General Information Notice to Experian's ID&F Customers
Version: 1 Adopted: 20 April 2018
NOTE: This notice provides information on changes that Experian will be implementing with effect from the 25th May 2018, which is the effective date of the General Data Protection Regulation (or the GDPR).
Experian’s ID&F Business operates as a Fraud Prevention Agency (FPA) which collects, maintains and shares, data on known and suspected fraudulent activity. This document describes at a very high level how Experian uses and shares personal data within its Identity and Fraud business (‘ID&F’). If you would like more detailed information on this processing, please visit www.experian.co.uk/crain.
This document answers these questions:
- What does Experian’s ID&F business use personal data for?
- What are Experian’s legal grounds for handling personal data in relation to its ID&F business?
- What kinds of personal data does Experian’s ID&F business use, and where does it get it?
- Who does Experian share personal data with?
- Where is personal data stored and sent?
- For how long is personal data retained?
- What can I do if I want to see the personal data held about me?
- What can I do if my personal data is wrong?
- Can I object to the use of my personal data and have it deleted?
- Can I restrict what Experian does with my personal data?
- Who can I complain to if I’m unhappy about the use of my personal data?
- Where can I find out more?
(a) Verifying data like identity, age and residence, and preventing and detecting
criminal activity, fraud and money laundering
(b) Account management
(c) Tracing and debt recovery
(d) Statistical analysis, analytics and profiling
(e) Database activities
(f) When acting as an FPA, Experian may supply the data received from lenders and creditors about individuals and their financial associates and their business (if they have one) to other organisations. This may be used by them and Experian to: -
- Prevent crime, fraud and money laundering
- Verify an individual’s identity if an individual or their financial associate applies for facilities including all types of insurance proposals and claims.
- Trace an individual’s whereabouts and recover debts that they owe.
- Conduct other checks to prevent or detect fraud.
- Undertake statistical analysis and system testing.
- other purposes where that individual has given consent or where required or permitted by law.
The UK’s data protection law allows the use of personal data where its purpose is legitimate and isn’t outweighed by the interests, fundamental rights or freedoms of data subjects. The law calls this the Legitimate Interests condition for personal data processing. The Legitimate Interests being pursued by Experian’s ID&F business are:
(a) Promoting responsible lending and helping to prevent over-indebtedness.
(b) Helping prevent and detect crime and fraud and anti-money laundering services and verify identity
(c) Supporting tracing and collections
(d) Complying with and supporting compliance with legal and regulatory requirements
Experian’s ID&F business obtains and uses information from different sources, so it often holds different information and personal data from each other. However, most of the personal data they do hold falls into the categories outlined below;
(b) Lender-provided and creditor provided data
(c) Fraud prevention indicators
(d) Gone Away Information Network indicators
(e) Search footprints
(f) Other Supplied Data (phone number data and politically exposed persons (PEPs) and sanctions data.)
(g) Other derived data (address links, aliases, financial associations and linked people, and flags and triggers
(h) Data provided by the relevant people
(a) Fraud Prevention Agencies
(b) Resellers, distributors and agents
(c) Other organisations - Some data, where permitted in accordance with industry rules or where it’s public information, can be shared with other organisations that have a legitimate use for it - ID verification services, for example.
(d) Public bodies, law enforcement and regulators
(e) Processors (where Experian uses other organisations to perform tasks on their behalf (for example, IT service providers and call centre providers).
(f) Individuals (People are entitled to obtain copies of the personal data Experian hold about them. You can find out how to do this in Section 7 below.)
Experian is based in the UK, and keeps its main databases there. It has operations elsewhere inside and outside the European Economic Area, and personal data may be accessed from those locations too. In both cases, the personal data use in those locations is protected by European data protection standards.
Sometimes Experian will need to send or allow access to personal data from elsewhere in the world. This might be the case, for example, when Experian’s processor or client is based overseas or uses overseas data centres.
While countries in the European Economic Area all ensure a high standard of data protection law, some parts of the world may not provide the same level of legal protection when it comes to personal data. As a result, when Experian does send personal data overseas it will make sure suitable safeguards are in place in accordance with European data protection requirements, to protect the data. For example, these safeguards might include:
- Sending the data to a country that’s been approved by the European authorities as having a suitably high standard of data protection law. Examples include the Isle of Man, Switzerland and Canada.
- Putting in place a contract with the recipient containing terms approved by the European authorities as providing a suitable level of protection.
- Sending the data to an organisation which is a member of a scheme that’s been approved by the European authorities as providing a suitable level of protection. One example is the Privacy Shield scheme agreed between the European and US authorities. Another example is Binding Corporate Rules.
If your data has been sent overseas like this, you can find out more about the safeguards used by Experian, by contacting Experian as follows;
|By Post:||Experian, PO BOX 9000, Nottingham, NG80 7WF|
|Phone:||0344 481 0800 or 0800 013 8888|
Identification data like names and addresses are kept while there’s a continuing need to keep it. This need will be assessed on a regular basis, and data that’s no longer needed for any purpose will be disposed of.
Experian keeps most search footprints for one year from the date of the search, although it keeps debt collection searches for up to two years.
Other third party supplied data such as politically exposed persons (PEPs) and sanctions data and mortality data will be stored for a period determined by criteria such as the agreed contractual terms.
Experian may hold data in an archived form for longer than the periods described above, for things like research and development, analytics and analysis, (including refining lending and fraud strategies, scorecard development and other analysis such as loss forecasting), for audit purposes, and as appropriate for establishment, exercise or defence or legal claims. The criteria used to determine the storage period will include the legal limitation of liability period, agreed contractual provisions, applicable regulatory requirements and industry standards.
Data access right
You have a right to find out what personal data Experian holds about you. Experian provides more information about access rights on its website.
To get online information: http://www.experian.co.uk/consumer/contact-us/index.html
To make a request by post:
NOTE: The information in this document will be effective from the Adopted Date set out on the first page, except for the information in this Section 9 (data portability right), and in Sections 11 and 12. These Sections provide information on new rights that will only come into effect from the 25th May 2018, which is the effective date of the General Data Protection Regulation (GDPR).
When Experian receives personal data, they perform lots of checks on it to try and detect any effects or mistakes. Ultimately, though, Experian relies on the suppliers to provide accurate data. If you think that any personal data Experian holds about you is wrong or incomplete, you have the right to challenge it. It’s worth knowing that Experian won’t have the right to change the data without permission from the organisation that supplied it, so the Experian will need to take reasonable steps to check the data first, such as asking the organisation that supplied it to check and confirm its accuracy. If the data does turn out to be wrong, Experian will update its records accordingly. If Experian still believes the data is correct after completing their checks, they’ll continue to hold and keep it - although you can ask them to add a note to your file indicating that you disagree or providing an explanation of the circumstances. If you’d like to do this, you should contact Experian using the contact details in section 7 above.
NOTE: The information in this document will be effective from the Adopted Date set out on the first page, except for the information in Sections 9, (data portability right), this Section 11 and in Section 12. These Sections provide information on new rights that will only come into effect from the 25th May 2018, which is the effective date of the General Data Protection Regulation (GDPR).
This section helps you understand how to use your data protection rights to object to your personal data being used and how to ask for it to be deleted. To understand these rights and how they apply, it’s important to know that Experian's ID&F business holds and processes personal data under the Legitimate Interests ground for processing (see section 2 above for more information about this), and don’t rely on consent for this processing. You have the right to lodge an objection about the processing of your personal data to Experian. If you want to do this, you should contact Experian using the contact details set out in section 6 above. Whilst you have complete freedom to contact Experian with your objection at any time, you should know that under the General Data Protection Regulation, your right to object doesn’t automatically lead to a requirement for processing to stop, or for personal data to be deleted, in all cases.
Please note that, because of the importance of the credit referencing industry to the UK’s financial system, and the important purposes the personal data is needed for (like supporting responsible lending, and preventing over indebtedness, fraud and money laundering) it will be very rare that Experian do not have compelling, overriding grounds to carry on using the personal data following an objection. In many cases, it won’t be appropriate for Experian to restrict or to stop processing or delete personal data, for example, where the result would be to hide a poor credit history that could enable a person or organisation to get credit they otherwise wouldn’t be eligible for.
NOTE: The information in this document will be effective from the Adopted Date set out on the first page, except for the information in Sections 9, (data portability right), Section 11 and in this Section 12. These Sections provide information on new rights that will only come into effect from the 25th May 2018, which is the effective date of the General Data Protection Regulation (GDPR).
In some circumstances, you can ask Experian to restrict how they use your personal data. Your rights are set out at Article 18 of the GDPR. You can find Experian’s contact details in section 7 above.
This is not an absolute right, and your personal data may still be processed where certain grounds exist. This is:
- With your consent;
- For the establishment, exercise, or defence of legal claims;
- For the protection of the rights of another natural or legal person;
- For reasons of important public interest.
Only one of these grounds needs to be demonstrated to continue data processing. Experian will consider and respond to requests it receives, including assessing the applicability of these exemptions. Please note that given the importance of complete and accurate credit records, for purposes including for responsible lending, it will usually be appropriate to continue processing credit report data -in particular, to protect the rights of another natural or legal person, or because it’s an important public interest of the union or member state.
Experian tries to deliver the best customer service levels, but if you’re not happy you should contact it so it can investigate your concerns.
|Credit reference agency||Contact details|
Post: Experian, PO BOX 8000, Nottingham, NG80 7WF
Email: email@example.comPhone: 0344 481 0800 or 0800 013 8888
If you’re unhappy with how Experian has investigated your complaint, you have the right to refer it to the Financial Ombudsman Service (Ombudsman) for free. The Ombudsman is an independent public body that aims to resolve disputes between consumers and businesses like Experian. You can contact them by:
- Phone on 0300 123 9 123 (or from outside the UK on +44 20 7964 1000)
- Email on firstname.lastname@example.org
- Writing to Financial Ombudsman Service, Exchange Tower London E14 9SR
- Going to their website at http://www.financial-ombudsman.org.uk/
You can also refer your concerns to the Information Commissioner’s Office (or ICO), the body that regulates the handling of personal data in the UK. You can contact them by:
- Phone on 0303 123 1113
- Writing to them at Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF
- Going to their website at http://www.ico.org.uk/
The work Experian does is very complex, and this document is intended to provide only a concise overview of the key points. More information about Experian and what it does with personal data is available at the following locations:
The Information Commissioner’s Office also publishes advice and information for consumers in its Credit Explained leaflet, available at