Equifax Information Notice
(EIN)
Version 2 Adopted: May 2020
This Equifax Information Notice (“Notice”) describes how and why Equifax Limited (“Equifax”, “we”, “our” and “us”) hold and process personal data for each of its business functions in the UK
Equifax is a so-called “controller” of your personal data. This means that we make decisions about how and why we process your personal data and, because of this, we are responsible for making sure our use of your personal data is in accordance with data protection laws
Equifax’s core activity is ‘credit referencing’ and ‘fraud prevention’. Together with the other main credit reference agencies (“CRA”s), TransUnion (formerly Callcredit) and Experian, we have drafted a separate document detailing how each CRA commonly uses and shares personal data we receive about you and/or your business that is part of, derived from or used in credit referencing and fraud prevention activities. We have called this document the ‘Credit Reference Agency Information Notice’ (CRAIN) and you can access it here: www.equifax.co.uk/crain
You (and consumers generally) may be less familiar with other services Equifax provides, which concern the use of your data. For example, we use some of your data for marketing purposes (for example, to enable clients to contact you at an address you are listed at on the open electoral register) and to create profiles about you (for example, the generation of a ‘credit score’ is a type of profiling but we also create other profiles about you or a section of the population). This Notice clarifies these (and other) uses of your data, which you might not be already aware of
We may also make available other information notices in relation to specific products or business functions. These will apply in conjunction with this Notice. For example, our group company TDX Group Limited has its own Privacy Policy in relation to its business functions (including debt management and recovery), a copy of which can be found here: https://www.tdxgroup.com/privacy
CONTENT OF THIS NOTICE:
- How can you contact us?
- How do we use your personal data?
- What types of personal data does Equifax collect and where do we get it?
- What is our legal basis for using your personal data?
- Who does Equifax share personal data with?
- Where is personal data stored and sent?
- How long does Equifax retain personal data?
- Does Equifax make decisions about you or profile you?
- What are your rights in relation to your personal data?
- Marketing Services
- Who can you complain to if you are unhappy about the use of your personal data?
- Where can you find out more?
1. HOW CAN YOU CONTACT US?
We can be contacted by any of the following methods:
Post: Equifax Ltd, Customer Service Centre, PO Box 10036, Leicester, LE3 4FS
Web Address: https://www.equifax.co.uk/Contact-us/Contact_Us_Personal_Solutions.html
Secure email via: www.equifax.co.uk/ask
Phone: 0333 321 4043 or 0800 014 2955
Additionally, Equifax Ltd has a dedicated Data Protection Officer who can be contacted as follows:
Post: Equifax Ltd, Data Protection Officer, PO Box 10036, Leicester, LE3 4FS
Email: UKDPO@equifax.com
2. HOW DO WE USE YOUR PERSONAL DATA?
As one of the UK’s biggest credit reference agencies, we are regulated by the Financial Conduct Authority (“FCA”) and authorised to conduct business as a credit reference agency and a credit broker
In order to provide our services, we hold detailed consumer and business data in the UK, which enables us to provide insights into the behaviours and drivers behind the economy, helping our clients drive their businesses forward and consumers and businesses access the products and services they can reasonably afford
We appreciate that the roll of a credit reference and fraud prevention agency (such as Equifax) is very complex, relying on a number of different uses of your data
To help you understand how and why we use your data, we have summarised our primary uses of your personal data immediately below
We have also produced an example ‘data journey’, which illustrates how your data would typically flow from you to Equifax, and with whom we may share it. You can access this ‘data journey’ here: www.equifax.co.uk/ein-datajourney.html
If you would like more information about what categories of personal data we use, where we obtain your data and more specifically how we process that data (and on what lawful basis), please see the further sections of this Notice or contact us using the contact details above
Summary of personal data use:
(a) CREDIT REFERENCE AGENCY PROCESSING
As a credit reference agency, we receive personal data about you that is part of, derived from or used in credit activity.
As a basic example: Equifax might receive information such as your name, address and date of birth when you apply for a loan or credit card We will match this to data we already hold and return information relevant to your financial standing The lender will use the information we provide to decide whether or not you can be accepted for the loan or credit card Should you be accepted, Equifax may then receive information about how you manage your repayments, including if you have missed a payment or if you are subject to any county court judgements This in turn supplements the information we already hold and creates a more complete view of your financial standing, which can be shared with other lenders. |
The information we receive and process in relation to your credit activity, is used by Equifax and our clients in ‘credit referencing activities’, which include:
- Credit reporting and affordability checks (for example, information related to your financial standing guides lenders as to whether to accept your application for a loan or credit card)
- Verifying data like your identity, your age, where you live, and preventing and detecting criminal activity, fraud and money laundering
- Tracing your whereabouts to assist in the return of money you are owed or to reclaim debt that you owe
- Statistical analysis, including profiling of either you as an individual (for example, to generate a ‘credit score’) or a group of people (for example, the general financial standing of a region or city)
Please refer to the above mentioned CRAIN for more details on these activities: www.equifax.co.uk/crain
(b) FRAUD PREVENTION AGENCY PROCESSING
Equifax is also a Fraud Prevention Agency (“FPA”), which means we collect, maintain and share data on known and suspected fraudulent activity
How data is used by Equifax as a fraud prevention agency:
In order to flag, prevent and monitor fraudulent (or suspected fraudulent) activity, we may supply the data received from our clients about you, your financial associates and your business (if you have one) to other organisations (please see SECTION 5 - WHO DOES EQUIFAX SHARE PERSONAL DATA WITH for more information). This may be used by these organisations and other FPAs and CRAs to:
- Prevent crime, fraud and money laundering by, for example;
- checking details provided on applications for credit and credit related products and services
- managing credit and credit related accounts or products or services
- verifying details provided as part of insurance underwriting and the pricing of insurance policies and assessment of insurance risk including insurance claims
- checking details on applications for jobs or as part of employment
- Verify your identity if you or your financial associate applies for facilities including all types of insurance and where a claim is made
- Trace your whereabouts to assist in the return of money you are owed or to reclaim debt that you owe
- Conduct other checks to prevent or detect fraud, as permitted by law
- Undertake statistical analysis and system testing
(c) MARKETING SERVICES PROCESSING
Equifax does not sell any ‘credit derived’ personal data for the purposes of direct marketing, without your consent
This means that at no point will we ever sell information about your financial standing, which we have received from clients (including banks), in order to permit clients to send you direct marketing communications, without your consent
Equifax does collect certain publically available data about you (or related to you), which it shares with clients for the purposes of direct marketing
The relevant information and the services we provide are summarised as follows:
- Open register supply – The electoral register contains the names and addresses of everyone who is registered to vote in public elections. There are two versions of the electoral register; the full version and the ‘open register’ (‘edited register’ in Northern Ireland). The open register is the version that is available to anyone who wants to buy a copy and includes only the details of those individuals who have not ‘opted-out’ of being on the open register. Further information can be found at the following government website: https://www.gov.uk/electoral-register/opt-out-of-the-open-register
Equifax provides information available from the open register to clients, who are permitted to use this information for direct marketing purposes (for example, to send you postal marketing).
- Pre-mover information – Equifax collects details of properties that are available for rent or sale and shares this information with clients, who may use it to send marketing materials to you (for example, postal marketing with offers relevant to a new or outgoing resident, such as installation or migration of broadband).
The information Equifax collects and shares only relates to the relevant property and does not include your name and any other information that would directly identify you
As explained elsewhere in this Notice, Equifax anonymises and aggregates some the information it holds (including ‘credit derived’ data) for statistical analysis purposes
In addition to the above noted marketing activities, we may make available this anonymised data to our clients (for example, analysis of the general financial strength of a town, city or other area) which our clients are permitted to use for general marketing purposes (for example, sending leaflets to all the residents in a particular area). However, our clients are not permitted to use this information to send marketing to you directly as an individual
We have included a dedicated ‘Marketing Services’ section in this Notice to clearly and concisely explain how your data is obtained and used for marketing activities, including those summarised above (please see SECTION 10 - MARKETING SERVICES for further details)
Please note that SECTIONS 3 to 9 below do not specifically include or refer to the Marketing Services provided by Equifax as all the relevant information is included in SECTION 10 (MARKETING SERVICES).
(d) Consumer Services
We will use your personal data when providing our services to you directly, including:
- Credit Score and Report – using the data held on our database, we calculate your credit score and can provide a report explaining what factors have impacted that score.
- WebDefend – using the details you provide to us (email addresses, telephone numbers, credit/debit card details, bank account numbers, driving licence number or National Insurance numbers), we identify and monitor potential instances of fraud by cross checking your data to that shown on websites used by fraudsters to trade personal data.
These services can be obtained through our website www.equifax.co.uk (the “Website”)
In obtaining these services, we will collect details such as your name, address, date of birth, contact details (including email and telephone number) and bank details. If you have applied through our Website, we may also collect a username and password (or other relevant log-in details)
Processing of your personal data collected either via the Website or through provision of our direct to consumer services (summarised above) is explained in a separate privacy policy available on the Website at: https://www.equifax.co.uk/About-us/Privacy_policy.html
Please ensure that you review the Website privacy policy in addition to this Notice
(e) GENERAL INFORMATION SERVICES PROCESSING
In order to provide our services to clients and individuals, we need to undertake certain general background operational processing of your personal data, as follows:
- Data loading - data supplied to Equifax is checked for integrity, validity, consistency, quality and age to ensure it is fit for purpose. These checks pick up things like irregular dates of birth, names, addresses, account start dates, and gaps in payment status history.
- Data matching - data supplied to Equifax is matched to the data held on our existing databases to help make sure it is assigned to the right person, even when there are discrepancies like spelling mistakes or different versions of a person’s name. Where permitted, Equifax use the personal data individuals have provided to its clients, together with data from other sources, to create and confirm identities, which are used to underpin the services Equifax provide.
- Data linking - as Equifax compiles data into its databases, we create links between different pieces of data. For example, people who appear financially associated with each other may be linked together, and addresses where someone has previously lived can be linked to each other and to that person’s current address.
- Systems and product development/testing - data may be used to help support the development and testing of new products and technologies.
- Legal compliance and general record keeping – we will process data where required by law (for example, in order to comply with our requirements as a FCA regulated business) and may retain data where necessary for record keeping, tax compliance and to defend against claims.
3. WHAT TYPES OF PERSONAL DATA DOES EQUIFAX COLLECT AND WHERE DO WE GET IT?
To enable us to operate as a credit reference and fraud prevention agency, it is necessary for us to collect and store numerous types of data about you
We typically do not have a direct relationship with you (except where you receive products or services from us (or otherwise communicate with us) directly), so we obtain this data from numerous sources, including directly from publically available materials (for example, the electoral roll and published county court judgements) or from our clients (for example, where a lender provides information about you so that we can conduct a credit check)
Equifax typically acts as a controller in relation to all the data it receives from such clients, including where provision of this information is for us to locate a match to records we already hold in our database and which is then supplemented with additional information (for example, addresses linked to you, your relevant credit data or other attributes relevant to you)
All the credit reference agencies rely on similar types of data in order to provide their core credit, anti-money laundering, identification and fraud services. Details of the types, description and source of information common to all three main credit reference agencies (including Equifax) can be found in the CRAIN: www.equifax.co.uk/crain
We have also set out the key categories of data that we collect about you and where we obtain this information, in the below table:
CATEGORY OF DATA |
TYPE OF PERSONAL DATA |
WHERE COLLECTED* |
Identifiers |
Full Name |
Local authorities / Lenders / Clients / Directly (e.g. for consumer services customers) |
Residential Address |
Local authorities / Lenders / Banks / Royal Mail / Registry Trust |
|
Time at address |
Local authorities / determined internally |
|
Date of Birth |
Lenders / Banks / Insolvency services / Registry Trust and others |
|
Telephone Number |
BT / Directly (e.g. for consumer services customers) |
|
Email Address |
Directly (e.g. for consumer services customers) |
|
Alias |
Generated by Equifax by cross referencing other data sets related to you |
|
Financial Accounts and Repayment Data |
Credit agreements (including balance, payment history and term) |
Lenders and other clients |
Closed / settled accounts |
Lenders / Clients |
|
Instances of default |
Lenders / Clients |
|
Current account turnover data (“CATO”) |
Banks party to the CATO scheme |
|
Court Judgments, Decrees and Orders |
County court judgements |
Registry Trust / England & Wales Register |
Bankruptcies |
Insolvency services / London Gazette and Belfast Gazette |
|
Individual Voluntary Arrangements (“IVAs”) |
Insolvency services |
|
Debt relief orders |
Insolvency services |
|
Searches (these are searches that lenders and clients may make in relation to you, when you apply for services, for example) |
Credit searches |
Clients or customers of reseller clients that conduct a search |
Debt collection searches |
Clients or customers of reseller clients that conduct a search |
|
ID checks |
Clients or customers of reseller clients that conduct a search |
|
Derived or Created Data |
Credit score |
Generated by Equifax |
Linked addresses |
Generated by Equifax by cross referencing data sets which relate to you |
|
Linked companies (where a director or owner) |
Companies House / Generated by Equifax by cross referencing data sets, which relate to you |
|
Attributes and characteristics |
Generated by Equifax – please see SECTION 8 |
|
Other Data |
Instances of actual or potential fraud |
CIFAS |
Whether politically exposed |
HM Treasury |
|
Sanctions |
Dow Jones |
*Please note that the majority of data is derived from multiple sources. We have therefore listed key examples
In addition to the above categories, we also process the following data relating to residential addresses:
- whether it is available for sale or rent (we call this “Pre-Mover Data”), which we make available to clients so that they can (for example) ensure the occupier of the property is updated on how to migrate or obtain products and services (such as broadband); and
- postcode level data (“PLD”), such as the value of the property, its council tax band the general affluence of the area. This is information relating to a particular geographic area (and is therefore not always ‘personal data’ because it doesn’t relate to an identifiable individual). Please be aware that some of our clients may link PLD with you based on the area in which you live. This combined data is likely to be considered your personal data, which is processed by our clients.
4. WHAT IS OUR LEGAL BASIS FOR USING YOUR PERSONAL DATA?
We are required by data protection law to always have what is referred to as a “lawful basis” (i.e. a reason or justification) for processing your personal data. The below sets out the relevant lawful basis we rely on for that processing
Please note that where we have indicated that our use of your personal data is either necessary for us to comply with a legal obligation or necessary for us to take steps, at your request, to potentially enter into a contract with you (or to perform our obligations in an existing contract), we may not be able to enter into or continue our contract or engagement with you, if you elect not to provide the relevant personal data
Legitimate interests
The UK’s data protection law allows the use of personal data where the processing is necessary for a legitimate interest pursued by us or a third party and this interest is not outweighed by the interests, fundamental rights or freedoms of data subjects
This is commonly referred to as the ‘Legitimate Interests’ condition for personal data processing
Where Equifax processes your personal data in our function as a Credit Reference Agency or Fraud Prevention Agency (as detailed above and in the CRAIN), we rely on our Legitimate Interests and those of our clients, which include:
- Promoting responsible lending and helping to prevent over-indebtedness
- Helping prevent and detect crime and fraud, supporting anti-money laundering services and verifying identity
- Supporting tracing and collections
- Complying with and supporting compliance with legal and regulatory requirements
Please refer to the CRAIN for more details on the above activities: www.equifax.co.uk/crain
Contract
The UK’s data protection law allows the use of personal data where it is necessary for the performance of a contract to which you are a party
We provide some of our services directly to individuals (for example, you may subscribe to receive your Equifax credit report). Where we process your personal data to provide you with these services, our processing will be both because it is in our Legitimate Interests to provide these services to you and also on the basis that such processing is necessary to comply with our contractual obligations to you, as an Equifax customer
Legal Obligation
In addition to the lawful bases set out above, UK data protection law also allows us to process personal data where such processing is necessary for compliance with law
There are many situations where such legal obligations may arise from time to time but those most likely to impact our business (and result in the processing of your personal data) are as follows:
- Where we are required to hold or share your personal data in compliance with FCA regulations and permissions;
- Where a crime is suspected (including fraud or money laundering) and we are required to make appropriate notifications or assist with investigations.
- Where we are required to comply with the instructions of a regulator, court or law enforcement agency.
- To maintain records required by law or to evidence our compliance with laws.
Consent
UK data protection law permits controllers to process personal data where you have consented to a specific use of it. Except in relation to certain marketing activities (please see SECTION 10), we typically do not rely on consent to lawfully process your personal data
Occasionally, there may be isolated processing activities which we undertake on the basis of your consent, which we will notify you of in the relevant consent form (or similar document)
5. WHO DOES EQUIFAX SHARE PERSONAL DATA WITH?
As a credit reference and fraud prevention agency, our services require that your personal data be shared with certain third parties (for example our clients), who may request information about you in order to assess your suitability for a loan or other products
In many cases, where an organisation uses Equifax services, there will be information accessible, for example from a website or at point of application or service, to explain that the organisation may check your data with a credit reference or fraud prevention agency (for example to undertake identity verification and fraud checking). In some cases, some organisations have the ability to compel CRAs, by law, to disclose certain data for certain purposes
Where we do share your personal data, we operate comprehensive access control processes. For example, before we share data with any another organisation, we check that organisation’s identity, location and, where applicable, confirm any necessary legal registrations
The below sets out the different types of recipient we share your personal data with
Members of the Equifax credit data sharing arrangement
Each organisation that shares financial data with Equifax is also entitled to receive similar kinds of financial data contributed by other organisations. These organisations are typically banks, building societies, and other lenders, as well as other credit providers like utilities companies and mobile phone providers
Fraud Prevention Agencies (FPAs)
If Equifax reasonably suspects that fraud has been or might be committed, it may share data with FPAs. These FPAs collect, maintain and share data on known and suspected fraudulent activity. Equifax and some other CRAs also act as FPAs
Equifax shares information with the major fraud prevention agency in the UK, Cifas, who can be contacted here:
Resellers/Distributors
Equifax also uses other organisations to help provide its services to clients and may provide personal data to them in connection with that purpose. Details of our current list of such organisations are shown here and will be updated as appropriate from time to time:
Company Details |
Description of Service |
GB Group plc (‘GBG’) |
|
LexisNexis Risk Solutions |
|
Iovation Inc |
Fraud prevention and authentication tool provider |
Sagacity Solutions Limited |
Data management and consultancy provider |
Jumio UK Limited |
Facial biometrics and document validation services |
BAE Systems Applied Intelligence Limited |
Threat analytics, managed security services, financial crime, cyber defence and digital transformation services |
CoCreate Design and Marketing Limited |
Web application and development services |
Synectics Solutions Limited |
Detection of potentially fraudulent customer applications for credit, savings, insurance and money transmissions |
Fair Isaac Services Limited |
Data analytical services |
Threatmetrix Inc |
Fraud prevention software |
Other organisations
Some data, where permitted in accordance with industry rules or where it is public information, can be shared with other organisations that have a legitimate use for it - ID verification services, for example
Public bodies, law enforcement and regulators
The police and other law enforcement agencies, as well as public bodies like local and central authorities and Equifax’s regulators, can sometimes request that Equifax supply them with personal data. This can be for a range of purposes such as preventing or detecting crime, fraud, apprehending or prosecuting offenders, assessing or collecting tax or investigating complaints
Equifax Group Companies
Equifax shares personal data with other companies within its group where required for the purposes of administration of products/services, IT back office and software support. Such group companies include: Equifax Inc. Equifax Commercial Services Limited, Equifax Consumer Information Services LLC, Equifax Chile and Equifax Costa Rica (“Equifax Group”)
We also provide services to some group companies (such as TDX Group Limited) to enable those group companies to provide services to their clients
Processors
Equifax uses other trusted organisations to perform tasks on its behalf. The following shows the countries of operation for listed services:
Service Category |
Country(s) of Operation |
IT infrastructure and operations software support |
UK & India |
IT back office business process software support |
India |
IT back office helpdesk service support |
India |
IT service management support |
US |
Customer call centre services |
UK & Philippines |
Customer call centre support services |
US |
Processing administration services |
India |
Telephone support services |
UK |
Printing and mailing house services |
UK |
Merchant payment processor for customer payments |
Ireland |
Cloud services provider |
US |
Identity and fraud prevention service provider |
US |
Marketing communication services |
UK |
Confidential Waste Services |
UK |
Many of these services are provided by companies within the Equifax Group:
Equifax Group Company Details |
Country(s) of Operation |
Description of Service |
Equifax Inc. |
US |
Administrative support, IT and Security back office software support, software development and cloud disaster recovery |
Equifax Commercial Services Limited |
Ireland |
Customer call centre and complaints handling services |
Equifax Consumer Services LLC |
US |
Website portal services |
Servicios Equifax Chile Ltda |
Chile |
Back office incident and diagnosis support for Interconnect systems |
Verdad Informatica de Costa Rica S.A. |
Costa Rica |
Back office incident and diagnosis support for Interconnect systems |
In addition to the above, Equifax has service arrangements in place with auditors, consulting and professional service providers
Individuals
People are entitled to obtain copies of the personal data Equifax holds about them. You can find out how to do this in SECTION 9 below
6. WHERE IS PERSONAL DATA STORED AND SENT?
Equifax is based in the UK, and we keep our main databases here. All information and personal data held by Equifax is stored either on encrypted services at a secure physical location (whether these be our own servers or those of cloud service providers that we use)
Equifax also has internal policies and controls in place to ensure that personal data is kept secure as well as to minimise the risk of any personal data being lost, misused, disclosed or accidently destroyed
Equifax also has operations elsewhere inside and outside the European Economic Area, and personal data may be accessed by or transferred to Equifax Group companies or service providers in other jurisdictions
Details of the main processors Equifax use and where they operate can be found above in SECTION 5
While countries in the European Economic Area all ensure a high standard of data protection law, some parts of the world may not provide the same level of legal protection when it comes to personal data. As a result, when Equifax does send or allow access to personal data overseas we will make sure suitable safeguards are in place in accordance with European data protection requirements, to protect the data. To do this Equifax:
- ensures third parties have entered into a contractual duty of confidentiality with Equifax;
- obliges third parties to implement appropriate technical and organisational measures to ensure the security of personal data;
- ensures adequate transfer mechanisms are in place, including in many cases by putting in place a contract with the recipient containing mandatory terms approved by the European Commission as providing a suitable level of protection for personal data. These are commonly referred to as Standard Contractual Clauses or ‘EU Model Clauses’.
7. HOW LONG DOES EQUIFAX RETAIN PERSONAL DATA?
Identifiers
Identification data like names and addresses are kept while there’s a continuing need to keep it. This need will be assessed on a regular basis, and data that is no longer needed for any purpose will be disposed of
A list of retention periods for key data sets that we process is available in the CRAIN at: www.equifax.co.uk/crain In addition, we have summarised some of these below:
Financial accounts and repayment data
Data about live and settled accounts is kept on credit files for six years from the date they’re settled or closed. If the account is recorded as defaulted, the data is kept for at least six years from the date of the default
Court judgments, decrees and administration orders
Generally, court judgments and other decrees and orders are kept on credit files for six years from the date of the judgment, decree or order. But they can be removed if the debt is repaid within one calendar month of the original date or if the judgment is set aside or recalled by the courts
Bankruptcies, IVAs, debt relief orders and similar events
Data about bankruptcies, IVAs and other insolvency-related events and arrangements are usually kept on credit files for six years from the date they begin. This period is extended if they last longer than six years. Some data, such as a bankruptcy restrictions order, can also remain on the credit file for longer than six years
Although the start of these events is automatically reported to Equifax, the end (such as a discharge from bankruptcy or completion of an IVA) might not be. It is for this reason that we advise you to contact us (please see our contact details above) and the other CRAs (as applicable) when this happens, to make sure that credit files are updated accordingly
Search footprints
Equifax keep most search footprints for at least one year from the date of the search, although we keep debt collection searches for up to two years
Derived or created data
Equifax also creates data and generates links and matches between data. For example, Equifax keeps address links and aliases for as long as they’re considered relevant for credit referencing and other valid purposes
Links between people are kept on credit files for as long as we believe those individuals continue to be financially connected. When two people stop being financially connected, either person can contact us and ask for the link to be removed. We will then follow a process to check the people are no longer associated with each other and then update our records accordingly
Other data
Other third party supplied data such as politically exposed persons (PEPs) and sanctions data and mortality data will be stored for a period determined by criteria such as the agreed contractual terms
Archived data
Equifax holds data in an archived form for longer than the periods described above, for things like research and development, analytics and analysis, (including refining lending and fraud strategies, scorecard development and other analysis such as loss forecasting), for audit purposes, and as appropriate for establishment, exercise or defence of legal claims. The criteria used to determine the storage period will include the legal limitation of liability period, agreed contractual provisions, applicable regulatory requirements and industry standards
8.DOES EQUIFAX MAKE DECISIONS ABOUT YOU OR PROFILE YOU?
It is a common misconception that CRAs use your personal data to ‘decide’ whether or not a lender should provide you with credit or other services. This is not the role of a CRA
Equifax will collect and combine personal data about you to generate a ‘picture’ of you (for example, your financial standing). This is a form of profiling
Where permitted by law, Equifax then share this profile of you with our clients (for example, banks and other lenders) who will then use it to make their own decisions about you
Accordingly, Equifax does not tell its clients if they should offer you credit or services – this is for the client to decide based (at least in part) on the data and analytics that we provide
Please refer to the CRAIN for more details on this: www.equifax.co.uk/crain
Scores and ratings
The primary form of profiling Equifax undertakes is in the production of scores and ratings
When requested, Equifax uses the data we obtain to produce credit, risk, fraud, identity, affordability, screening, collection and/or insolvency scores and credit ratings about you
Please refer to CRAIN for more details on this: www.equifax.co.uk/crain
Other Profiling
Equifax will combine the information it holds about you and others to generate characteristics and attributes linked to (for example) the area in which you live (please see our comments at SECTION 4 in relation to PLD)
Typically, these characteristics and attributes are (once compiled) at an anonymous level i.e. you are not directly identified. However, where we share this data with our clients, they might link it to relevant individuals (for example, an individual living in London might be linked to the data profile we have created in relation to residents of London). Please note that clients are not permitted to link such data for direct marketing purposes (please see SECTION 10 (MARKETING SERVICES) for more information
9. WHAT ARE YOUR RIGHTS IN RELATION TO YOUR PERSONAL DATA?
Data protection law provides you with a number of rights in relation to your personal data (which are summarised below and expanded in the sub-sections following). You can exercise these rights by contacting us via the details set out in SECTION 1
Subject to the requirements of applicable laws and certain limitations or exemptions, you have the right to:
- access your personal data and be provided with certain information in relation to it, such as the purpose for which it is processed;
- require us to correct any inaccuracies in your personal data without undue delay;
- require us to erase your personal data (please be aware that the right of erasure under data protection law is not an absolute right as it only applies in relation to one or more specific circumstances);
- require us to restrict the processing of your personal data;
- receive the personal data which you have provided to us in a commonly used, machine readable format, where we are processing it on the basis consent or to comply with a contract with you (please see the above tables) and such processing is automated; and
- object to a decision that we make which is based solely on automated processing of your personal data.
You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO), which is the UK data protection regulator. More information can be found on the ICO website at https://ico.org.uk
We have provided further details of the above rights, below
9.1 WHAT CAN I DO IF I WANT TO SEE MY PERSONAL DATA HELD BY EQUIFAX?
Data access right
You have a right to find out what personal data Equifax holds about you and for a copy of this information to be provided to you free of charge
The most relevant information Equifax holds about you is likely to be contained in your own credit report
View Statutory Credit Report On-line
Equifax provides a quick and efficient way to access your credit report for free and on-line within a few minutes where we can positively confirm your on-line identity. Click below to start the process:
https://www.econsumer.equifax.co.uk/consumer/uk/order.ehtml?prod_cd=UKSCR
Request a paper copy of your Statutory Credit Report
You can request a free postal copy of your Statutory Credit Report in two ways - online or via our credit report application form which you can download then post to the following address:
Equifax Ltd
Customer Service Centre
PO Box 10036
Leicester
LE3 4FS
A copy of your Statutory Credit Report will be posted to your home address within one month but is likely to be much quicker than that
Request a copy of other personal data held by Equifax
You can also request a free downloadable copy (available in PDF format) of the other information Equifax holds about you. Click below to start the process:
https://www.subjectaccess.uk.equifax.com/subjectaccess/#/dsar-landing-page
It may take us up to one month to collate and provide you with this information
If you require a copy of your personal data in a format such as braille or audio, please use one of the contact channels detailed in SECTION 1 above, to make your request
9.2 DO I HAVE A ‘PORTABILITY RIGHT’ IN CONNECTION WITH MY EQUIFAX DATA?
Recent data protection legislation also contains a right to data portability that may give consumers a right in some data processing contexts, to receive their personal data in a portable format when it is processed on certain grounds, such as consent. This is not a right that will apply to Equifax data where this data is processed on the grounds of legitimate interests. To find out more about legitimate interests please go to SECTION 3 above
9.3 WHAT CAN I DO IF MY PERSONAL DATA IS WRONG?
When Equifax receives personal data, we will check it to try and detect any defects or mistakes. Ultimately, though, we can often only rely on our suppliers to provide accurate data
If you think that any personal data Equifax holds about you is wrong or incomplete, you have the right to challenge it. It’s worth knowing that when acting as a credit reference agency or fraud prevention agency we won’t have the right to change the data without permission from the organisation that supplied it, so we will need to take reasonable steps to check the data first, such as asking the organisation that supplied it to check and confirm its accuracy
If the data does turn out to be wrong, we will update our records accordingly. If we still believe the data showing on your credit report is correct after completing our checks, we’ll continue to hold and keep it - although you can ask us to add a note to your credit report indicating that you disagree or providing an explanation of the circumstances
If you’d like to do this, please use one of the contact channels detailed in SECTION 1 above
9.4 CAN I OBJECT TO EQUIFAX USE OF MY PERSONAL DATA AND HAVE IT DELETED OR RESTRICTED?
Data protection laws in the UK give you the right to object to your personal data being processed and to request that such processing be restricted or the data deleted. However, please be aware that the rights of objection, restriction and erasure are not ‘absolute rights’, meaning that they will only apply in specific circumstances
This section helps you understand how to use your data protection rights to object to your personal data being used and how to ask for it to be restricted or deleted
You can contact Equifax with your objection or request at any time, using the contact details in SECTION 3
Right of Objection:
The right of objection only applies in the following circumstances:
a) Where the processing is based on a legitimate interest or a public interest. However, we are permitted to continue processing your data if there are ‘compelling legitimate grounds’ to continue processing your data (please see the section ‘Overriding Legitimate Grounds’ below)
b) Where personal data is processed for the purposes of direct marketing. This is an absolute right – meaning if you raise an objection to any such processing, we will stop that processing (please be aware that we may retain a record of your objection and certain other details to ensure that your objection to marketing processing, continues to be recognised)
Right of Restriction:
The right of restriction only applies in the following circumstances:
a) the accuracy of your data is contested by you for a period enabling us to verify the accuracy;
b) our processing of your personal data is unlawful but you would prefer that the data not be deleted and would instead like us to simply not use it;
c) it is no longer necessary for us to process the personal data but you would like us to retain it (rather than delete it) so that you can use it for the establishment, exercise or defence of a legal claim; or
d) you have objected to the processing (see above) and are pending verification of any overriding legitimate grounds we may have to continue processing the data (see below)
Right of Erasure:
A right of erasure only applies in relation to one or more of the following circumstances (as applicable):
a) The personal data is no longer necessary for the purpose we collected it for
b) The processing of your personal data was on the basis of your consent, which has now been revoked and there are no other lawful basis for processing your personal data
c) Your personal data is processed for the purposes of conducting direct marketing and you have now objected to such marketing (however, we may still need to retain some of your data in order to ensure that you are not sent marketing)
d) We are unlawfully processing your personal data or applicable UK law requires us to erase the personal data to comply with a legal obligation
e) The processing of your personal data is on the basis of a legitimate interest pursued by us or a third party (or is in the public interest), you have objected to such processing and there are no overriding legitimate grounds to continue processing the personal data
As explained earlier in this Notice, the majority of our processing of your personal data is on the basis of legitimate interest. Therefore, condition (e) above, is the one most likely to apply and we can continue processing your data if an overriding legitimate ground exists (please see below)
Overriding Legitimate Grounds
Please be aware that it is very likely that an overriding legitimate ground to continue processing your data will continue to exist (despite your objection or request for erasure). This is because of the importance of the credit referencing industry to the UK’s financial system, which helps the industry assess instances of fraud and prevent over indebtedness, fraud and money laundering
As a result, in many cases it won’t be appropriate for Equifax to restrict or to stop processing or delete your personal data. For example, where the result would be to hide a poor credit history that could enable a person or organisation to get credit they otherwise wouldn’t be eligible for
10. MARKETING SERVICES
10.1 HOW DO WE USE YOUR DATA FOR DIRECT MARKETING PURPOSES?
As summarised above, Equifax does not sell any ‘credit derived’ personal data for the purposes of direct marketing, without your consent
This means that, unless we have your explicit consent, we will at not sell the personal data we receive about you from lenders (and other clients) when you make applications for credit (for example your current address or details of your financial standing); in order to enable clients to send you direct marketing communications
Equifax does collect certain publically available data about you (or related to you), which it shares with clients for the purposes of direct marketing
Equifax might also have a direct relationship with you (for example, because you subscribe to receive your monthly credit report) and we provide our own marketing to you because you have consented to receive it
The relevant information and marketing services we provide are explained in this section
Open register supply
The electoral register contains the names and addresses of everyone who is registered to vote in public elections. There are two versions of the electoral register; the full version and the ‘open register’ (‘edited register’ in Northern Ireland). The open register is the version that is available to anyone who wants to buy a copy and includes only the details of those individuals who have not ‘opted-out’ of being on the open register. Further information can be found at the following government website: https://www.gov.uk/electoral-register/opt-out-of-the-open-register
Equifax receives a copy of the open register on rolling basis and will make the information it contains available to our clients on a similar rolling basis
Our clients are permitted to use this information for direct marketing purposes (for example, to send you postal marketing)
When you registered with the Electoral Roll (e.g. to vote), you will have been given the option to opt-out of having your details placed on the open register. If you did not opt out, your data can be used for direct marketing purposes on the lawful basis of legitimate interest
You can ‘opt-out’ from appearing on the open register at any time by contacting your local Electoral Registration Office. Please be aware however, that while choosing to be removed from the open register will prevent companies having access to those details in the future, companies may continue to send you marketing communications using information they have previously obtained
In any case, you have the right to ‘opt-out’ from receiving these communications by notifying the relevant sender
Please see also SECTION 9 - WHAT ARE YOUR RIGHTS IN RELATION TO YOUR PERSONAL DATA.
Pre-mover information
When a property is listed for sale or rent, that information is typically made publically available (for example, via listings at estate agents)
Through its supplier (TwentyCI Limited – please see the details below), Equifax receives details of such properties, including the address and whether it is for sale or rent (“Pre Mover Data”)
The Pre Mover Data does not include any information that identifies the current resident, landlord, seller or any other data subject
We provide the Pre Mover Data to clients who may (where permitted by law) use it to send marketing materials to you (for example, postal marketing with offers relevant to a new or outgoing resident, such as installation or migration of broadband)
You can opt-out from receiving any marketing communications at any time by notifying the relevant sender
Please see also SECTION 9 - WHAT ARE YOUR RIGHTS IN RELATION TO YOUR PERSONAL DATA
Pre Mover Data supplier:
TwentyCi Limited
8 Whittle Court
Milton Keynes
Buckinghamshire
MK5 8FT
Email: enquiries@twentyci.co.uk
Tel: 01908 829300
Aggregated and anonymous data
Equifax anonymises and aggregates some of the information it holds (including information in relation to your financial standing) to generate analysis of an area of section of the population
In SECTION 4 (above) we explain that such anonymous analysis is used to create postcode level data (PLD), which provides a likely profile of those resident in a particular area (for example, London)
In addition to the above noted marketing activities, we make available PLD (and potentially other anonymised data analysis) to our clients
While we do permit our clients to use this data for general marketing purposes, we do not permit clients to combine this data with information it already holds about you in order to send direct marketing to you.
What is ‘general’ and ‘direct’ marketing and what do we permit? General marketing is (for example) where an organisation is sending mailshots to every address in an area and does not know or use the identity of the people at those addresses Where our clients use PLD to identify areas that might be most receptive to their products (for example, fibre broadband), any generic leaflets they send within that area will likely constitute general marketing Direct marketing is where you are targeted as an individual For example, we might supply a client with PLD which provides a general profile of the financial status of individuals who live in a borough of London, including their likelihood to purchase fibre broadband The client would be permitted to send generic marketing to all of the households in that London borough, in relation to its roll out of new fibre broadband The client would not be permitted to take any name and address data it already holds about you and link it with the PLD (because you live in the relevant borough, for example) so that it can specifically target you with marketing about its new fibre broadband. |
10.2 ON WHAT LAWFUL BASIS DOES EQUIFAX COLLECT AND PROCESS PERSONAL DATA FOR DIRECT MAREKTING PURPOSES?
Except where we are sending direct marketing to you directly because you have opted-in to receive it (in which case, our lawful basis for processing your data is consent), all of our processing for the direct marketing purposes described above, is on the lawful basis of it being in the legitimate interests of us and our clients
10.3 WHO DO WE SHARE MARKETING SERVICES DATA WITH?
We supply Marketing Services data to our clients and resellers
Marketing Services Clients
Equifax has fewer than ten (10) clients, with whom it shares marketing data, including the distributors/resellers listed below
However the number and type of clients that we have will vary from time to time and these clients can operate in a variety of sectors, which include the following:
Primary Sector |
Sub Sectors |
Charity |
Ages, Animals, Armed and Ex Services, Arts, Children and Youth, Community, Culture and Heritage, Disability, Environmental, Education and Training, Employment Trades and Professions, Family, Homeless, Hospices, Human Rights, International, Medical Welfare, Mental Health, Overseas Aid, Religious, Rescue Services, Social Welfare, Sports Recreation and Visual Impairments |
Finance |
Pensions, Loans, Credit cards, Mortgages, Automotive (including dealerships and accessories), Investments and Savings, Insurance Home, Car, Travel, Pet, Personal and Other Insurance |
FMCG |
Supermarkets, Pharmacies, Consumables |
Home and Family |
Building Works, Buying, Changing Career, Children, Computers, Conservatories, DIY, Education, Employment, Electricity Services, Extensions, Finding New Employment, Floorings, Furniture, Further Education, Garages, Gas Services, Health Issues, Home Appliances, Learning, Letting, LPG Services, Oil Services, Other Household Utilities, Returning to Work, Self-Employment, Selling, Smoking, Stables, Starting Work, Telephones and TV |
Legal |
Accident Claims Management, Claims Management Companies, Debt Collection, Debt Consolidation, Legal Liability Claims, Legal Protection Claims, Legal Services, Packaged Bank Account Reclaim, Personal Accident Claims, Personal Injury Claims, Personal Liability Claims, PPI Companies and Claims, Voluntary Arrangements, Will Writing and Wills |
Lifestyle |
Health & Well-being, Fitness, Charities, Media and Publishing, Leisure, Gaming, Legal Services, Education and Photography |
Marketing Services Providers |
Marketing Services Providers and Data Brokers |
Media |
Magazine offers, Cinema, Competitions, Magazine Readership, Publishing, Newspaper Readership and Subscriptions, Offers, Theatre, Specialist Magazines, Surveys, Web Promotions, TV and Film |
Motoring |
Bicycles, Boats (powered and sail), Caravans, Gliding, Helicopter, Mobile Homes, Motorbikes, Motor Vehicles, Motorcycling, Motorhomes and Planes |
Retail |
Online retail, General Stores, Automotive, Property, Home Furnishings, Home Improvements, Fashion and Clothing, Telecoms and Utilities |
Travel |
Holidays, Hotels, Travel Booking and Airlines |
Resellers/Distributors:
In addition to the clients noted above, we also supply Marketing Services data to the following resellers/distributors:Company Details |
Description of Service |
Acxiom Limited |
Open register data |
CACI Limited |
Open register data |
Liveramp UK Limited |
Open register data |
OMNIS Data Limited |
Open register data |
10.3 DOES EQUIFAX USE MY DATA FOR ITS OWN MARKETING?
Yes, where we have your consent or it is otherwise lawful for us to do so. As noted above, we may have a direct relationship with you where you have enquired about or purchased our products and services (for example, if you obtain your credit report)
When we obtained your personal data in relation to such products/services, you may have given your consent to us sending you direct marketing – or you may have been presented with an option to opt out from receiving direct marketing (where we are able to send marketing without your consent)
These marketing activities are distinct from those described above and only relate to our products and services. As explained below, should you no longer wish to receive any marketing communications from us, you can opt-out or unsubscribe at any time
Our use of your personal data for our own direct marketing purposes is explained in our Website privacy policy, available at https://www.equifax.co.uk/About-us/Privacy_policy.html
10.4 HOW LONG WILL WE RETAIN MARKETING SERVICES DATA?
Equifax’s retention of marketing services data will be based on the data sets that make up the relevant services – and in any case, will not be retained for longer than is necessary
For example, in relation to open register marketing services, your data will only be held for so long as we hold the open register data (see SECTION 5 - HOW LONG DOES EQUIFAX RETAIN PERSONAL DATA)
10.5 WHAT ARE MY RIGHTS IN RELATION TO MARKETING SERVICES DATA?
Your rights in relation to the personal data we use for Marketing Services are the same as those set out in SECTION 9, above
In addition to these rights, you have an absolute right to object to direct marketing and (if our processing is based on consent) to withdraw your consent
WITHDRAWING YOUR CONSENT
You may withdraw your consent for your personal data to be used for further marketing activity at any time
You can notify us directly using the contact information provided in SECTION 1
When you do contact Equifax to withdraw your consent (or where we otherwise stop processing your data following an objection – see below), we will add your data to our marketing suppression files. These files are applied to the Equifax marketing contact data in order to remove records about individuals who do not wish to have marketing contact. They may also be shared with some clients in order to ensure they suppress your data from their files. This process does require that Equifax processes your marketing contact data in order to include it in its suppression files
OBJECTION TO MARKETING SERVICES PROCESSING
You have the right at any time to object to Equifax processing your personal data for the purposes of us (or our clients) sending direct marketing to you
Following any such objection, we will cease processing your personal data for direct marketing purposes but may need to retain some of your personal data in order to (i) ensure that it continues to be supressed from such direct marketing use; and/or (ii) continue our use of the data for any other purposes for which we have a lawful basis to do so, as set out in this Notice
11. WHO CAN YOU COMPLAIN TO IF YOU ARE UNHAPPY ABOUT THE USE OF YOUR PERSONAL DATA?
Equifax works hard to give you the best possible service. We try to make it as easy as possible for you to share your concerns with us, and we want you to be happy with how we handle them
If you have a complaint, please contact our Complaints Team. Full contact details and the Equifax complaints procedure can be found by clicking here
If you’re unhappy with how Equifax has investigated your complaint, you may have the right to refer it to the Financial Ombudsman Service (Ombudsman) for free. The Ombudsman is an independent public body that aims to resolve disputes between consumers and businesses like Equifax. You can contact them by:
- Phone on 0300 123 9 123 (or from outside the UK on +44 20 7964 1000) or 0800 023 4567
- Email at complaint.info@financial-ombudsman.org.uk
- Writing to Financial Ombudsman Service, Exchange Tower, Harbour Exchange, London E14 9SR
- Going to their website at www.financial-ombudsman.org.uk
You can also refer your concerns to the Information Commissioner’s Office (or ICO), the body that regulates the handling of personal data in the UK. You can contact them by:
- Phone on 0303 123 1113
- Email at casework@ico.org.uk (you need to add a subject line of 'Report a Concern')
- Writing to them at First Contact Team, Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF
- Going to their website at www.ico.org.uk
12. WHERE CAN YOU FIND OUT MORE?
The Information Commissioner’s Office publishes advice and information for consumers in its Credit Explained leaflet, available at https://ico.org.uk/media/for-the-public/documents/1282/credit-explained-dp-guidance.pdf.