Credit Reference Agencies Formal request to stop processing Data - Refused!!

[nicklea]

tigercub,

 

Further to HS's link I would also give you this as well:-

 

The Data Controller

Name of company

 

Notice Pursuant to Section 10, Data Protection Act 1998

Account No: xxxxxxxx

 

Dear Sir,

 

Take notice that I require you to cease entirely from processing, or else that you do not begin to process, any personal data of which I am the subject within 28 days of the receipt by you of this notice.

 

This includes particularly, but is not limited to, any processing involving the communication or passing of personal data of which I am the subject to any third party insofar as the said data relates wholly or in part to any alleged agreement between us.

This Notice is given on the ground that there is no signed agreement in existence that entitles you to process my personal data. If it is your contention that such an agreement exsists then I request that you supply me with a copy of the signed agreement as I am of the belief that no such signed agreement exists. Without this signed agreement you cannot process my data as I have not given my consent.

 

Further, the processing or continued processing by you of the said data will be likely to affect my credit rating and my reputation and cause substantial damage and/or distress to me in addition to that which may already have been caused and that as the processing of the said data in the way referred to in this notice would violate the first, fourth and sixth principles of the Data Protection Act 1998 to do so would be unwarranted.

 

If you fail to respond to this notice within the prescribed timescale I will make an application to the court under Section 10(4) Data Protection Act that you be ordered to comply with this notice.

 

 

If you have a read of section 10 you will understand why certain phrases have been used in this letter

[nicklea]

Hello Nicklea,

 

Thanks for your answer. The fact that they are taking data and more importantly publishing it must mean that they are processing the data surely. This played a key role in my case with the DWP last week - the detail of what constitutes processing data. Publishing it in a Credit File has to be processing it - in any libel cases it is the publisher of the data, not the processor who gets sued. In this case the processor and publisher are one and the same.

 

I look forward to your views on this one. Neither of us want the OP to go down the wrong lines!

 

Tingy,

 

Yes, Experian are processing data and are therefore Data Controllers. However, the important thing to remember is that the OP is attempting to prevent this by using section 12 DPA. But section 12 just deals with automated decision making.

 

Experian and the other CRAs are NOT making any decisions about the OP so they are not caught by section 12 and if the OP goes to court solely relying on section 12 then I would suggest that they do not stand a chance and will end up with a large costs bill from the other side.

 

The companies that would be making automated decisions are any creditors that the OP applies to for credit. If he requests it then they must comply with section 12. Examples would be banks, credit card companies, catalogue companies, mobile phone companies etc

 

One way forward I would suggest is section 10 DPA as above. Also give further consideration to the excellent point that surfer01 made, questioning if, once an agreement has been terminated whether, even if there was an enforceable agreement, that any rights to process data survive beyond the termination.

[nicklea]

Almoast forgot, I didn't mention it as I thought it was obvious. But I've learnt - never assume anything.

 

 

The section 10 notice goes to the original creditor or the debt purchaser if the debt has been sold.

[Tingy]

Tingy,

 

Yes, Experian are processing data and are therefore Data Controllers. However, the important thing to remember is that the OP is attempting to prevent this by using section 12 DPA. But section 12 just deals with automated decision making.

 

Experian and the other CRAs are NOT making any decisions about the OP so they are not caught by section 12 and if the OP goes to court solely relying on section 12 then I would suggest that they do not stand a chance and will end up with a large costs bill from the other side.

 

The companies that would be making automated decisions are any creditors that the OP applies to for credit. If he requests it then they must comply with section 12. Examples would be banks, credit card companies, catalogue companies, mobile phone companies etc

 

One way forward I would suggest is section 10 DPA as above. Also give further consideration to the excellent point that surfer01 made, questioning if, once an agreement has been terminated whether, even if there was an enforceable agreement, that any rights to process data survive beyond the termination.

 

Hi Nicklea,

 

Thanks for your reply and I agree that going to court relying on Section 12 would not be sensible. Anyway, we now have two good letters, one from HS that is a formal version of exactly what I originally stated, and the one from you which I note is carefully worded.

 

Hopefully with these two letters the OP can achieve his original aim without any need to go to court. It will be very interesting to see how the CRA's respond. My lurking doubt is something in agreements / contracts that you sign giving them permission to share your data with CRA's and for them to process it accordingly. Unfortunately I haven't got a copy of one to hand, but this would be my worry. It is still worth a go, and there is still a further route that could be taken using Common Law, but as I'm sure you know, you have to really know what you're doing to go that route. I have a huge interest in Common Law and have used it several times successfully, but not over anything like this, though I'm sure it could be.

 

Thanks as always for your ongoing help,

 

Tingy

[nicklea]

tingy,

 

Just to reiterate - the section 10 notice doesn't go the CRA it goes to the original crditor or debt purchaser.

 

It will only be effective if there is no signed agreement in existence. If there is an agreement then it is obvious that consent was given. If there is no agreement then they have no evidence of your having given consent.

[Bazooka Boo]

Nothing ventured nothing gained I say, S10 is defo the way as has previously been explained, well brought to CAGgers attention by fuzzybobble when the rules changed in April this year..

http://www.consumeractiongroup.co.uk/forum/showthread.php?254802-No-CCA-Processing-your-data-Get-them-a-huge-fine

[bigshoes...bigsocks]

subbing.

[Tingy]

Nothing ventured nothing gained I say, S10 is defo the way as has previously been explained, well brought to CAGgers attention by fuzzybobble when the rules changed in April this year..

http://www.consumeractiongroup.co.uk/forum/showthread.php?254802-No-CCA-Processing-your-data-Get-them-a-huge-fine

 

Just read the whole thread - really interesting thank you! Sadly no definite conclusion for RI as yet, or not that is published, so we don't know the outcome of his challenge.

 

What worries me is that despite the penalties being introduced, nothing seems to have changed with the DCA's and the CRA's which would indicate to me that they have not been adversely affected by the change in the law.

[tigercub]

Good morning all just to add further to the threads above - with regards to section 10 notice and when I have had time to go over my previous correspondance with them and the DCA I have already informed the creditor to stop processing data which has blatently been ignored to the point that the original creditor sold the debt on to a DCA unlawfully without any notice of assignation & NO termination notice they also sold the debt before the rectification date on the default notice rendering the account Unlawfully rescinded - This has been ignored by both the original creditor and the DCA to the point that the info on the CRA no shows that the DCA has taken over the account and is currently defaulting the account on a month to month basis - this is the main reason I wish to have the data removed from the CRA as the info should not be on there in the first place as they have no legal right to the debt or to process my data.

 

With regards to Section 10 for anyone that is interested please find below a draft letter on the subject:

 

Notice pursuant to s.10 of The Data Protection Act 1998.

 

Re: account no. XXXXXXXXX

Account holder. XXXXXXXXX

Address. XXXXXXXXXXXXXXXXXXXXXXXXX

Whereas I have been a customer of XXXXXXX Bank since XXXYEARXXX and whereas I consented in my contract with you to the disclosure by you of certain data to third parties, at no time did I consent and neither was it within the contemplation of the parties to the contract that I did consent to the processing by you of that data in any manner which would be unfair or inaccurate or which in any way would breach The Data Protection Act 1998

Therefore Take Notice that I require that you cease from processing within 7 days of the receipt by you of this notice or else that you do not begin to process any personal data of which I am the subject insofar as that processing involves the communication or passing of personal data of which I am the subject to any third party and insofar as the said data relates wholly or in part to the implementation by you of charges which have been applied to my account in respect of defaults or contractual breaches and where the said charges which have been levied at a rate which is in excess of the administrative costs incurred by you as a consequence of the said defaults or breaches contrary to The Common Law.

This Notice is given on the grounds that the processing or continued processing by you of the said data will be likely to affect my credit rating and my reputation and cause substantial damage and/or substantial distress to me and my family members in addition to that which may already have been caused and that as the processing of the said data in the way referred to in this notice would violate the fourth, first and sixth principles of The Data Protection Act 1998 to do so would be unwarranted.

[jimbo45]

Hi all

I thought one of the main provisions of the act - in fact the reason why the act was conceived in the first place - was to ensure that NO PRIVATE AND CONFIDENTIAL DATA is passed to third parties.

 

If say CAGGER A contacts me for data about CAGGER B and assuming I had it I would be breaking the law if I passed this information on.

 

It's the same say if you previously worked say at BP and another firm rings up and wants information --the only information they are allowed to pass on is stuff that's in the public domain such as Candidate XXXX worked here from date1 to date2.

 

I'm not sure HOW these "Tittle Tattle" companies such as experian are allowed to pass on to 3rd parties private data such as credit card details etc etc.

 

After all I can't go into a Bank and get the current account details for another Customer --or at least I hope I can't without a Court Order.

 

These agencies most DEFINITELY should be shut down.

 

Cheers

jimbo

[tigercub]

jimbo45 I totally agree with you

 

It's more the fact that they can print what they want even though it is untrue and then the onus is back on the consumer to fight there side and prove otherwise. what happened to innocent until proved guilty! Its very much like trial by media, The DCA or the OC can tell the credit reference agencies what they want (Within reason) its then up to me or you to argue that with them however if they refuse to remove the data your screwed for 6 years!!! its absolutely shocking

[nicklea]

Hi all

I thought one of the main provisions of the act - in fact the reason why the act was conceived in the first place - was to ensure that NO PRIVATE AND CONFIDENTIAL DATA is passed to third parties.

 

I'm not sure HOW these "Tittle Tattle" companies such as experian are allowed to pass on to 3rd parties private data such as credit card details etc etc.

 

Simply because you sign an agreement saying that you allow them to do that

[jimbo45]

Hi there

Surely there are 2 things wrong with this

 

1) Even if you DO sign it's STILL against the LAW. The LAW trumps everything else so they STILL have no right to deliver to 3rd parties even if you agree to it.

 

For example I could take a "Hit Contract" using an Albanian colleague against a really NASTY DCA Solicitor. Now this Contract in no way is valid in Law even if I "Sign" an agreement.

 

 

2) A contract forced "Under Duress" is not in English Law enforceable.

 

Cheers

 

jimbo

[nicklea]

Hi there

Surely there are 2 things wrong with this

 

1) Even if you DO sign it's STILL against the LAW. The LAW trumps everything else so they STILL have no right to deliver to 3rd parties even if you agree to it.

 

I would suggest that you are mistaken in your belief. Would you care to point out which particular section of which particular Act you feel has been contravened.

 

 

2) A contract forced "Under Duress" is not in English Law enforceable.

 

Oh that is just fantastic - so they held a gun to your head and forced you to sign a credit card agreement did they. Or what other 'duress' did they use to get you to sign the agreement

[Bazooka Boo]

1) Even if you DO sign it's STILL against the LAW. The LAW trumps everything else so they STILL have no right to deliver to 3rd parties even if you agree to it.

For example I could take a "Hit Contract" using an Albanian colleague against a really NASTY DCA Solicitor. Now this Contract in no way is valid in Law even if I "Sign" an agreement.

2) A contract forced "Under Duress" is not in English Law enforceable.

 

There are two points regarding this, the first is that regardless or not you have a signed contract to take a 'hit' on anyone, this is illegal, and as you say the Law trumps everything.

Secondly, under what duress are you signing an agreement, it is there for all to see in black and white, albeit with a magnifying glass granted, but it's not like they're holding your dog by the scruff of the neck out of a 20 story window?

 

I completely see what and agree with your point, in that you have not given your verbal agreement for DCA's to be processing and passing on your data to CRA's or other DCA's, but I feel this is not the way to attack it, after all, any agreement you sign will say in the small print that they retain the right to pass your details onto third parties in the event of default or whatever, if a third party (DCA) then buys the debt under the law of property act and all the rights to it, then I can see why they are adamant that they are doing no wrong in processing your data, as much as it pains me to say it.

IF however, they are merely acting on behalf of their client then correct it is not for said DCA to be passing your data to another DCA, which is where this corrupt industry hides behind their numerous puerile names under the guise of Solicitors or other DCA's, this is where I think the angle of attack should be focused, why does Lowell group, for instance, need to use three different trading styles? Is this a vain attempt at exploiting the debtors lack of knowledge? Yes. Is this to confuse the debtor? Yes, is it to put psychological pressure on, and intimidate the debtor? Yes.

That is what the OFT and TS need to get a grip of.

[mr2mr2]

is there an update to this ???

[tigercub]

Apologies I have not sent an update to this since my emails to all 3 of the Credit Refernce Agencies: The basic state of play is at the moment all 3 of the agencies have come back and said that they have contacted the Original Creditor and they have confirmed existence of the account therefore they will not remove the date however I can add a notice of correction:

 

I have replied as follows and I am still awaiting replies from all 3 CRA's

 

 

Thank you for your email with regards to ************ Bank

 

I am shocked and dismayed that you feel that you can process data on the hearsay of a company without any proof of what they are saying to be true.

 

I therefore request that you put the Original Creditor and Or ***** (The DCA) to strict proof that any such paperwork has been sent and/or received by me as the defendant. I can assure you that they have failed to comply with any such requests since communications began in April of 2009.

 

The defendant has been in constant communication with ******** through written correspondence since April 2009 with regards to requests for a true and signed copy of the alleged agreement they refer to. This was my right under ********** obligation to supply a copy of the agreement under the legislation contained within s.78 (1) Consumer Credit Act 1974 (s.77 (1) for rolling sum credit) - their obligation also extends to providing a statement of account to which to date the defendant still does not have all the information.

 

With this in mind ********* Bank have also recorded a default against the defendants credit file with all three of the credit reference agencies which the defendant believes have been applied unlawfully as they have no legal right to the debt.

 

I formally request that you remove the data as previously requested until you or they can provide strict proof of the debt.

Yours sincerely

[Tingy]

Excellent letter! I have a real interest and developing expertise in the DPA. I am sure I read somewhere last week that there is indeed a duty on the data controller of the CRA to enssure the information supplied by whoever is indeed accurate. This would make sense as they are undoubtedly processing the data if not only by publishing it, so the eight enforceable principles of the DPA come into play, one is which is ensuring accuracy. I'm just off to look at the Schedules of the DPA which is whre I think I read it. If I find it I'll return and add it.

 

Not the bit I was looking for, but if they have no CCA Agreement and the account is in dispute I would have thought this should be reasonable grounds. Mind you, best of luck with the ICO - not known for wielding their powers!

 

Under PART 3

10 Right to prevent processing likely to cause damage or distress.

 

(1)Subject to subsection (2), an individual is entitled at any time by notice in writing to a data controller to require the data controller at the end of such period as is reasonable in the circumstances to cease, or not to begin, processing, or processing for a specified purpose or in a specified manner, any personal data in respect of which he is the data subject, on the ground that, for specified reasons—

(a)the processing of those data or their processing for that purpose or in that manner is causing or is likely to cause substantial damage or substantial distress to him or to another, and

(b)that damage or distress is or would be unwarranted.

 

 

 

 

ALSO

http://www.ico.gov.uk/for_organisations/data_protection/the_guide/information_standards/principle_4.aspx

 

Only takes a minute or two to read, so plough through the boring start!

Edited March 3, 2011 by Tingy

[tigercub]

Tingy from what I understand you are totally correct: For reference here is a copy of the initial letters sent to the DCA:

 

This is a formal notice, served under the provisions of Chapter 29 of the Data Protection Act 1998 in requesting that you conform to my demand for a change in the manner in which you hold and process subject data about me.

 

As you are no doubt aware, Part II, Section 12 (1) of the said Act allows all data subjects the right to insist on the removal of any and all data from automated processes in respect of matters relating to them. I have reproduced that clause for your information, in case you do not have a copy to hand:

 

“An individual is entitled at any time, by notice in writing to any data controller, to require the data controller to ensure that no decision taken by or on behalf of the data controller which significantly affects that individual is based solely on the processing by automatic means of personal data in respect of which that individual is the data subject for the purpose of evaluating matters relating to him such as, for example, his performance at work, his creditworthiness, his reliability or his conduct”

 

You will note the exact language of the Act, in that such a request may be made in relation to a number of different reference checks "which significantly affects that individual", and the Acts specifically cites "credit worthiness" as one of those examples.

 

Recent checks on my file have caused severe complications, and now "significantly affect" my everyday life, and that of my family. An additional point to note is that issues of this nature that adversely affect "normal family life" are in breach of the Human Rights Act.

 

Therefore, you have seven days from receipt of this letter to remove all such data from your system where it is referenced and processed via automated processes. You will obviously need to transfer it to your manual process system and alert your customers that my data can no longer be searched via an automatic process.

 

I look forward to receiving your confirmation that the above change has been made to my file at the end of that seven day period.

 

To that end, and with the festive season upon us I look forward to receiving your confirmation by close of business Friday 7th January 2011 this giving you additional time to conform to my formal demand.

[Tingy]

You do realise if it breaches the DPA it auomatically breaches the Human Rights Act as the DPA 1998 was absorbed in its entirity into the Human Right Acts 2000. I've argued this point so many times and most disagree with me - I'm convinced I'm right and it's good to find someone who agrees with me. I've definitely found reference recently to the CRA being a Data Controller in themselves, so they must abide by the same principles as any other Data Controller. Yes, they can ask and assume it's right, but where there is reasonable doubt they should conduct their own investigations (or face the consequences) and good practice, dictated by the ICO says THEY should place a marker against the entry saying that data is in dispute so cannot be relied on.

 

Good luck!

[nicklea]

With this in mind ********* Bank have also recorded a default against the defendants credit file with all three of the credit reference agencies which the defendant believes have been applied unlawfully as they have no legal right to the debt.

 

Why do you say this? Do you deny ever having a loan and/or credit card with this bank?

 

There is a whole world of difference between what is needed to enforce an agreement in court and what is needed to demonstrate that you borrowed the money and haven't paid it back. It is the latter that is needed in order to record a default with the CRA - nothing more.

 

What you need to do is to take this up with the creditor usaing section 10 DPA. I believe that this was mentioned to you earlier in this thread.

 

I really would suggest that trying to go after the CRAs is not going to be fruitful.

 

EDIT

 

ps Why do you refer to yourself as a Defendant in this letter?

[Tingy]

Nick,

 

This is what I said just 3 posts ago as the main prong of attack. However there are other things that could support this from the DPa and with albeit Guidance from the ICO.

[nicklea]

tigercub,

 

I'm sorry but I really do have a lot of issues with your letter from the very minor to the very significant. I'm writing this mainly for the benefit of any others reading this thread as I guess that you are pretty much determined upon this course of action.

 

This is a formal notice, served under the provisions of Chapter 29 of the Data Protection Act 1998 in requesting that you conform to my demand for a change in the manner in which you hold and process subject data about me.

 

First of all, just a very very minor point., it is NOT chapter 29 of the DPA. It is, if anything, the other way round. The DPA is the 29th Act passed in that year. As an example, the 29th Act passed the previous year was the Local Government Rating Act and the following year was the Greater London Authority Act. Last year, the 29th Act passed was the Flood and Water Management Act. This is all that c.29 means. I really would suggest that if you don't understand something then you ask for advice.

 

 

As you are no doubt aware, Part II, Section 12 (1) of the said Act allows all data subjects the right to insist on the removal of any and all data from automated processes in respect of matters relating to them.

I'm afraid that you really are totally wrong about this. Please reread the actual section, you actually quoted it in your letter:-

I have reproduced that clause for your information, in case you do not have a copy to hand:

 

“An individual is entitled at any time, by notice in writing to any data controller, to require the data controller to ensure that no decision taken by or on behalf of the data controller which significantly affects that individual is based solely on the processing by automatic means of personal data in respect of which that individual is the data subject for the purpose of evaluating matters relating to him such as, for example, his performance at work, his creditworthiness, his reliability or his conduct”

As you can see from reading the above, you are entitled to 'insist' that no decision is taken based soley on automated processing. However, and I am sure that you have read the whole section of the Act, I am sure that you are aware that there are a lot of exempt decisions that companies can take regardless of any 'insistence' on your part.

 

However, as is obvious from your quote of the act above, you do not have the right to 'insist' that:-

 

the right to insist on the removal of any and all data from automated processes in respect of matters relating to them.

You cannot insist on the removal of your data, you can ONLY 'insist' that they do not take automated decisions which are not exempt decisions within the meaning of the section

 

 

You will note the exact language of the Act, in that such a request may be made in relation to a number of different reference checks "which significantly affects that individual", and the Acts specifically cites "credit worthiness" as one of those examples.

This bit of your letter is, I would suggest, absolutely meaningless. The act does not mention 'reference checks', it just refers to decisions being made solely on the basis of automated processing.

 

Recent checks on my file have caused severe complications

A decision on whether or not to make a check on your credit reference file would, I suggest, not have been made on a purely automated basis. It would have involved human interaction

In addition, I would also suggest, that the making of a single or a couple of credit checks, even if they were purely automated, would not affect your credit rating. Your credit rating would only be affected to a certain extent if you had a large number of checks for new credit within a short space of time. Otherwise, checks of your credit file will not affect your credit worthiness.

 

 

and now "significantly affect" my everyday life, and that of my family. An additional point to note is that issues of this nature that adversely affect "normal family life" are in breach of the Human Rights Act.

Oh my God. I almost fell out of my chair laughing at this. I presume that you have read the relevant parts of the Human Rights Act and the European Convention on Human Rights?

 

For the benefit of others reading this thread I will include the relevant article here:-

 

Article 8

Right to respect for private and family life

 

1 Everyone has the right to respect for his private and family life, his home and his correspondence.

 

2 There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

Now let's see, is a debt collection agency or a credit reference agency a public authority? - answer NO.

I really would suggest that you are wasting your time with this. I'll give you examples of where Article 8 has successfully been used:-

 

The prison service used to open letters between prisoners and their lawyers. This was challenged on the grounds of legal privilege and under Article 8. It was held that it was a breach of the prisoners' Article 8 rights for their correspondence with their lawyers to be opened.

 

There was also another group of offenders where the police where attempting to get around the necessity of getting a search warrant before entering the premises of these offenders and the court of appeal held that this was not allowed under various other laws and that it was also in contravention of Article 8.

 

These are examples of where Article 8 comes into play. I really would suggest that you cannot sensibly attempt to use it because they have made a credit check on you.

 

 

Therefore, you have seven days from receipt of this letter to remove all such data from your system where it is referenced and processed via automated processes. You will obviously need to transfer it to your manual process system and alert your customers that my data can no longer be searched via an automatic process.

This has got nothing to do with making automated decisions under section 12. Also, what customers do you think DCAs have? If you think that they are sharing your data with other people then you need to be quoting section 10 not section 12. You said that this was a letter that you sent to a DCA, but from this sentence, this almost sounds like a letter that you sent to a CRA. This is very confusing as you really will not succeed, I would suggest, in any action against a CRA.

 

 

To be honest with you, if you are really serious about this, I would suggest that the only way forward with this is to serve a section 10 notice on the appropriate companies and then, when they invariably fail to respond, start a claim in the county court against them.

 

Otherwise, writing letters such as this - while it may well help to vent your anger - won't, in my opinion, achieve very much, if anything at all.

Edited March 3, 2011 by nicklea

[247orbital]

The whole problem with CRA's is that they take the DCA's word for anything they process, even if you supply them with evidence that the DCA has made an error they will still not remove the information from your credit file. The DCA must give them permission to alter or remove any information they give to Experian/Equifax etc.

Any queries are simply referred back to who ever owns the debt etc. I'm going to tackle an error on my CF by sending letters containing all the information to both the CRA and DCA and go from there. If they refuse to remove the listing I will after the 28 days give them another 7 days then just go straight to the LBA and take both to court.

[Tingy]

I agree with you that the whole notion of a CRA having a Data Dontroller of its own as they are without doubt processing and publishing your data seems to have got lost somewhere along the line. This is completely wrong, and while I don't necessarily dispute the CRA truusting the banks etc... who pass the data to them, indeed the DPA allows for exactly this. However, if queried then they ought to be doing something more substantial than going back and asking , "Are you sure this is right? Yes, OK then" and leaving your file unaltered. To my mind this undermines the whole purpose of the act and goes directly against some of the eight enforceable underlying principles of it.