NOTE: This notice provides information on changes that Experian will be implementing with effect from the 25th May 2018, which is the effective date of the General Data Protection Regulation (or the GDPR).
Experian’s ID&F Business operates as a Fraud Prevention Agency (FPA) which collects, maintains and shares, data on known and suspected fraudulent activity. This document describes at a very high level how Experian uses and shares personal data within its Identity and Fraud business (‘ID&F’).
This document answers these questions:
(a) Verifying data like identity, age and residence, and preventing and detecting criminal activity, fraud and money laundering
(b) Account management
(c) Tracing and debt recovery
(d) Statistical analysis, analytics and profiling
(e) Database activities
(f) When acting as an FPA, Experian may supply the data received from lenders and creditors about individuals and their financial associates and their business (if they have one) to other organisations. This may be used by them and Experian to:
The UK’s data protection law allows the use of personal data where its purpose is legitimate and isn’t outweighed by the interests, fundamental rights or freedoms of data subjects. The law calls this the Legitimate Interests condition for personal data processing. The Legitimate Interests being pursued by Experian’s ID&F business are:
(a) Promoting responsible lending and helping to prevent over-indebtedness
(b) Helping prevent and detect crime and fraud and anti-money laundering services and verify identity
(c) Supporting tracing and collections
(d) Complying with and supporting compliance with legal and regulatory requirements
Experian’s ID&F business obtains and uses information from different sources, so it often holds different information and personal data from each other. However, most of the personal data they do hold falls into the categories outlined below;
(b) Lender-provided and creditor provided data
(c) Fraud prevention indicators
(d) Gone Away Information Network indicators
(e) Search footprints
(f) Other Supplied Data (phone number data and politically exposed persons (PEPs) and sanctions data.)
(g) Other derived data (address links, aliases, financial associations and linked people, and flags and triggers
(h) Data provided by the relevant people
(a) Fraud Prevention Agencies
(b) Resellers, distributors and agents
(c) Other organisations - Some data, where permitted in accordance with industry rules or where it’s public information, can be shared with other organisations that have a legitimate use for it - ID verification services, for example
(d) Public bodies, law enforcement and regulators
(e) Processors (where Experian uses other organisations to perform tasks on their behalf (for example, IT service providers and call centre providers)
(f) Individuals (People are entitled to obtain copies of the personal data Experian hold about them. You can find out how to do this in Section 7 below.)
Experian is based in the UK, and keeps its main databases there. It has operations elsewhere inside and outside the European Economic Area, and personal data may be accessed from those locations too. In both cases, the personal data use in those locations is protected by European data protection standards.
Sometimes Experian will need to send or allow access to personal data from elsewhere in the world. This might be the case, for example, when Experian’s processor or client is based overseas or uses overseas data centres.
While countries in the European Economic Area all ensure a high standard of data protection law, some parts of the world may not provide the same level of legal protection when it comes to personal data. As a result, when Experian does send personal data overseas it will make sure suitable safeguards are in place in accordance with European data protection requirements, to protect the data. For example, these safeguards might include:
If your data has been sent overseas like this, you can find out more about the safeguards used by Experian, by contacting Experian as follows;
By Post: Experian, PO BOX 9000, Nottingham, NG80 7WF
Web Address: http://www.experian.co.uk/consumer/contact-us/index.html
Identification data like names and addresses are kept while there’s a continuing need to keep it. This need will be assessed on a regular basis, and data that’s no longer needed for any purpose will be disposed of.
Experian keeps most search footprints for one year from the date of the search, although it keeps debt collection searches for up to two years.
Other third party supplied data such as politically exposed persons (PEPs) and sanctions data and mortality data will be stored for a period determined by criteria such as the agreed contractual terms.
Experian may hold data in an archived form for longer than the periods described above, for things like research and development, analytics and analysis, (including refining lending and fraud strategies, scorecard development and other analysis such as loss forecasting), for audit purposes, and as appropriate for establishment, exercise or defence or legal claims. The criteria used to determine the storage period will include the legal limitation of liability period, agreed contractual provisions, applicable regulatory requirements and industry standards.
Data access right
You have a right to find out what personal data Experian holds about you. Experian provides more information about access rights on its website.
Experian: To get online information: http://www.experian.co.uk/consumer/contact-us/index.html
To make a request by post:
Customer Support Centre, Experian Ltd, PO BOX 9000, Nottingham, NG80 7WF
NOTE: The information in this document will be effective from the Adopted Date set out on the first page, except for the information in this Section 9 (data portability right), and in Sections 11 and 12. These Sections provide information on new rights that will only come into effect from the 25th May 2018, which is the effective date of the General Data Protection Regulation (GDPR).
When Experian receives personal data, they perform lots of checks on it to try and detect any effects or mistakes. Ultimately, though, Experian relies on the suppliers to provide accurate data. If you think that any personal data Experian holds about you is wrong or incomplete, you have the right to challenge it. It’s worth knowing that Experian won’t have the right to change the data without permission from the organisation that supplied it, so the Experian will need to take reasonable steps to check the data first, such as asking the organisation that supplied it to check and confirm its accuracy. If the data does turn out to be wrong, Experian will update its records accordingly. If Experian still believes the data is correct after completing their checks, they’ll continue to hold and keep it - although you can ask them to add a note to your file indicating that you disagree or providing an explanation of the circumstances. If you’d like to do this, you should contact Experian using the contact details in section 7 above.
NOTE: The information in this document will be effective from the Adopted Date set out on the first page, except for the information in Sections 9, (data portability right), this Section 11 and in Section 12. These Sections provide information on new rights that will only come into effect from the 25th May 2018, which is the effective date of the General Data Protection Regulation (GDPR).
This section helps you understand how to use your data protection rights to object to your personal data being used and how to ask for it to be deleted. To understand these rights and how they apply, it’s important to know that Experian's ID&F business holds and processes personal data under the Legitimate Interests ground for processing (see section 2 above for more information about this), and don’t rely on consent for this processing. You have the right to lodge an objection about the processing of your personal data to Experian. If you want to do this, you should contact Experian using the contact details set out in section 6 above. Whilst you have complete freedom to contact Experian with your objection at any time, you should know that under the General Data Protection Regulation, your right to object doesn’t automatically lead to a requirement for processing to stop, or for personal data to be deleted, in all cases.
Please note that, because of the importance of the credit referencing industry to the UK’s financial system, and the important purposes the personal data is needed for (like supporting responsible lending, and preventing over indebtedness, fraud and money laundering) it will be very rare that Experian do not have compelling, overriding grounds to carry on using the personal data following an objection. In many cases, it won’t be appropriate for Experian to restrict or to stop processing or delete personal data, for example, where the result would be to hide a poor credit history that could enable a person or organisation to get credit they otherwise wouldn’t be eligible for.
NOTE: The information in this document will be effective from the Adopted Date set out on the first page, except for the information in Sections 9, (data portability right), Section 11 and in this Section 12. These Sections provide information on new rights that will only come into effect from the 25th May 2018, which is the effective date of the General Data Protection Regulation (GDPR).
In some circumstances, you can ask Experian to restrict how they use your personal data. Your rights are set out at Article 18 of the GDPR. You can find Experian’s contact details in section 7 above.
This is not an absolute right, and your personal data may still be processed where certain grounds exist. This is:
Only one of these grounds needs to be demonstrated to continue data processing. Experian will consider and respond to requests it receives, including assessing the applicability of these exemptions. Please note that given the importance of complete and accurate credit records, for purposes including for responsible lending, it will usually be appropriate to continue processing credit report data -in particular, to protect the rights of another natural or legal person, or because it’s an important public interest of the union or member state.
Experian tries to deliver the best customer service levels, but if you’re not happy you should contact it so it can investigate your concerns.
Credit reference agency Contact details
Experian Limited Post: Experian, PO BOX 8000, Nottingham, NG80 7WF
Phone: 0344 481 0800 or 0800 013 8888
If you’re unhappy with how Experian has investigated your complaint, you have the right to refer it to the Financial Ombudsman Service (Ombudsman) for free. The Ombudsman is an independent public body that aims to resolve disputes between consumers and businesses like Experian. You can contact them by:
You can also refer your concerns to the Information Commissioner’s Office (or ICO), the body that regulates the handling of personal data in the UK. You can contact them by:
The work Experian does is very complex, and this document is intended to provide only a concise overview of the key points. More information about Experian and what it does with personal data is available at the following location:
The Information Commissioner’s Office also publishes advice and information for consumers in its Credit Explained leaflet, available at