The Information Commissioner’s Office (ICO) have conducted a two-year investigation into the handling and use of personal data held by the 3 main credit reference agencies, Experian Limited, Equifax and TransUnion. The ICO found data protection breaches within all 3 agencies citing “significant ‘invisible’ processing took place, likely affecting millions of adults in the UK”. With individuals not being aware that their personal data was being collected and used for such marketing purposes, the 3 agencies breached data protection law.
The investigation found that all 3 agencies were “trading, enriching and enhancing people’s personal data without their knowledge”, which in turn enabled some commercial organisations, political parties and/or charities to find new customers who could be identified as being able to afford the goods and services offered by each of the entities.
Failures within the agencies included: –
- The failure to be transparent
- Limited use of personal data for marketing purposes without consent
- The use of profiling to generate new or previously unknown information about people
- Website privacy statements were not clear enough in how personal data was to be used
- Some of the lawful bases for processing were being used incorrectly
Post investigation, all 3 agencies made the suggested improvements to how they handled personal data within their direct marketing services. Equifax and TransUnion also withdrew some of the products and services that breached data protection, resulting in the ICO taking no further action against them.
However, whilst Experian improved their compliance in some areas, the ICO deemed that they did not go far enough in making the desired changes to comply with data protection laws. The ICO noted “Experian did not accept that they were required to make the changes set out by the ICO, and as such were not prepared to issue privacy information directly to individuals nor cease the use of credit reference data for direct marketing purposes”.
This resulted last month (October) in the ICO giving an enforcement notice to Experian Limited, ordering them to make the required changes to comply with data protection laws. They have been given 9 months to comply and failure to do so could result in a fine of up to £20m or 4% of the firms’ total annual worldwide turnover.