Latest Guidance Note on Defaults - 3 July 2008
The credit industry works closely with the Information Commissioner's Office to agree the content of the Guidance Note on Defaults, the latest of which was published on the Information Commissioner's website (see Technical Guidance Note - Filing defaults with credit reference agencies) in September 2007, but for ease of reference it can be accessed here: Filing defaults with credit reference agencies.
Consumer chatroom advice on data retention
Comments have been posted on message boards hosted on some consumer websites suggesting that it is unlawful for Experian to hold consumer credit file data after an account has been closed. We disagree.
In general, Experian hold such data for 6 years after the account has closed, as do the two other UK credit reference agencies. Experian is fully satisfied that this practice is compliant with the Data Protection Act 1998, and this view is shared by the regulatory body, the Information Commissioner's Office.
A letter confirming the Information Commissioner's position is below.
This information may also be found on the ICO website under the section with advice for the public on credit.
The Data Protection Act 1998
The Data Protection Act 1998 came into force on 1 March 2000, replacing the Data Protection Act 1984 and implementing the European Data Protection Directive. The issue features increasingly in public awareness: the Information Commissioner's Annual Report indicates that nearly three-quarters of all UK adults are concerned about the amount of personal details being stored electronically, and 96% rate their right to personal privacy as important.
All UK-based businesses are required to comply with the Act, irrespective of whether they were registered as 'Data Users' under the previous regime, and we ignore the Act at our peril. Experian's research reveals that many small companies remain unaware of their obligations when it comes to processing and managing personal data, and many lack appropriate systems for making data accessible to the individuals concerned, which is a condition of the Act.
Organisations could face commercial, legal and reputational damage if they fail to meet their privacy obligations. It is becoming increasingly obvious that commercial success and consumer confidence in an organisation's use of their data are closely aligned. Data protection is an investment not a cost and should be viewed as such in our Boardrooms.
What are the principal changes under the Act?
In outline, the main changes to the 1984 Act brought in under the 1998 legislation include:
- a new comprehensive definition of processing;
- its extension to cover manual records;
- new criteria for fair processing;
- new Data Protection Principles;
- enhanced individual rights;
- its application in respect of data transfers outside the EEA.
What Data are covered?
All personal data relating to living identifiable individuals are covered, including data relating to opinions and intentions.
It is important to remember that the Act also applies to sole traders, partners, directors and shareholders.
There are also provisions covering Sensitive Personal Data, such as racial or ethnic origin and criminal convictions, which have more stringent consent requirements.
Manual records include "relevant filing systems" covering paper files, card indexes and microfiche systems. To be caught by the Act these manual files must be structured and accessible; files that are merely in date order or of a general nature are not sufficiently structured to fall under its provisions. These manual records also need to relate to particular individuals and specific subject matter.
The Data Controller is the person or organisation who determines the purpose and manner of the processing. The Data Processor is any person or organisation (other than an employee of the Data Controller) who processes the data on behalf of the Data Controller.
Central to compliance with the Act is processing in accordance with the eight data protection Principles. It is important to note the changes to these Principles compared with the 1984 Act. In summary, the Principles require data to be:
- Fairly and lawfully processed
- Limited for purpose
- Adequate, relevant etc
- Accurate
- Not kept longer than necessary
- Processed in accordance with the Data Subject's rights
- Secure
- Not transferred to non-EEA countries without adequate protection
What is processing?
Under the Act, "processing" means obtaining, recording, holding, disclosing or carrying out any operation or set of operations on the data. The Act effectively puts in place cradle-to-grave protection of an individual's personal data.
To be "fairly obtained" it will be necessary to explain who you are, the purpose of the processing, including disclosure to third parties, and any other information which is required to be divulged in order to make the processing fair.
In most cases there needs to be freely given, specific and informed consent from the data subject to their data being processed, for example on an application form. However, one of a number of other conditions could apply to make the processing "fair and lawful", depending on the particular circumstances.
Principal rights include:
- Right of subject access (section 7)
- Right to prevent processing likely to cause substantial damage or distress (section 10)
- Right to prevent processing for the purposes of direct marketing (section 11)
- Rights in relation to automated decision taking (including the right to be informed of the logic behind any such decisions) (section 12)
- Right to take action for compensation (section 13)
- Right to take action to rectify, block, erase or destroy inaccurate data (section 14)
- Right to ask the Commissioner to assess whether the Act has been contravened (section 42)
It is important to remember that when interpreting the rights of data subjects, the Information Commissioner must also take into account Article 8 of the European Convention on Human Rights, which is embodied in the Human Rights Act. Data Protection is very much an aspect of the individual's right to privacy.
Transfers of data outside the EEA
Under the Act transfers of personal data outside the EEA and certain designated countries are allowed only if there is adequate protection. Adequacy must take account of all circumstances of a particular transfer.
However, there are a number of derogations in the Act, for example where data are transferred outside the EEA with an individual's consent or where a robust contract is used along the lines of the model contracts prepared by the EC. For transfers to the US, if the company has signed up to the Safe Harbor agreement, the transfer will be deemed to be adequate.
Powers of the Information Commissioner
The Information Commissioner has a very broad statutory duty to promote good practice, in other words, not only to ensure compliance with the Act, but to go beyond this into the spirit of the legislation.
Section 51 of the Act covers the Commissioner's duties in respect of awareness; promotion of good practice; issuing Codes of Practice; and assessment of processing. In respect of Codes of Practice, a CCTV Code has been issued as have parts of the Employee Code.
It should be remembered that the Act creates criminal offences under Section 55 for the unlawful obtaining of personal data, and introduces a number of broad offences and sanctions, including Enforcement Notices, powers of entry and inspection, and corporate and individual liabilities leading to criminal sanction. Individuals can also sue for compensation through the Civil Courts.
Finally, although the Commissioner has no power of audit under the Act, by virtue of Section 51(7) he can, with the consent of the Data Controller, assess whether processing follows good practice.
Download the Information Commissioner's Office Guidance on Defaults (pdf)
Disclaimer: The information contained on this webpage is provided for general guidance only. It is not intended to provide you with professional advice nor is it intended to substitute you obtaining professional advice.
