NEED ADVICE ON HOW TO FILL IN POC'S - CRA denied my Automatic decission request

[car2403]

Yes absolutely agree with Car, your argument lay with the Data Controller (the creditors) and not with the Data Processor (the CRAs), however, if you have defaulted on any obligation under a contract with your creditors, then, if you have signed such contract or document giving express consent for disclosure/processing of your personal data, you will not have a valid argument against them.

 

See, I disagree with what they say, TM, but unfortunately I'm not rich enough to take them on and risk losing. I believe that the CRA's are DC's, within the definition within the Act, as they are receiving information and processing it as outlined there. In fact, there's an argument that those (Experian, is it?) that calculates your 'credit score' definately do this, as they aren't just a 'conduit' for the information, they are actually processing it in some way and making it different from the source.

 

I chose to take on the OC's, though, which seemed successful. There are lots of threads where they weren't successful, though, so all this needs to be tempered with the usual warnings.

 

If there is no express consent substantiated by any creditor of you, then you can request that they cease processing of your personal data (as stated by nicklea).

 

Consent is another area of concern, especially as the I.C.O seems to think that consent can be implied rather than being express.

 

anyway Guys if i swith to my own thread, i fear i may get lost in the jungle of unanswered threads!

 

so i will just change the title if thats ok with you guys and would be grateful if you could follow me on my journey to get these removed.

 

I think you need one for each OC, BH - this will get mighty confusing having more than one to a thread. I know, because I tried to do that with 2 x HFC claims (thinking, "same company, so should be easy on the same thread") then site team (this was before I joined) had to split the thread and it ended up all over the place - even now, I'm not sure those threads are easily understandable.

 

If you start one for each, post a link to each here and we'll all sub to them all

[bh2362]

thanks Car I will do now.

 

B

[nicklea]

See, I disagree with what they say, TM, but unfortunately I'm not rich enough to take them on and risk losing. I believe that the CRA's are DC's, within the definition within the Act, as they are receiving information and processing it as outlined there. In fact, there's an argument that those (Experian, is it?) that calculates your 'credit score' definately do this, as they aren't just a 'conduit' for the information, they are actually processing it in some way and making it different from the source.

 

Yes they are data controllers, but the important thing to remember is that, while they may be processing data, they are not taking any automated decisions. bh was going to go to court based on section 12 which deals just with automated decision making. I would suggest that the CRAs do not take any decisions and so he really had no case against the CRAs

[car2403]

Yes they are data controllers, but the important thing to remember is that, while they may be processing data, they are not taking any automated decisions. bh was going to go to court based on section 12 which deals just with automated decision making. I would suggest that the CRAs do not take any decisions and so he really had no case against the CRAs

 

Agreeing to disagree is the order of the day, then, I think - how can they process anything without automated decision making happening, unless they can show that the OC/DC has direct access to their databases to enter the data themselves, which is displayed without further interference? Rhetorical question, as we may never know the answer.

 

How can we prove they are DC's, then? The Act seems to cover their use of data, but it's mighty risky if you ask me.

[Ruprecht]

You would be best just sticking to making a complaint to the ICO and seeing how they respond. A court claim will take even longer probably anyway.

 

The ICO complaint is free and no risk. The CRA will simply defend saying "we don't make any credit decisions"......

 

Don't go near a court unless you are 100% sure you know what you are doing, best case is you may waste a lot of time, worst case is they will go after you for costs! The CRAs send large law firms to defend...

 

If the ICO say you don't have a basis for a claim then you know it is a complete non-starter.

[bh2362]

hi guys a link to one of my threads

 

http://www.consumeractiongroup.co.uk/forum/showthread.php?289102-please-help-Barclays-took-375-out-of-my-bank-account-today-for-an-old-debt/page2

 

please comment

 

Thanks

[car2403]

You would be best just sticking to making a complaint to the ICO and seeing how they respond. A court claim will take even longer probably anyway.

 

are you sure? It took the ICO a year to tell me that Barclays hadn't complied with the DCA after failing to reply to a DSAR within the prescribed period. They 'wrote' to Barclays to ask them to comply in future. When I queried what they would 'actually' do about it, they said they were working with Barclays on improving their procedures, but they couldn't award damages and invited me to take them to Court for a Court to decide those issues and act accordingly.

 

Don't go near a court unless you are 100% sure you know what you are doing, best case is you may waste a lot of time, worst case is they will go after you for costs! The CRAs send large law firms to defend...

 

I'd disagree - there's limited risk going to Court, financially, should the claim be worded correctly and be allocated to the small claims track where costs are limited and rarely awarded. Agreed it's more complicated going after the CRA, but I think we've won BH around on that front

 

If the ICO say you don't have a basis for a claim then you know it is a complete non-starter.

 

Yes, but selling an ashtray for a motorbike doesn't mean that no one will buy it. Or a chocolate fireguard. The ICO are jumped up office monkeys with no power - anyone remember the 'sleepwalking in to a CCTV society' news story from them a few years ago? What's happened there, then? Nowt!

 

Oh, I'm on one today...

[bh2362]

are you sure? It took the ICO a year to tell me that Barclays hadn't complied with the DCA after failing to reply to a DSAR within the prescribed period. They 'wrote' to Barclays to ask them to comply in future. When I queried what they would 'actually' do about it, they said they were working with Barclays on improving their procedures, but they couldn't award damages and invited me to take them to Court for a Court to decide those issues and act accordingly.

 

 

 

I'd disagree - there's limited risk going to Court, financially, should the claim be worded correctly and be allocated to the small claims track where costs are limited and rarely awarded. Agreed it's more complicated going after the CRA, but I think we've won BH around on that front

 

 

 

Yes, but selling an ashtray for a motorbike doesn't mean that no one will buy it. Or a chocolate fireguard. The ICO are jumped up office monkeys with no power - anyone remember the 'sleepwalking in to a CCTV society' news story from them a few years ago? What's happened there, then? Nowt!

 

Oh, I'm on one today...

 

dont worry chris its Friday tommorow mate

[The Mould]

OK Dudes and Dudessess

 

Without arguing of course, the CRA are Data Processors and Not Data Controllers.

 

Take for example:

 

One has a credit agreement (properly executed) with his creditor, the agreement contains a clause stating that you agree that the creditor can disclose/process your personal information to third parties in relation to your credit facility with him, you sign said contract/agreement, you have entered into a legally binding contract for said credit facility and you have given your express consent to the creditor granting him a lawful right under the Data Protection Act 1998 to process/disclose your subject data to third parties (and without doubt, within his organization).

 

So the creditor [is] the Data Controller, he is in controll of all relevant personal data relating directly to you.

 

Say you default on the contract - you miss a payment or some payments and cannot make up the arrears, the creditor instructs a third party (the DCA) to recover the sum owing, the DCA is then the Data Processor of your personal information, the creditor is the controller.

 

The same principle applies to the CRAs, they [are] Data Processors of your personal information, the creditor is the controller.

 

I hope that helps somewhat. (no offence intended to anyone on this thread)

 

Kind Regards

 

The Mould

[car2403]

Data controller means … a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.

 

http://www.ico.gov.uk/for_organisations/data_protection/the_guide/key_definitions.aspx

 

My view is that the CRA becomes a DC when they refuse to remove inaccurate data once the Data Subject has pointed it out.

 

There is no relationship between the DS and the CRA. if they aren't a DC, then they can't process data relating to the DS.

 

Of course this is a bit easier to understand when you move away from the consumer credit issues. Take, for example, walking through a Train Station - if they capture you on CCTV, they are a DC. Capturing photo images is the same as processing your credit reference information without a contract relationship. The difference being I know it's you on CCTV, because I can see you, but I don't know if the credit information they hold about you is accurate - and they don't care either way. (Them being paid to hold it)

[Ruprecht]

hi mould,

 

most of them are not im afraid. nearly all of the are defective i.e wrong layout and dont give enough time.

also the ones like barclays have not ever produced a signed agreement.

Argos is a signed application.

2 x Shop Direct - need i say more about them

HSBC - had a letter bank from them yesterday saying they do not have a signature for a bank account to conform with DPA.

HSBC - Credit card - faulty default have written to them no reply, the CCA request they sent a bank application form, and copy of terms and conditions.

Have done sars on most of these none produced a written agreement.

 

hope this give you an idea

 

B

 

So you have 5 accounts that have gone south, albeit with faulty default notices and maybe unenforceable agreements?

 

Why do you think going to manual processing will help you in anyway?

 

What are you trying to achieve?

 

Maybe you could do a CIFAS protected registration, that should force everything to go manual:

 

http://www.cifas.org.uk/pr

[The Mould]

Good evening bh and all

 

Very briefly, here is a bit more info from the ICO.

 

Data controller means … a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.

A data controller must be a “person” recognised in law, that is to say:

individuals;

organisations; and

other corporate and unincorporated bodies of persons.

 

Data controllers will usually be organisations, but can be individuals, for example self-employed consultants. Even if an individual is given responsibility for data protection in an organisation, they will be acting on behalf of the organisation, which will be the data controller.

 

In relation to data controllers, the term jointly is used where two or more persons (usually organisations) act together to decide the purpose and manner of any data processing. The term in common applies where two or more persons share a pool of personal data that they process independently of each other.

 

Data processor, in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.

 

Data processors are not directly subject to the Act. However, most data processors, if not all, will be data controllers in their own right for the processing they do for their own administrative purposes, such as employee administration or sales.

 

Data controllers remain responsible for ensuring their processing complies with the Act, whether they do it in-house or engage a data processor. Where roles and responsibilities are unclear, they will need to be clarified to ensure that personal data is processed in accordance with the data protection principles. For these reasons organisations should choose data processors carefully and have in place effective means of monitoring, reviewing and auditing their processing. We have published a good practice note on Outsourcing: a guide for small and medium-sized businesses, which gives more advice about using data processors.

 

Who determines the “purpose and manner” of processing?

A person is only a data controller if, alone or with others, they “determine the purposes for which and the manner in which any personal data are processed”. In essence, this means that the data controller is the person who decides how and why personal data is processed. However, we take the view that having some discretion about the smaller details of implementing data processing (ie the manner of processing) does not make a person a data controller.

So, when deciding who is a data controller, we place greatest weight on purpose – identifying whose decision to achieve a “business” purpose has led to personal data being processed.

 

What about processing that is required by law?

The Data Protection Act says:

 

Where personal data are processed only for purposes for which they are required by or under any enactment to be processed, the person on whom the obligation to process the data is imposed by or under that enactment is for the purposes of this Act the data controller.

 

Our view is that this provision applies wherever there is a statutory duty that involves the publication or use of personal data. We do not think that it should be interpreted more narrowly – as applying only where there is an express statutory duty to process personal data – because obligations imposed by legislation other than the Data Protection Act do not usually refer to processing personal data.

 

So, if performing a legal duty necessarily involves processing personal data, the person required to process such data will be the data controller and will be legally responsible for ensuring that the processing complies with the Act.

This is the case even if processing personal data is an inevitable, but not the main, part of performing the legal duty. If performing a legal duty directly or indirectly involves processing personal data, the organisation under the duty will be the data controller in relation to such data processing.

 

Sometimes, an organisation is subject to a duty that requires processing personal data, but delegates its performance to another person. In these circumstances the person with the overall responsibility for achieving the purpose, or performing the function, bears the responsibilities of the data controller. We place greatest weight on purpose rather than manner of processing – identifying whose decision to achieve a business purpose (or to carry out a statutory function) has led to personal data being processed

 

Kind Regards

 

The Mould

　

Edited February 10, 2011 by The Mould
Paragraph space

[bh2362]

Good evening bh2362

 

I would like to make a suggestion to you if I may.

 

So, if you are seeking an Order from the court to enforce compliance of the Data Controller with your Notice/request made under said section of the DPA 1998, you will need to make an application to the court asking for this Order to be made, that is done by way of Application notice (N244).

 

Under s12(1) you have requested that said processing be stopped because processing by such means as automated means significantly affects or has affected you, the subject of the data being processed by automatic means.

 

You will need to show how said processing is or has significantly affected you.

 

If you are claiming compensation for damage and distress as a result of what you alledge /contend is a contravention of the DPA by the data controller, then your claim form N1 should state that you seek compensation under sec 13 of the Data Protection Act 1998 for damage and distress.

 

So you are looking at two different actions here.

 

I hope that will help you somewhat.

 

Kind Regards

 

The Mould

 

Hi The mould,

Thank you for the help in this thread, I was hoping from yourself some guidance on how to fill out an application to enforce an act.

the reason behind this is I have been sending letters backwards and forth to shop direct, the last letter was "if they dont provide the document that contains my consent" then I have asked them to comply with section 10 of the DPA.

I now want to know how I fill out an application, they have ignord this letter now for 21 days, it therefore has been ignored by them, they are just laughing at me.

anyone who can help me or point me to a good thread where someone has done the same, i would be grateful.

 

regards

BH

[thepalace1]

sub'ing with interest, am going through same process with numerous oc/dca

[The Mould]

Hello bh

 

Here is some info for you.

 

OK, here are the relevant sections of the DPA that apply to your case, you probably already are familiar with these sections, nonetheless, read through them over and over until you can recite them of by heart.

1. You should make you application into the court requesting that the court grants an order under sections 10(1) and 12(1),(2)(b) of the Data Protection Act 1998 and serves it upon the Defendant.

2. The reason you have made the application is because the Defendant has failed to comply with your Notice dated (put date) which has been served upon the Defendant pursuant to your rights under said sections of said act.

Your Application Notice (N244) should cost £75. You should prepare and file your Witness Statement detailing the facts of this matter and serve attached to your application, also make copies of your evidence (documents) that you intend to rely upon in support of your application (mark them – Exhibit JS1, JS2 and so on (if your name is John Smith, then use your initials = JS1, JS2 etc, etc)) serve copies of all of your documents attached to your application also.

Serve a copy of your application, Witness Statement and all supporting documents upon the Defendant, state that you have done this in your Witness Statement.

File your application to court and wait until the court send you a notification in respect of your application.

10 Right to prevent processing likely to cause damage or distress.

E+W+S+N.I.

(1)Subject to subsection (2), an individual is entitled at any time by notice in writing to a data controller to require the data controller at the end of such period as is reasonable in the circumstances to cease, or not to begin, processing, or processing for a specified purpose or in a specified manner, any personal data in respect of which he is the data subject, on the ground that, for specified reasons—

(a)the processing of those data or their processing for that purpose or in that manner is causing or is likely to cause substantial damage or substantial distress to him or to another, and

(b)that damage or distress is or would be unwarranted.

(2)Subsection (1) does not apply—

(a)in a case where any of the conditions in paragraphs 1 to 4 of Schedule 2 is met, or

(b)in such other cases as may be prescribed by the [F1 Secretary of State] by order.

(3)The data controller must within twenty-one days of receiving a notice under subsection (1) (“the data subject notice”) give the individual who gave it a written notice—

(a)stating that he has complied or intends to comply with the data subject notice, or

(b)stating his reasons for regarding the data subject notice as to any extent unjustified and the extent (if any) to which he has complied or intends to comply with it.

(4)If a court is satisfied, on the application of any person who has given a notice under subsection (1) which appears to the court to be justified (or to be justified to any extent), that the data controller in question has failed to comply with the notice, the court may order him to take such steps for complying with the notice (or for complying with it to that extent) as the court thinks fit.

(5)The failure by a data subject to exercise the right conferred by subsection (1) or section 11(1) does not affect any other right conferred on him by this Part.

12 Rights in relation to automated decision-taking.

E+W+S+N.I.

(1)An individual is entitled at any time, by notice in writing to any data controller, to require the data controller to ensure that no decision taken by or on behalf of the data controller which significantly affects that individual is based solely on the processing by automatic means of personal data in respect of which that individual is the data subject for the purpose of evaluating matters relating to him such as, for example, his performance at work, his creditworthiness, his reliability or his conduct.

(2)Where, in a case where no notice under subsection (1) has effect, a decision which significantly affects an individual is based solely on such processing as is mentioned in subsection (1)—

(a)the data controller must as soon as reasonably practicable notify the individual that the decision was taken on that basis, and

(b)the individual is entitled, within twenty-one days of receiving that notification from the data controller, by notice in writing to require the data controller to reconsider the decision or to take a new decision otherwise than on that basis.

(3)The data controller must, within twenty-one days of receiving a notice under subsection (2)(b) (“the data subject notice”) give the individual a written notice specifying the steps that he intends to take to comply with the data subject notice.

(4)A notice under subsection (1) does not have effect in relation to an exempt decision; and nothing in subsection (2) applies to an exempt decision.

(5)In subsection (4) “exempt decision” means any decision—

(a)in respect of which the condition in subsection (6) and the condition in subsection (7) are met, or

(b)which is made in such other circumstances as may be prescribed by the [F1 Secretary of State] by order.

(6)The condition in this subsection is that the decision—

(a)is taken in the course of steps taken—

(i)for the purpose of considering whether to enter into a contract with the data subject,

(ii)with a view to entering into such a contract, or

(iii)in the course of performing such a contract, or

(b)is authorised or required by or under any enactment.

(7)The condition in this subsection is that either—

(a)the effect of the decision is to grant a request of the data subject, or

(b)steps have been taken to safeguard the legitimate interests of the data subject (for example, by allowing him to make representations).

(8)If a court is satisfied on the application of a data subject that a person taking a decision in respect of him (“the responsible person”) has failed to comply with subsection (1) or (2)(b), the court may order the responsible person to reconsider the decision, or to take a new decision which is not based solely on such processing as is mentioned in subsection (1).

(9)An order under subsection (8) shall not affect the rights of any person other than the data subject and the responsible person.

13 Compensation for failure to comply with certain requirements.

E+W+S+N.I.

(1)An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage.

(2)An individual who suffers distress by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that distress if—

(a)the individual also suffers damage by reason of the contravention, or

(b)the contravention relates to the processing of personal data for the special purposes.

(3)In proceedings brought against a person by virtue of this section it is a defence to prove that he had taken such care as in all the circumstances was reasonably required to comply with the requirement concerned.

14 Rectification, blocking, erasure and destruction.

E+W+S+N.I.

(1)If a court is satisfied on the application of a data subject that personal data of which the applicant is the subject are inaccurate, the court may order the data controller to rectify, block, erase or destroy those data and any other personal data in respect of which he is the data controller and which contain an expression of opinion which appears to the court to be based on the inaccurate data.

(2)Subsection (1) applies whether or not the data accurately record information received or obtained by the data controller from the data subject or a third party but where the data accurately record such information, then—

(a)if the requirements mentioned in paragraph 7 of Part II of Schedule 1 have been complied with, the court may, instead of making an order under subsection (1), make an order requiring the data to be supplemented by such statement of the true facts relating to the matters dealt with by the data as the court may approve, and

(b)if all or any of those requirements have not been complied with, the court may, instead of making an order under that subsection, make such order as it thinks fit for securing compliance with those requirements with or without a further order requiring the data to be supplemented by such a statement as is mentioned in paragraph (a).

(3)Where the court—

(a)makes an order under subsection (1), or

(b)is satisfied on the application of a data subject that personal data of which he was the data subject and which have been rectified, blocked, erased or destroyed were inaccurate,

it may, where it considers it reasonably practicable, order the data controller to notify third parties to whom the data have been disclosed of the rectification, blocking, erasure or destruction.

(4)If a court is satisfied on the application of a data subject—

(a)that he has suffered damage by reason of any contravention by a data controller of any of the requirements of this Act in respect of any personal data, in circumstances entitling him to compensation under section 13, and

(b)that there is a substantial risk of further contravention in respect of those data in such circumstances,

the court may order the rectification, blocking, erasure or destruction of any of those data.

(5)Where the court makes an order under subsection (4) it may, where it considers it reasonably practicable, order the data controller to notify third parties to whom the data have been disclosed of the rectification, blocking, erasure or destruction.

(6)In determining whether it is reasonably practicable to require such notification as is mentioned in subsection (3) or (5) the court shall have regard, in particular, to the number of persons who would have to be notified.

I hope that will help you somewhat.

Kind Regards

The Mould

[bh2362]

Thank you so much mould,

This is just what I wanted. I really appreciate this.

I have a Post with shop direct I am going through the same with them

Thanks again

[bh2362]

im just about to fill in a N244 to make an application to shop direct.

 

they have ignored two requests:

 

pre-action protocals CPR 31 for the true signed agreement.

 

and for them ignoring my data protection section 10 & 12 request, on both occasions i wrote to the data controller on both responces i have recieved responces from the clerks offices complaints departments.

 

i need some hand holding how to fill on the N244 and how to fill in the witness statement.

 

B

[car2403]

I thought the N244 had to have an existing claim? I can't see how you can complete it without one and wouldn't know how to it outside of the normal Part 7 process (via N1, then N244 as an Application Notice)

 

If it is possible, I'd say that you're opening yourself up to potentially unlimited costs under CPR Part 8, as there is no monetary value to your claim/Application. Something worth considering, as it might make the situ worse?

[bh2362]

Thanks c, so what would be the best way I thought I needed to make an application for an order for them to comply with my request.

Also am applying for an order for disclosure of the true agreement.

If you know a safer way of doing it please let me know I have pushed it this far with them I want to make the application.

Are fos worth a complaint?

B

[bh2362]

Anyone ?

[car2403]

Have you suffered any damage as a result of their non-compliance?

[bh2362]

Have you suffered any damage as a result of their non-compliance?

 

It depends I haven't been able to get credit, I have a car on pcp the

Company want me to hand back the car they Won't offer me another deal

I cannot get a remortgaged.

Also my damages would be the constant writing of letters and the stress it has put me under.

Hope this would he ok

[car2403]

So it looks like the best way is to challenge them with a Court claim for a) damage to credit reputation b) costs of having to deal with them so far and c) specific performance in that you want them to comply with your request to cease processing your data.

 

Doing it the other way opens you up to untold issues that seem quite expensive to me.

[bh2362]

Ok thanks chris, so what do I do now I gave

I want to smack their bums now they have had so many chances.

Have you had any dealings with shop direct before?

 

What to do next?

 

B

[car2403]

The best thing you could do is have a look through my threads - the HFC ones are almost the same, but I had to force them to remove Defaults which shouldn't have been there.

 

Not shop direct, but they are all the same in the end.