The ICO has issued an enforcement notice against Experian, highlighting that the company needs to make ‘fundamental changes” to how it handles data.
The enforcement notice comes out of an investigation the ICO has conducted for two years, researching how Experian, Equifax and TransUnion use personal data. The findings highlight an industry wide problem where Credit Reference Agencies conduct a significant amount of invisible processing of personal data, without the express consent of the person.
Credit Reference Agencies gather information about peoples credit history, from many sources. As a result of what they find, they build a credit report about a person and typically generate a score once a user is profiled. As an ongoing process, they continually monitor people’s credit histories, updating a persons score and credit report. In turn, 3rd party companies like banks and lending institutions buys this data to make risk based decisions on who to loan credit to, at what rate.
All three Credit Reference Agencies had made improvements to their direct marketing services, with Equifax and TransUnion going further and withdrawing some products. However, the ICO highlighted that all three agencies had failed to explain clearly what they were doing with people’s data, and that Experian still needed to action to align themselves with data legislation. All three were enriching and then trading personal data.
It is believed that Experian will appeal against the enforcement, questioning if the ICO has overstated the legal requirements and highlighting the importance of the services to business and consumers.
One thing is for sure. The ICO are fully enabled to investigate if companies are being transparent on how and why they have personal data. Organisations need to consider carefully what justifications they have for gathering, storing and processes their data.