Under the approval of the Information Commissioner

7. As part of legal proceedings/advice

 

Exemptions

 

The processing of some personal data may be exempt from certain sections of the act.

• Subject Information Provisions

Where a Subject Access Request is made, personal data may not be disclosed to the individual

• Non- Disclosure

Exemption allows for processing of information, which are exempt from the act

• The exemptions

1. National Security

2. Crime and Taxation

3. Health, Education and Social Work

4. Regulatory Activity

5. Journalism

6. Research

7. Information available to the public

8. Disclosure required by law

[Number6]

I also still maintain that 1.1 is suspect on the basis that it's almost impossible to give consent freely (if you don't sign the consent you don't get no loan)

 

So on that basis I contend that 1.1 does not effectively exist.

 

Pete

[jimfishybob]

James,

 

Firstly, thanks for coming back. Sadly, work got in the way of me taking part in this conversation but I would appreciate it is you could answer the following question.

 

If I had a default, (settled or not), from, say, 4 years ago. There was no court judgement involved. There was no 'in-perpetuity' clause in the contract relating to data processing OR data controlling and the contract was terminated on the basis of this default. Which specific statute or act would allow you to go on processing, (or controlling), this data for the following six years.

 

Please don't reply with a paragraph explaining your position, simply the statute or act and it's verse and chapter numbers will suffice.

 

Many Thanks

 

Jim

[Glenn UK]

If we're holding public personal data for six years it makes sense to hold private personal data for the same amount of time.

 

Not sure if this is addressed further down in the thread but this nonsense.

 

A person acquires a serious debt problem for which they acquire a ccj could logically be for thousnads and thousands of pounds, the courts decide that this stays on the persons record for six years.

 

Then theres someone has a late payment for say a catalogue and perhaps ends up with a default over a fiver. Are you saying that the fiver and ccj have the same bearing on society?

 

As much as I have my doubts about the UK justice system in theory at least the thief who steals a fiver is dealt differently from the thief who steals five thousand pounds.

 

In the CRA business however, each are effectively treated with the same measure ie a record retained for six years on thier file.

 

One of the abilities and i must say the distinctions between professions and the rest, is that professionals working for a professsional company can make suitable distinctions rather than simply following a prescribed set of rules.

 

Generally 'rules' are useful to act as the guidance for wise men and the observance of fools.

 

Just an observation.

 

GLenn

[Guest Alison82]

I'm very surprised you couldn't get a decent mortgage with a credit report blemished only by one small-value four-year-old satisfied mail order default. Were you using an independent mortgage broker or an IFA?

 

I wasn't talking about me! Again this was an example

[andrew1]

My son has a finance status as clean as a whistle except for a default lodged by Hutchinson for a telephone that didn't work. He refused to pay and they defaulted him. The debt has since been repaid in full but under protest. He is 3o yrs of age, never had financial difficulties, been in full time employment with the same company for 7 yrs, he has just applied for a first time mortgage with Nationwide and refused because of this stupid default which they refuse to remove despite the phone rarely working. He then applied to HSBC who gave him the motgage once we had shown them the statutory notice to remove it but it is going to cost him over £1500 over three years above what he would have paid with Nationwide. THAT is how dangerous this whole issue is.

[JamesJ]

Not sure if this is addressed further down in the thread but this nonsense.

 

A person acquires a serious debt problem for which they acquire a ccj could logically be for thousnads and thousands of pounds, the courts decide that this stays on the persons record for six years.

 

Then theres someone has a late paymewnt for say a catalogue and perhaps ends up with a default over a fiver. Are you saying that the fiver and ccj have the same bearing on society?

 

As much as I have my doubts about the UK justice system in theory at least the thief who steals a fiver is dealt differently from the thief who steals five thousand pounds.

 

In the CRA business however, each are feectively treated with the same measure ie a record retained for six years on thier file.

 

One of the abilities and i must sday the distinctions between professions and the rest, is that professionlas working for a professsional company canmake suitable distinctions rather than simply folloiwng a prescribed set of rules.

 

Generally 'rules' are useful to act as the guidance for wise men and the observance of fools.

 

Just an observation.

 

GLenn

 

Yes but there's a subtle difference. Lenders do not share credit account data to penalise people. The factual information is shared so that, when you apply for credit, participating lenders can consult a CRA and check your borrowing behaviour over the past six years, including how much you currently owe on credit. Most of the account info we hold is completely up to date and helps people get credit quickly and easily when they want it and can afford it.

[JamesJ]

I wasn't talking about me! Again this was an example

 

Fair enough, but I don't think it's a very good example because the outcome you depict is, in my experience, unlikely. Lenders are always looking for good creditworthy customers and many would overlook such as blip, particularly if provided with a reasonable explanation.

[dayglo]

Good afternoon James,

Is it true that your employers asked you not to post on here recently? If this was true, has anything changed that means they are happy for you to post here?

[pford]

so JamesJ if a bank defaults my account in may 2003 they can put the default on your files in november 2005 some two and a half years later now thats not legal and you reckon you information is upto date?

[SurlyBonds]

Yes but there's a subtle difference. Lenders do not share credit account data to penalise people. The factual information is shared so that, when you apply for credit, participating lenders can consult a CRA and check your borrowing behaviour over the past six years, including how much you currently owe on credit. Most of the account info we hold is completely up to date and helps people get credit quickly and easily when they want it and can afford it.

 

A lot of it is neither up-to-date, nor accurate, and in relation to the contractual aspects, is either in breach of the contract terms or irrelevant in relation to the "public interest".

 

As per andrew's example above, the issuing of a default to CRAs is a ridiculous state of over-processing to which he has no appeal process.

 

I reiterate my earlier post:

"If we're holding public personal data for six years"

"public personal data" = ordered so, by a Court, after a hearing by a judge, having heard both arguments, and with parties allowed to make representation... and even then an appeal mechanism, and further facilities to overturn decisions in light of new evidence.

Judgements made after due diligence of the English Law, e.g. County Courts Act, Consumer Credit Act, Insolvency Act (Enterprise Act), etc... laws laid before Parliament, passed via a democratic process over 800 years old, argued, debated by those MPs duly elected by us, the people, then put before the Lords to apply the rationale behind those Acts.

That, my dear Watson, is called lawful democracy with due representation of the people affected by such judgements.

 

"it makes sense to hold private personal data for the same amount of time".

"private personal data" = at the sole discretion of a for-profit, share-capitalised organisation and their fellow fat-cat cronies.

 

Hmmmm.... now where in the dictionary did I see that word "equitable"???

 

 

Interesting that you have not replied to that post.

 

So, in light of these two very distinct methods, do you still contend that a bank's arbitrary say-so to issue a default notice should be allowed to hinder someone's credit file, which not only affects their credit rating, but can lose them their job, if they work in certain industries.

[dayglo]

Yes, if we've changed a policy following contact with the Information Commissioners Office I'd like to know more. Or the director's name so I can pop over tomorrow.

 

Hi James,

I would have pm you the data but I guess you have that option disabled.

an e-mail from me would identify me and enable you to link my offline world to my online world. I'm reluctant to do that.

 

the director in question had a famous 'half hour' comedy show named after him

[JamesJ]

My son has a finance status as clean as a whistle except for a default lodged by Hutchinson for a telephone that didn't work. He refused to pay and they defaulted him. The debt has since been repaid in full but under protest. He is 3o yrs of age, never had financial difficulties, been in full time employment with the same company for 7 yrs, he has just applied for a first time mortgage with Nationwide and refused because of this stupid default which they refuse to remove despite the phone rarely working. He then applied to HSBC who gave him the motgage once we had shown them the statutory notice to remove it but it is going to cost him over £1500 over three years above what he would have paid with Nationwide. THAT is how dangerous this whole issue is.

 

Of course I sympathise, but I would never advocate withholding payment to a lender (in this case network provider) because of a problem with the goods.

[JamesJ]

Hi James,

I would have pm you the data but I guess you have that option disabled.

an e-mail from me would identify me and enable you to link my offline world to my online world. I'm reluctant to do that.

 

the director in question had a famous 'half hour' comedy show named after him

 

He is not a director, he's a Consumer Compliance Executive in the Directors' Office.