British Gas tell me they can pass on my details without my permission!?

[dayglo]

I think I can help clear up some misunderstanding here.

 

First of all, as a utility supplier British Gas' supply service is NOT a regulated product as defined in the Consumer Credit Act. They do not have to conform with it in any way.

 

Secondly, and this is the bit that most people seem to miss, there a at least two sorts of 'defaults' - maybe more but we'll kepp it simple for now.

 

The first type of default is the one defined in the Consumer Credit Act 1974 section 80 something from memory. This is a gateway mechanism that allows a creditor to proceed with collection of all outstanding monies owed from a credit agreement. In this case, CCA doesn't apply so there is no reference to this type of 'default' notice.

 

The second type of default is the one that causes people harm and this is a flag or marker that is sent electronically from a data controller (or subscriber) to a Credit Reference Agency that, based on their opinion alone, you have 'defaulted' in some way and that other lenders ought to be aware of your payment history.

 

As for needing your consent to 'process' your data under the DPA, I'm afraid they are quite correct in that they do not need your consent.

 

For processing to be lawful they must meet just 1 of the set of criteria described in schedule 2. There are 6 available sets of criteria. see the link below.

 

Data Protection Act 1998

 

To move forward we need to do 2 things.

 

1) establish is this business of an exemption for BG in certain cicrumstances has any merit at all (I doubt it) and

 

2) assuming they are processing your data lawfully, establish on what grounds they are doing this.

 

Sadly, my experience of the ICO has left me rather bitter towards them (my issues i know!) and I'd be reluctant to ever rely on them to assist in helping to establish data processing scenarios in your favour.

[dayglo]

I would agree with Dayglo over the Information Commissioners Office, i do have a good relationship with two of their 'officers' they come across as decent and honest, however, that doesnt mean we shouldnt recognise the limitations imposed upon the Information Commissioners Office generally.

 

I did discuss this with one of them today but didnt have my copy of the Data Protection Act to hand so couldnt get to the bottom of it.

 

THe ICOs views as i sure you know is that the creditor doesnt need your authorisation to pass data to a third party, not that i or you im sure agree.

 

Hi Glenn, I think we've discussed this before somewhere (hazy memory) but in preparing for my upcoming hearing with v/f and reading the DPA so often I'm afraid I agree with the ICO (in fact the act is crystal clear in this regard - I just can't believe so many folk missed it in the summer) that consent is only one of 6 criteria that may be in place for processing to be lawful.

 

All any data controller needs to do is show that the conditions described in Schedule 2 Paragraph 6 are met.

 

6. - (1) The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

 

I can see almost ANY data controller claiming this as the basis for lawful processing of personal data. It's back to who has the greater legitimate interest.

[dayglo]

This is the, in my opinion, completely useless 'legal guidance' issued by the ICO on this very paragraph. (sched. 2 para 6)

 

 

The Commissioner takes a wide view of the legitimate interests condition and recommends that two tests be applied to establish whether this condition may be appropriate in any particular case. The first is the establishment of the legitimacy of the interests pursued by the data controller or the third party to whom the data are to be disclosed and the second is whether the processing is unwarranted in any particular

case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject whose interests override those of the data controller. The fact that the processing of the personal data may prejudice a particular data subject does not necessarily render the whole processing operation prejudicial to all the data subjects.

 

all it does it repeat the same basis but in a longer form!

 

Although, they tried to argue on behalf of Vodafone in my case that, they take 'other credit suppliers' interests into account as well! can you believe that? greater weight is given to companies with which a data subject has zero realtionship with and may never have, that the rights and legitimate freedoms etc of the data subject!

 

It was around this point I completely lost my rag with the ICO!

[dayglo]

i'll try to find the exact quote from my case - hope justinp doesn't mind his thread being hijacked! it's all in a good cause!

[dayglo]

here it is in context

 

14th September 2006

 

 

Reference: xxxxxxxxxxx

 

 

Dear Mr Dayglo

 

I refer to your emails of 7th September 2006 and 8th September 2006 concerning the retention of account information by the credit reference agencies.

 

You complained that the credit reference agencies are retaining and sharing information about closed accounts in contravention of the Data Protection Act 1998 (the Act). You maintained that they only have permission to hold account information for the duration of a credit agreement and that once the agreement ends so does the consent to process information about it.

 

Your argument is based on the assumption that the credit reference agencies need consent to process account information. This is not the case.

 

As you may be aware the first data protection principle states that

 

"Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless:

at least one of the conditions in Schedule 2 is met; and

in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met."

 

One of the conditions for processing in Schedule 2 is that the individual has given his consent to the processing. It is our view that consent is not easy to achieve and that organisations should consider other conditions for processing before looking at consent. No one condition carries greater weight than any other. All the conditions provide an equally valid basis for processing. Merely because consent is the first condition to appear in both Schedules 2 and 3 does not mean that organisations should consider it first.

 

Consent is not defined in the Act and so it is helpful to look back at Directive 95/46/EC which defines "the data subject's consent" as:

 

".any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed."

 

In the context of applying for credit, consent to share information with the credit reference agencies cannot be freely given. This is because if you don't agree to your data being shared then your application will simply be rejected. In other words you have no choice.

 

It is our view that the condition for processing below (Schedule 2 part 6) covers the sharing of account data with the credit reference agencies for the duration of a contract and six years beyond.

 

"The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case because of prejudice to the rights and freedoms or legitimate interests of the data subject."

 

We take a wide view of the legitimate interests and we consider that it is in the interests of other creditors to make informed lending decisions. It is important to note here that the fact that the processing may be seen by some to prejudice a particular individual (for example, someone with an adverse entry on his credit reference file may not be able to obtain credit facilities) does not necessarily render the whole processing operation prejudicial to all individuals.

 

The Act does not prescribe the period for which information is retained by credit reference agencies. However we understand that the Crowther Report on Consumer Credit 1971 expressed support for the view that a statutory time limit should be considered and suggested a period of six years should be adopted. At the time this was already the practice common to some of the major credit reference agencies. The Younger Committee on Privacy considered that as the prevailing practices of the agencies were coordinated, there was no immediate necessity for statutory recommendations to be made but prepared the ground for the Data Protection Act 1984 by recommending that periods should be specified beyond which the information should not be retained.

 

The fifth data protection principle states that "Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes."

 

Account information is held by the credit reference agencies for a period of six years after the account was last active. It does appear to be the case, at least at the present time, that in addition to current credit commitments the preceding six years of an individual's credit history is taken into account by credit grantors when applications for credit facilities are assessed. As a consequence this historical information would appear to be relevant to the purpose of credit referencing and by holding this information the agencies would not appear to be in breach of the fifth principle.

 

I trust that this has clarified our position.

 

Yours sincerely

 

xxxxx xxxxxxx

Casework and Advice Manager

[dayglo]

Congratulations Justin. A victory for for rational thinking and mathematics i think. nice one.