CAG CRA S.A.R Club

[sosumi]

This thread got so long I can't keep track - problem is I find stuff, link to it then get completely sidetracked! ;-) I'm pretty sure Dobbydog was near the beginning of the thread and several others. Also the Experian (tracing) link was recent. I shall go hunt for it now.

[sosumi]

We'll be seeing you in 5 hours then! :lol:

... I'm still ere Just found Dobbydog for Seahorse:

http://www.consumeractiongroup.co.uk/forum/debt-collection-industry/112671-cag-cra-r-club-2.html?highlight=Dobbydog#post1107883

Shall now look for the luvverly (not) Hexperian...

I shall be 800 years old according to my posts, very shortly. I can do it...

[sosumi]

Hexperian's own version of a spiv selling data on street corners:

http://www.consumeractiongroup.co.uk/forum/debt-collection-industry/112671-cag-cra-r-club-25.html?highlight=Autotrace#post1303825

[sosumi]

Helloo CallCredit:

Callcredit - Consumer Credit Referencing - Skipton Building Society

Over the years, the Society's customer base has grown to accommodate the needs of many thousands of people, with 80 branches across the UK and Skipton Group is now comprised of 13 companies, with expertise across the credit, finance and e-commerce industries; Amber Credit plc, Callcredit Limited, Connell Limited, EuroDirect Database Marketing Limited, GMAP Limited, Homeloan Management Limited, Pink Homeloans, Savings Management Limited, Skipton Financial Services Limited, Skipton Guernsey Limited and Skipton Mortgages Limited.

[sosumi]

- and 'heyup' Equifax Corporate:

Business Solutions Home

- gosh, so many businesses in there!! But, my most fave of the three is...

[sosumi]

yes it's this:

Experian - Principal activities

So many activities. So very very many activities. All based on data.

 

So, 3 Credit Reference Agencies. Making a pretty good living from data. Whose data would that be then???

[sosumi]

- Good on you Seahorse

[sosumi]

First they sacked computer engineers (outsourcing to India), now they're getting rid of 100 managers.

www.thisisnottingham.co.uk

Then there's this - Times Online April 6:

(from here

Experian to track net users

 

James Ashton

 

EXPERIAN, the credit checking company, is braving mounting concerns over internet privacy with plans to launch a service that will track broadband users’ activity so they can be targeted with advertising.

Through Hitwise, the web-site company it acquired for £120m a year ago, Experian has held talks with internet service providers to sell its monitoring technology.

Observers expect it to compete in part with Phorm, an AIM-listed company that has stirred controversy after being recruited by BT, TalkTalk and Virgin Media to track their 10m customers’ behaviour so they can be sent advertising messages on the websites they are looking at.

However, the key difference is that Hitwise, which describes itself as an “online competitive intelligence service” would play little part in dispatching the advertising to web pages itself, something that Phorm does through its Open Internet Exchange.

“Hitwise is not in the online behavioural targeting business,” a spokesman said.

Phorm’s shares have tumbled 36% since it unveiled its three key clients in February, partly because of a £32m fund-raising for overseas expansion.

Last week, BT was drawn into the privacy row when it admitted to carrying out secret trials of the Phorm technology in late 2006. Jonathan Groo-cock, an analyst at Investec, thinks a revenue sharing model could bring in an extra £85m of sales to BT.

Another trial to be carried out shortly by the two companies will be monitored by the Information Commissioner’s Office, which said: “Clearly the trial should reveal whether this is a service that web users want, whether it is privacy friendly and that users are comfortable with the privacy safeguards put in place by Phorm.”

Kent Ertugrul, Phorm’s chief executive, insists that it tracks users anonymously, replacing their identities with random numbers that are dropped once an ad has been sent. Unlike “cookies” dispatched by many websites to track behaviour, it can also be switched off.

The company has recruiteda heavyweight board, including David Dorman, the former boss of AT&T and Christopher Lawrence, the vice-chairman of Rothschild.

Experian, once part of GUS, is best known for trawling public records and selling the data to banks and retailers.

[sosumi]

Then there's Lower My Bills, a 'service' provided by Experian:

Online Price Comparison - LowerMyBills.co.uk

and About Us - LowerMyBills.co.uk

Compare a Mortgage, anyone:

Compare Mortgages - LowerMyBills.co.uk

and here's the form they provide. Scroll down and see what they want from you:

https://www.lowermybills.co.uk/mortgages/mortgages-form.html

[sosumi]

Contributors to this thread might like to look at sparkie's thread. He has an ongoing battle with RBOS.. but is now going after Experian in a big way. This link should take you to the correct post but if it doesnt it is # 491

 

 

http://www.consumeractiongroup.co.uk/forum/royal-bank-scotland/56333-big-claim-aginst-rbos-25.html#post1538794

Great stuff CitizenB, many thanks for the link. xx

[sosumi]

I love this site!!

[sosumi]

Thanks again CitizenB, have just subscribed

[sosumi]

Hi Allwood, Sparkie

I really can't stop but just wanted to say that my complaint about BCW's 'trace' on mine and hubby's Equifax CRF is now in the hands of the Financial Ombudsman. I've had a 'Without Prejudice' apology from APEX (ie. BCW's former Stratford office'. Frankly, they can apologise all they like but it won't stop me from taking this further.

I haven't time to stop now but I admire both of you for taking this on, and hope to join you very soon. I'm very very suspicious of the relationship between DCAs and CRAs and agree that it needs challenging.

[sosumi]

If I wanted to S.A.R - (Subject Access Request) a Credit Reference Agency - Experian is the one I have in mind right now, as "SCOR – Access to full data is now available to all DBSG Members. Get maximum benefit." - will be a Focus Session led by the Director of Regulatory Affairs, Experian, at a beanfeast for Debt Collectors everywhere in September... And Experian - aka 'CreditExpert' is advertising everywhere with it's one month 'free trial' for Consumers all over the World Wide Web it seems...

So, if I wanted to get all of the information they hold about me, including who they have divulged ('shared') this information with, and why - as I think is my right, how would I word the request, anyone?

I'm thinking it will cost me £10.00.

I'm thinking it would be worth it.

Debt collectors appear to have more access to data about me than I do.

After that it'll be Experian and CallCredit. But Experian seems the most timely right now.

Any help with the wording would be much appreciated!

Okay, I'm going right back to the beginning here - I'll requote your last post Allwood, but I need to focus on what the point of this thread was and what I subsequently discovered. I also have to catch up properly - feels like a mammoth task!!

[sosumi]

As promised Allwood - hopefully this will have a green arrow icon on it now

Jon, I was mainly referring to you Jon or Sparkie that is going to take this company to task but as I am not sure how to send a PM to people, I will post the draft on here.

Dear

 

Further to our telephone conversation of [date]regarding my Subject to Access data bundle documents that I received from Equifax [date]

 

As discussed on the phone [date] there are two organisations names in the bundle of data that I received from you [name of DCA's] and also I note that those two organisations was on my last my last that I got from Equifax and this concerns me greatly. I would be grateful if you would let me have the copies of the documentation(s) that was provided to Equifax to allow you to give access to those two organisations into see my personal data file with Equifax.

 

I should also take this opportunity to remind you that you website says: ..."Please note that we do not disclose any of your information to third parties, except as required by law". Therefore please let me know what law that Equifax relied on to allows those two organizations to access my data file with my consent or knowledge.

 

Yours sincerely

 

Copy to:

Information Commission Officer

Wycliffe House, Water Lane

Wilmslow, FK9 4AF

[sosumi]

I had a conversation with Experian a while ago and they told me they were going to ensure all DCA's had a Credit Agreement who supplied info to the CRA's before they logged any information on their systems - I was wondering how long that might actually take to achieve knowing how difficult this is.

 

The picture is a much bigger one and these practices by DCA's should be stopped, just like the nonsense they keep pouring out about not having a responsibility to provide a copy of an agreement on a CCA request because they bought the debt under the Law of Property Act 1925. It has to be stopped because 95% of people getting this rubbish do not come on here to know any different.

 

Sarah

It is the bigger picture that bothers me Sarah.

I remember reading this before, that Experian was going to ensure that only legitimate info. was/is logged onto their systems, and my reaction then was as it is now - "yer what?":eek:

So they weren't bothered before???

This is a bloomin minefield, the whole thing. A group of 'clubs' sharing information freely, without legitimate consent...

it feels a bit Masonic IMO.

I'm not going to wait around for Experian, Equifax or CallCredit to decide that maybe the consumers have a point about who has access to the personal information they collate, and use, and sell.

As we've all said, we are the lucky ones as we've discovered CAG. For every one of us there are maybe thousands of other people getting threatening letters and/or harassing phone calls from 'rogue DCAs' 'phishing' - it appalls me!

My information is my information. If I've previously agreed with a Creditor to have my information shared on a database to help other creditors make informed decisions, then so be it. But if I ask, I expect to receive proof that I agreed to it.

I most certainly did not agree to have my personal information kept in a set of records to be shared with a gang of thieves! (aka DCAs!)

.. Whoops a little rant there, but hopefully you'll understand!

[sosumi]

Here's a snippet of the apology I received from APEX (formerly Buchanan Clark and Wells) Stratford:

"... I understand that you are unhappy with trace search that was undertaken on your account. Your account was placed with us by Lloyds TSB to collect an outstanding amount.

... When a debt is placed with ourselves we will undertake various functions to ensure we contact our customer's quickly and efficiently to enable us to assist them with their personal situation. One of these functions is to verify the address details by searching the Credit Reference Bureau's, which was the case on your account..."

We have lived in this house for 25 years. No 'verification' required BCW/APEX - and you knew it!

"... sincere apologies for any confusion this matter has caused...

"Apex Credit Management Ltd consider the service we provide of the up-most importance and as a Company we pride ourselves in Service Excellence..."

hmmm...

Well never mind, it's all gone to the Financial Ombudsman now.

[sosumi]

Experian's 'Marketing Information'

This has been described as a red herring in the past, but I don't think so.

This was provided as a separate section in the SAR from Experian. Front page headed thus:

"This section contains information taken from our marketing database. The information will provide an indication of how your details have been obtained.

This information will be used for the purposes of direct mail marketing."

Now what follows in this section are a list of codes they didn't provide a glossary for, but they 'searched through the prospect sources held in EIM (National Canvasse, Lifestyle, Club Canvas for this person and they are on our National Canvasse file, sourced from a lifestyle survey..

Details from the lifestyle file, of positive answers:

There's a list of codes that do look like they're from a survey. Things like this:

000313 CHAR-CONC-ORGN-AGE CONCERN

000315 CHAR-CONCERN-ORGN-AMNESTY INTERNATIONAL

 

So yes they're pretty obvious. Neither hubby or I have refused to take part in surveys, saw no need to, often took pity on people with clipboards looking foolish in the city centre etc. Early last year I enrolled on several 'survey sites' for which they paid vouchers or Nectar points. Bad idea BTW:rolleyes:

 

But then another subsection:

THE FOLLOWING ARE FREEFORM ANSWERS

And this is where it gets interesting. The codes have figures or words beside them. Although they're in roughly the same list format, the 'responses' are clearly from different sources, and look as though they're used in different ways, hence 'freeform'

Our Postcode is on several entries.

Also phone numbers (we've changed from BT to Cable and back again, so there are several)

But lookee here:

00031 PRIM-DPAT-FLAG-DATE RECORD LAST UPDATED 19980901

in other words, this info was last updated on the 9th January 1998. As I requested the SAR last year, this information has been on their records for 9 years minimum.

This info also has my date of birth, and also the entry:

000085 PRIM-DPAT-FLAG-OUTPUT GONE AWAY N

- So, I haven't 'gone away'.

In fact, when you look at the list of codes and their responses, I'd say this is the real 'gold' for data miners. As Experian says, this information is used for the 'purposes of direct mail marketing'. 'Marketing' suggests to me that it would be available to far more than creditors.

I wish I could photocopy the lists, but the truth is there are codes within codes so I wouldn't be sure what personal information I'd be broadcasting. I can see that some of it has come from Insurance Companies, but I'm not sure about the rest.

They even have Gas and Electric meter numbers!

And why, for 'direct mail marketing' would they have a line detailing CCJ Surname and Initial Level - which is a 'N' BTW, but again, why?

[sosumi]

Hope you do not mind me asking this Sosumi but did they have any agreement or other documents that verified their statement.

 

As you can see, from my previous posting that Barclays said that they had nothing on me only old internal statements, we might as well give up if they are allowed to get away with this.

 

As said by another CAG member, why have three CRA's most European countries only have on and I note that BCW is also got an outlet one those counties that has one CRA and is managed by the government.

No, no agreements Allwood. In fact, at the time BCW put the 'trace' on mine and hubby's Equifax reports, BCW were chasing me as the sole account holder. Their trace was conducted the very day they received my CCA request. And like I say, the trace was put on both our reports.

They won't get away with it for much longer Allwood. I know it's disheartening, but we will find a way through this.

[sosumi]

Fraud, Undue Enrichment and Data Protection.

DougalT has been writing about the Fraud Act, JonCris about Undue Enrichment, we've all been talking about Data Protection...

Just thoughts - back later

[sosumi]

Taken from here:

Corporate Compliance Page - DPA 1998

Data Protection Act 1998

 

Background

 

The Data Protection Act 1998 (DPA) is a law that governs the use of individuals' personal data. The 1998 Act came in to force in 1st March 2000 and replaced the Act of 1984.

To obtain a full copy of the DPA please go to Office of Public Sector Information

Every UK-based business holding personal information must register and comply with the DPA. Consumers are now more aware of their rights and an organisation's obligations as to the use of their personal data. Businesses now rely heavily on retaining long-standing customers and so must show priority to the security and use of personal information. Therefore ignoring these responsibilities can have serious consequences commercially and could seriously damage a company's reputation.

The Information Commissioners Office

 

The Information Commissioner, currently Richard Thomas, regulates the DPA and his key responsibilities are also outlined in the DPA The Information Commissioners Office, the ICO, also holds and maintains the Data Protection Register which contains a list of all companies who hold personal information, as well as stating their purposes for the use of the information.

Companies can register with the ICO online at: Information Commissioner's Office - ICO or by telephone on 01625 545740. The cost of the licence is £35 per year and can be paid by Direct Debit. The ICO also offers full guidance on issues relating to the DPA for businesses and helpful guidance for consumers. Once again details can be found on their website.

The ICO launched their Annual Report on the 14th July 2004 – a full version of which can be seen by clicking on the link below:

ICO Annual Report

Requirements under the DPA

 

The DPA is made up of 8 main principles. In summary these are:

 

• Data shall be processed fairly and lawfully
  
• Data shall be processed for a limited purposes
  
• Data should be adequate, relevant and not excessive
  
• Data should be kept accurate
  
• Data should not be held for longer than necessary for the purposes
  
• Data should be processed in accordance with the Data Subjects Rights
  
• Data should be secure
  
• Data should not be transferred to countries outside of the European Economic Area (EEA) without adequate protection
  

Definitions of Terminology under the DPA

 

"Personal Data" – any personal information relating to living identifiable individuals that is processed automatically. Any personal information, which although held in non-automated form, is readily accessible because the information is stored in a structured filing system.

"Sensitive, Personal Data" – such as political opinions, religious beliefs, ethnic origin, health information, sexual life, criminal convictions or membership of a trade union, require a Data Controller to establish higher levels of justification before such data can be processed lawfully.

"Processing" – relates to any activity performed on the personal data including use, disclosure, storage or collection of personal data.

"Data Controller" – is the name for an organisation that is ultimately responsible for the processing; the person who controls and benefits from the processing activity.

"Data Processor" – is any service provider who, in order to deliver services to the Data Controller, processes personal data on behalf of that Controller.

"Data Subject" – is the individual about whom the personal data relates; individuals who are customers, contacts or clients of a Data Controller are also Data Subjects.

Principle One - Fair and Lawful Processing -

 

When determining if data processing is fair a Data Controller would have to consider the consequences of the processing to the Data Subject as well as ensuring it is for a legitimate business purpose. Lawful processing would be any that complies with relevant law whether derived from statute or common law. Principle One also states that data should not be processed unless at least one of the conditions in Schedule 2 is met, or in the case of Sensitive personal data, one of the conditions in Schedule 3 is met:

Conditions of Schedule 2

Consent

Consent is defined in the Act as, ".. Any freely given specific and informed indication of his wishes by which the Data Subject signifies his agreement to personal data relating to him being processed."

Necessary

Processing would be deemed necessary if it would enable the Data Controller to comply with any legal obligations to which they are subject. Or if it is in the Data Subjects vital interests.

Conditions of Schedule 3

These are identical that that of Schedule 2 but relate specifically to sensitive personal data. Therefore specific consent would need to be obtained from the Data Subject. The Data Controller would also need to give special consideration as to whether or not the processing of sensitive personal data is necessary.

Principle Two – Limited Purposes -

 

Data must be processed within the specified purpose(s). Data Controllers must specify the purpose(s) of their data processing in a notice to the Data Subject and through notification to the ICO. Usually notification to the Data Subject is carried out through the consent and fair obtaining clauses.

Principle Three – Adequate, Relevant and not Excessive -

 

This Principle applies to the type of data held and ensuring that it is adequate in relation to the purposes of processing. The Data Controller would need to consider factors such as the number of individuals on whom the data is held and weigh this against the number of individuals on whom the data is actually processed. As well as the nature of the personal data and the way it was obtained.

Principle Four – Data Accuracy -

 

Personal data must be accurate in that it must not be "factually misleading". A Data Controller would need to take steps to ensure data accuracy as well as ensuring procedures are in place for amending or updating the data when necessary. In essence a Data Controller must not knowingly hold inaccurate personal data on an individual.

Principle Five – Data should not be held longer than necessary -

 

Under this Principle a Data Controller must review their personal data regularly and delete the information that is no longer required for their purposes. The industry standard for the length of time credit related data should be held is six years. However each Data Controller needs to assess individually the type of data they hold and make a commercial decision based upon whether or not the data is still required for their own data processing.

Principle Six – Data Subjects Rights -

 

A Data Controller would contravene this principle if they failed to supply information following a Subject Access Request from the Data Subject and if they fail to comply with the most common notices under the act. These are:

 

• Section 10 – 'Right to prevent processing likely to cause damage or distress'
  
• Section 11- 'Right to prevent processing for the purposes of direct marketing'
  
• Section 12 – 'Rights in relation to automated decision taking'
  
• Section 12A - 'Right to require data controller to rectify, block, erase or destroy inaccurate or incomplete data'
  

Principle Seven - Data Security -

 

Under this Principle a Data Controller has to ensure that appropriate technical and organisational measures are in place to prevent unlawful access to and accidental damage or destruction of personal data. This would apply to areas of the business such as the security access to information, ensuring a Disaster Recovery Plan is in place, staff selection and training and having systems in place to detect and deal with breaches of security.

Principle Eight – Transfer of Data -

 

Personal data is not to be transferred to a country or territory outside the European Economic Area (EEA) unless that country or territory ensures, an adequate level of protection. The Eight Principle will not be breached where the transfer is to a country or territory that the European Commission has deemed 'adequate'.

An up to date list of 'adequate' places can be found at: Universal HTTP Redirector

[sosumi]

Not trying to teach grandma to suck eggs I promise , and if this is repeated earlier I apologise in advance, but these pages are directly from CallCredit's Compliance Webpages, and I think they're all valuable. These pages might also remind some peeking DCAs just how criminal their activities have been. I'm taking the pages one by one:

Personal Credit Report - Credit Score - Credit Reporting - Consumer Services

Edited June 8, 2008 by sosumi
tidying! ;)

[sosumi]

Could you link to the pages, rather than posting them up, and explain their relevance, sosumi?

 

Just trying to keep the forum nice and tidy.

.. Just caught me in time Car, I'm rushing!

[sosumi]

Can't stop will be back to edit and link later - and more tidily!

[sosumi]

Okay for me this seems the big one, The Fraud Bill, directly from CallCredit's Corporate Compliance pages, here:

Personal - Credit Score - ing - Consumer Services

This is what Dougal16T (here) has been writing about here on several threads. I'll try and link up properly later.

Bearing in mind that CallCredit's description is aimed at a Corporate audience, and is therefore using individuals as examples. I really think we need to turn these examples round, and look at the way in which DCAs conduct their 'business'.

 

CallCredit are very reasonably explaining the Laws on these web pages. For that, they should be commended. But I find it ironic all the same.

DCAs thrive on fraud and extortion. They make a living out of deception. Should they be allowed any kind of access to our data? NO!

Edited June 8, 2008 by sosumi
added Dougal's link re. Fraud :)