Equifax Information Notice
Version 3.1 Adopted: July 2023
This Equifax Information Notice (“Notice”) describes how and why Equifax Limited (“Equifax”, “we”, “our” and “us”) hold and process personal data about you in relation to our core UK credit reference and fraud prevention services, and related services.
Equifax is a so-called “controller” of your personal data. This means that we make decisions about how and why we process your personal data and, because of this, we are responsible for making sure our use of your personal data is in accordance with data protection laws.
Equifax’s core activity is ‘credit referencing’ and ‘fraud prevention’. Together with the other main credit reference agencies (“CRA”s), TransUnion and Experian, we have drafted a separate document detailing how each CRA commonly uses and shares personal data we receive about you and/or your business that is part of, derived from or used in credit referencing and fraud prevention activities. We have called this document the ‘Credit Reference Agency Information Notice’ (CRAIN) and you can access it here: www.equifax.co.uk/crain
Equifax also provides other related services, which are listed below with the relevant processing of your personal data either set out in this Notice or a separate processing notice linked to below:
- Debt collection and recoveries management - our group company, TDX Group Limited, supports clients with debt management and recovery, and it uses personal data obtained from Equifax to assist with such activities. A copy of TDX’s privacy notice can be found here: https://www.tdxgroup.com/privacy
- Open Banking - together with our group company, Consents Online Limited (a FCA registered account information services provider), Equifax provides clients access to consumer transaction data held within payment accounts. A copy of the privacy notice explaining how Equifax and Consents Online use transaction data and related personal data is available here: https://consents.online/Privacy
- Marketing Services (see section 10 of this Notice) - Equifax uses personal data to help clients with their marketing activities, for example, to help ensure responsible lending by removing contact information from marketing lists where the financial services being offered are inappropriate to the circumstances of the individual, or to advise clients when individuals have moved address, updated their marketing preferences or have died.
- Segmentation and profiling (see section 8 of this Notice) - the generation of a ‘credit score’ is a type of profiling but Equifax also uses personal data to analyse, segment and profile sections of the population, for example by age range or geographic area.
In addition to the above, we may also make available other information notices from time to time in relation to specific products or business functions. These will apply in conjunction with this Notice.
CONTENT OF THIS NOTICE:
- How can you contact us?
- How do we use your personal data?
- What types of personal data does Equifax collect and where do we get it?
- What is our legal basis for using your personal data?
- Who does Equifax share personal data with?
- Where is personal data stored and sent?
- How long does Equifax retain personal data?
- Does Equifax make decisions about you or profile you?
- What are your rights in relation to your personal data?
- Marketing Services
- Who can you complain to if you are unhappy about the use of your personal data?
- Where can you find out more?
1. HOW CAN YOU CONTACT US?
We can be contacted by any of the following methods:
Post: Equifax Ltd, Customer Service Centre, PO Box 10036, Leicester, LE3 4FS.
Secure email via: www.equifax.co.uk/ask
Additionally, Equifax Ltd has a dedicated Data Protection Officer who can be contacted as follows:
Post: Equifax Ltd, Data Protection Officer, PO Box 10036, Leicester, LE3 4FS.
2. HOW DO WE USE YOUR PERSONAL DATA?
As one of the UK’s biggest credit reference agencies, we are regulated by the Financial Conduct Authority (“FCA”) and authorised to conduct business as a credit reference agency and a credit broker.
In order to provide our services, we hold detailed consumer and business data in the UK, which enables us to provide insights into the behaviours and drivers behind the economy, helping our clients drive their businesses forward and consumers and businesses access the products and services they can reasonably afford.
We appreciate that the role of a credit reference and fraud prevention agency (such as Equifax) is very complex, relying on a number of different uses of your data.
To help you understand how and why we use your data, we have summarised our primary uses of your personal data immediately below.
We have also produced an example ‘data journey’, which illustrates how your data would typically flow from you to Equifax, and with whom we may share it. You can access this ‘data journey’ here: [www.equifax.co.uk/ein-datajourney.html]
If you would like more information about what categories of personal data we use, where we obtain your data and more specifically how we process that data (and on what lawful basis), please see the further sections of this Notice or contact us using the contact details above.
Summary of personal data use:
(a) CREDIT REFERENCE AGENCY PROCESSING
As a credit reference agency, we receive personal data about you that is part of, derived from or used in credit activity.
As a basic example:
Equifax might receive information such as your name, address and date of birth when you apply for a loan or credit card.
We will match this to data we already hold and return information relevant to your financial standing.
The lender will use the information we provide to decide whether or not you can be accepted for the loan or credit card.
Should you be accepted, Equifax may then receive information about how you manage your repayments, including if you have missed a payment or if you are subject to any county court judgements.
This in turn supplements the information we already hold and creates a more complete view of your financial standing, which can be shared with other lenders.
The information we receive and process in relation to your credit activity, is used by Equifax and our clients in ‘credit referencing activities’, which include:
- Credit reporting and affordability checks (for example, information related to your financial standing guides lenders as to whether to accept your application for a loan or credit card)
- Verifying data like your identity, your age, where you live, and preventing and detecting criminal activity, fraud and money laundering
- Tracing your whereabouts to assist in the return of money you are owed or to reclaim debt that you owe
- Statistical analysis, including profiling of either you as an individual (for example, to generate a ‘credit score’) or a group of people (for example, the general financial standing of a region or city)
Please refer to the above mentioned CRAIN for more details on these activities: www.equifax.co.uk/crain
(b) FRAUD PREVENTION AGENCY PROCESSING
Equifax is a Fraud Prevention Agency ("FPA") and member of Cifas, a not-for-profit fraud prevention service. This means we collect, maintain and share data on known and suspected fraudulent activity. Where Equifax identifies potential fraud, it may share that information with Cifas so that other Cifas members can access it. This enables them to perform additional checks when (for example) a credit application is made in your name. If fraud is detected, you could be refused certain services, finance or employment.
Please refer to the Cifas privacy notice at https://www.cifas.org.uk/fpn for more details.
How data is used by Equifax as a fraud prevention agency:
In order to flag, prevent and monitor fraudulent (or suspected fraudulent) activity, we may supply the data received from our clients about you, your financial associates and your business (if you have one) to other organisations (please see SECTION 5 - WHO DOES EQUIFAX SHARE PERSONAL DATA WITH for more information). This may be used by these organisations and other FPAs and CRAs to:
- Prevent crime, fraud and money laundering by, for example;
- checking details provided on applications for credit and credit related products and services
- managing credit and credit related accounts or products or services
- verifying details provided as part of insurance underwriting and the pricing of insurance policies and assessment of insurance risk including insurance claims
- checking details on applications for jobs or as part of employment
- Verify your identity if you or your financial associate applies for facilities including all types of insurance and where a claim is made
- Trace your whereabouts to assist in the return of money you are owed or to reclaim debt that you owe
- Conduct other checks to prevent or detect fraud, as permitted by law
- Undertake statistical analysis and system testing
(c) MARKETING SERVICES
Equifax will use some of the data it holds about you to assist clients with their marketing activities. The data that is available for such use is limited and we restrict the use of your data by our clients to only certain marketing activities, which are summarised below, with further details provided in SECTION 10 (Marketing Services).
In any event, you have control of whether or not your data is used for marketing activities, and if you would prefer that it is not used for such activities, you have a right to object (please see SECTION 9.4 for more details).
The relevant information and the services we provide are summarised as follows:
- Financial Pre-Screening - To help promote responsible lending, avoid consumer overindebtedness and uphold the ‘Consumer Duty’ applicable to certain regulated firms, Equifax will use negative credit payment, search history, and public derogatory data such as the presence of county court judgements, to enable clients entitled to receive such data to remove individuals from financial marketing campaigns where the advertised service would not be appropriate to the circumstances of the individual. Credit related data may also be used to confirm residency at an address. You have the right to object to this processing. If you do, we will ensure that the credit data that Equifax holds on you within its Marketing Services products is not used to remove you from a marketing campaign.
- Suppression - To help avoid marketing being sent to the wrong address, to individuals that have died or who are under 18 or who have objected to the use of their data for marketing purposes, Equifax will identify to its relevant clients when potential recipients of client marketing appear to have died, moved address, are under 18 or have raised an objection to being marketed to.
- Customer marketing - To help promote responsible lending and avoid consumer overindebtedness, Equifax’s clients can search negative credit payment and search history of their customers, so that they can send marketing that is appropriate to the financial circumstances of that individual customer. Our clients must comply with their own legal obligations when conducting these searches with Equifax, making use of the data and sending marketing, including providing fair notice to you and obtaining any necessary consents.
- Open register supply – Equifax makes available to clients a copy of the open electoral register, this being the version that is available to anyone who wants to buy a copy and includes only the details of those individuals who have not ‘opted-out’ of being on the open register. Further information can be found at the following government website: https://www.gov.uk/electoral-register/opt-out-of-the-open-register
- Pre-mover information – Equifax stores details of properties that are available for rent or sale and shares this information with clients, who may use it to send marketing materials to that address (for example, offers to install or migrate broadband). This information will not include the name of the relevant resident, just the property details.
- Aggregated data insights - Equifax aggregates and anonymises data, which is made available to clients for a variety of uses, including to inform their marketing activities. For example, an analysis of the general financial strength of a town, city, postcode or other area may inform what marketing is conducted by our clients in that area.
Please note that SECTIONS 3 to 9 below do not specifically include or refer to the Marketing Services provided by Equifax as all the relevant information is included in SECTION 10 (MARKETING SERVICES).
(d) CONSUMER SERVICES
We will use your personal data when providing our services to you directly, including:
- Credit Score and Report – using the data held on our database, we calculate your credit score and can provide a report explaining what factors have impacted that score.
- WebDefend – using the details you provide to us (email addresses, telephone numbers, credit/debit card details, bank account numbers, driving licence number or National Insurance numbers), we identify and monitor potential instances of fraud by cross checking your data to that shown on websites used by fraudsters to trade personal data.
These services can be obtained through our website www.equifax.co.uk (the “Website”).
In obtaining these services, we will collect details such as your name, address, date of birth, contact details (including email and telephone number) and bank details. If you have applied through our Website, we may also collect a username and password (or other relevant log-in details).
(e) OPEN BANKING SERVICES
Equifax and its group company Consents Online Limited (“ConsentsOnline”) may also use personal data about you when we provide our open banking services.
Such services involve you granting permission to Equifax and ConsentsOnline to access transaction data listed on a payment account held by you, including balance, overdraft or credit limit, incoming and outgoing transactions, including the amount, data and description of transaction (“Transaction Data”).
At your instruction, we will then share your Transaction Data, together with any analysis of it that we may create, to our client i.e. the organisation that you have authorised to receive such information (an “Approved Recipient”).
The Approved Recipient will then typically use the Transaction Data and any analysis to assess your financial standing or provide other services which you have requested.
For more information on how and for what purposes we process your personal data in relation to our open banking services, please refer to our Open Banking Privacy Notice, which is available here.
(f) BIOMETRIC IDENTITY VERIFICATION
Equifax may collect biometric information about you when we provide our identity verification services, which will involve submitting photos of yourself and your photo identification.
If you decide to use this service via one of our clients, Equifax may process information about face geometry and related biometric information derived from the photos and other information (including information from your driving licence/passport) that you submit to us for the purpose of providing identity verification services.
(g) BUSINESS DATA PROCESSING
Personal data about individuals in their role as owners, directors, and employees of UK businesses may also be obtained, and processed by Equifax, and shared with clients or other credit reference agencies.
The information we receive and process is used by Equifax and our clients in ‘credit referencing activities’, which include:
- Credit reporting and affordability checks (for example, information related to your financial standing guides lenders as to whether to accept your application for a loan or credit card)
- Verifying business information and preventing and detecting criminal activity, fraud and money laundering
- Tracing your whereabouts to assist in the return of money you are owed or to reclaim debt that you owe
- Statistical analysis, including profiling of either you in a business capacity (for example, to generate a ‘credit score’) or a group of people (for example, the general financial standing of a region or city)
For further information please refer to the Business Information Providers Association.
(h) GENERAL INFORMATION SERVICES PROCESSING
In order to provide our services to clients and individuals, we need to undertake certain general background operational processing of your personal data, as follows:
- Data loading - data supplied to Equifax is checked for integrity, validity, consistency, quality and age to ensure it is fit for purpose. These checks pick up things like irregular dates of birth, names, addresses, account start dates, and gaps in payment status history.
- Data matching - data supplied to Equifax is matched to the data held on our existing databases to help make sure it is assigned to the right person, even when there are discrepancies like spelling mistakes or different versions of a person’s name. Where permitted, Equifax uses the personal data individuals have provided to its clients, together with data from other sources, to create and confirm identities, which are used to underpin the services Equifax provide.
- Data linking and financial associates - as Equifax compiles data into its databases, we create links between different pieces of data. For example, people who appear financially associated with each other may be linked together, and addresses where someone has previously lived can be linked to each other and to that person’s current address.
- Systems and product development/testing - data may be used to help support the development and testing of new products and technologies.
- Legal compliance and general record keeping – we will process data where required by law (for example, in order to comply with our requirements as a FCA regulated business) and may retain data where necessary for record keeping, tax compliance and to defend against claims.
3. WHAT TYPES OF PERSONAL DATA DOES EQUIFAX COLLECT AND WHERE DO WE GET IT?
To enable us to operate as a credit reference and fraud prevention agency, it is necessary for us to collect and store numerous types of data about you.
We typically do not have a direct relationship with you (except where you receive products or services from us (or otherwise communicate with us) directly), so we obtain this data from numerous sources, including directly from publically available materials (for example, the electoral roll and published county court judgements) or from our clients (for example, where a lender provides information about you so that we can conduct a credit check).
Equifax typically acts as a controller in relation to all the data it receives from such clients, including where provision of this information is for us to locate a match to records we already hold in our database and which is then supplemented with additional information (for example, addresses linked to you, your relevant credit data or other attributes relevant to you).
All the credit reference agencies rely on similar types of data in order to provide their core credit, anti-money laundering, identification and fraud services. Details of the types, description and source of information common to all three main credit reference agencies (including Equifax) can be found in the CRAIN: www.equifax.co.uk/crain
We have also set out the key categories of data that we collect about you and where we obtain this information, in the below table:
|CATEGORY OF DATA||TYPE OF PERSONAL DATA||WHERE COLLECTED*|
|Time at address||
|Date of Birth||
|Financial Accounts and Repayment Data||Credit agreements (including balance, payment history and term)||
|Closed / settled accounts||
|Instances of default||
|Current account turnover data (“CATO”)||
|Court Judgments, Decrees and Orders||County court judgements||
|Individual Voluntary Arrangements (“IVAs”)||
|Debt relief orders||
|High Court Data (Liquidations, Receiverships etc)||
|Searches (these are searches that lenders and clients may make in relation to you, when you apply for services, for example)||Credit searches||
|Debt collection searches||
|Application Data (this is information which is sent to Equifax as part of a search when you conduct an application for credit)||Name||
|Derived or Created Data||Credit score||
|Linked addresses (additional addresses that have been associated with you such as a previous address)||
|Linked companies (where a director or owner)||
|Attributes and characteristics||
|Biometric Information||Copies of photo identification||
|Other Data||Instances of actual or potential fraud||
|Sanctions, Politically exposed persons and SIP/SIE’s||
- The majority of data is derived from multiple sources. We have therefore listed key examples.
- Personal data may refer to you as an individual or in your capacity as a director, shareholder or business proprietor.
In addition to the above categories, we also process the following data relating to residential addresses:
- whether it is available for sale or rent (we call this “Pre-Mover Data”), which we store and make available to clients so that they can (for example) ensure the occupier of the property is updated on how to migrate or obtain products and services (such as broadband); and
- postcode level data (“PLD”), such as the percentage of households in a postcode with one adult present. This is information relating to a particular geographic area (and is therefore not always ‘personal data’ because it doesn’t relate to an identifiable individual). Please be aware that some of our clients may link PLD with you based on the area in which you live. This combined data is likely to be considered your personal data, which is processed by our clients.
4. WHAT IS OUR LEGAL BASIS FOR USING YOUR PERSONAL DATA?
We are required by data protection law to always have what is referred to as a “lawful basis” (i.e. a reason or justification) for processing your personal data. The below sets out the relevant lawful basis we rely on for that processing.
Please note that where we have indicated that our use of your personal data is either necessary for us to comply with a legal obligation or necessary for us to take steps, at your request, to potentially enter into a contract with you (or to perform our obligations in an existing contract), we may not be able to enter into or continue our contract or engagement with you, if you elect not to provide the relevant personal data.
The UK’s data protection law allows the use of personal data where the processing is necessary for a legitimate interest pursued by us or a third party and this interest is not outweighed by the interests, fundamental rights or freedoms of data subjects.
This is commonly referred to as the ‘Legitimate Interests’ condition for personal data processing.
Where Equifax processes your personal data in our function as a Credit Reference Agency or Fraud Prevention Agency (as detailed above and in the CRAIN), we rely on our Legitimate Interests and those of our clients, which include:
- Promoting responsible lending and helping to prevent over-indebtedness
- Helping prevent and detect crime and fraud, supporting anti-money laundering services and verifying identity
- Supporting tracing and collections
- Complying with and supporting compliance with legal and regulatory requirements
Please refer to the CRAIN for more details on the above activities: www.equifax.co.uk/crain
The UK’s data protection law allows the use of personal data where it is necessary for the performance of a contract to which you are a party.
We provide some of our services directly to individuals (for example, you may subscribe to receive your Equifax credit report). Where we process your personal data to provide you with these services, our processing will be both because it is in our Legitimate Interests to provide these services to you and also on the basis that such processing is necessary to comply with our contractual obligations to you, as an Equifax customer.
In addition to the lawful bases set out above, UK data protection law also allows us to process personal data where such processing is necessary for compliance with law.
There are many situations where such legal obligations may arise from time to time but those most likely to impact our business (and result in the processing of your personal data) are as follows:
- Where we are required to hold or share your personal data in compliance with FCA regulations and permissions;
- Where a crime is suspected (including fraud or money laundering) and we are required to make appropriate notifications or assist with investigations.
- Where we are required to comply with the instructions of a regulator, court or law enforcement agency.
- To maintain records required by law or to evidence our compliance with laws.
Consent or Explicit Consent
UK data protection law permits controllers to process personal data where you have consented to a specific use of it. Except in relation to certain marketing activities (please see SECTION 10), we typically do not rely on consent to lawfully process your personal data.
Occasionally, there may be isolated processing activities which we undertake on the basis of your consent, which we will notify you of in the relevant consent form (or similar document).
In relation to the processing of biometric data, we will, via our clients, provide a clear written consent statement explaining the processing activities associated with this data.
5. WHO DOES EQUIFAX SHARE PERSONAL DATA WITH?
As a credit reference and fraud prevention agency, our services require that your personal data be shared with certain third parties (for example our clients), who may request information about you in order to assess your suitability for a loan or other products.
In many cases, where an organisation uses Equifax services, there will be information accessible, for example from a website or at point of application or service, to explain that the organisation may check your data with a credit reference or fraud prevention agency (for example to undertake identity verification and fraud checking). In some cases, some organisations have the ability to compel CRAs, by law, to disclose certain data for certain purposes.
Where we do share your personal data, we operate comprehensive access control processes. For example, before we share data with any other organisation, we check that organisation’s identity, location and, where applicable, confirm any necessary legal registrations.
The below sets out the different types of recipient we share your personal data with.
Members of the Equifax credit data sharing arrangement
Each organisation that shares financial data with Equifax is also entitled to receive similar kinds of financial data contributed by other organisations. These organisations are typically banks, building societies, and other lenders, as well as other credit providers like utilities companies and mobile phone providers.
Fraud Prevention Agencies (FPAs)
If Equifax reasonably suspects that fraud has been or might be committed, it may share data with FPAs. These FPAs collect, maintain and share data on known and suspected fraudulent activity. Equifax and some other CRAs also act as FPAs.
Equifax shares information with the major fraud prevention agency in the UK, Cifas, who can be contacted here.
Debt Collection Agencies (DCAs)
Equifax uses credit reference data to provide products and services for ongoing relationship and account management activities. It may share this data with Debt Collection Agencies if an individual has fallen into arrears, and is going through a debt collection process.
Equifax has arrangements with other organisations to enable them to supply Equifax services to end clients. Equifax will accordingly disclose personal data to such resellers and distributors for this purpose, and those resellers and distributors will either operate as independent controllers or as data processors for and on behalf of the relevant end client. Details of our primary resellers are shown here and will be updated as appropriate from time to time:
|Company Details||Description of Service|
|GB Group plc (‘GBG’) https://www.gbgplc.com/products-services-privacy-policy/||
|LexisNexis Risk Solutions https://risk.lexisnexis.co.uk/||
|Iovation Inc. www.iovation.com||
|Sagacity Solutions Limited www.sagacitysolutions.co.uk||
|Jumio UK Limited www.jumio.com||
|BAE Systems Applied Intelligence Limited www.baesystems.com/en/cybersecurity/home||
|CoCreate Design and Marketing Limited www.cocreatedesign.com||
|Synectics Solutions Limited www.synectics-solutions.com||
|Fair Isaac Services Limited www.fico.com||
|Threatmetrix Inc. www.threatmetrix.com||
Some data, where permitted in accordance with industry rules or where it is public information, can be shared with other organisations that have a legitimate use for it - ID verification services, for example.
Public bodies, law enforcement and regulators
The police and other law enforcement agencies, as well as public bodies like local and central authorities and Equifax’s regulators, can sometimes request that Equifax supply them with personal data. This can be for a range of purposes such as preventing or detecting crime, fraud, apprehending or prosecuting offenders, assessing or collecting tax or investigating complaints.
Equifax Group Companies
Equifax shares personal data with other companies within its group where required for the purposes of administration of products/services, IT back office and software support. Such group companies include: Equifax Inc. Equifax Commercial Services Limited, Equifax Consumer Information Services LLC, Equifax Chile and Equifax Costa Rica (“Equifax Group”).
We also provide services to some group companies (such as TDX Group Limited) to enable those group companies to provide services to their clients.
Equifax uses other trusted organisations to perform tasks on its behalf. The following shows the countries of operation for listed services:
|Service Category||Country(s) of Operation (See section 6. for more information on Equifax overseas processing)|
|IT infrastructure and operations software support||UK & India|
|IT back office business process software support||India|
|IT back office helpdesk service support||India|
|IT service management support||UK & US|
|Customer call centre services||UK & Philippines|
|Customer call centre support services||US|
|Processing administration services||India|
|Telephone support services||UK|
|Printing and mailing house services||UK|
|Merchant payment processor for customer payments||Ireland|
|Cloud services provider||UK & US|
|Identity and fraud prevention service provider||US|
|Marketing communication services||UK|
|Confidential Waste Services||UK|
Many of these services are provided by companies within the Equifax Group:
|Equifax Group Company Details||Country(s) of Operation (See section 6. for more information on Equifax overseas processing)||Description of Service|
|Equifax Inc.||US||Administrative support, IT and Security back office software support, software development and cloud disaster recovery|
|Equifax Commercial Services Limited||Ireland||Customer call centre and complaints handling services|
|Equifax Consumer Services LLC||US||Website portal services|
People are entitled to obtain copies of the personal data Equifax holds about them. You can find out how to do this in SECTION 9 below.
6. WHERE IS PERSONAL DATA STORED AND SENT?
Equifax is based in the UK, and we keep our main databases here. All information and personal data held by Equifax is stored either on encrypted services at a secure physical location (whether these be our own servers or those of cloud service providers that we use).
Equifax also has internal policies and controls in place to ensure that personal data is kept secure as well as to minimise the risk of any personal data being lost, misused, disclosed or accidently destroyed.
Equifax also has operations elsewhere inside and outside the European Economic Area, and personal data may be accessed by or transferred to Equifax Group companies or service providers in other jurisdictions.
Details of the main processors Equifax use and where they operate can be found above in SECTION 5.
While countries in the European Economic Area all ensure a high standard of data protection law, some parts of the world may not provide the same level of legal protection when it comes to personal data. As a result, when Equifax does send or allow access to personal data overseas we will make sure suitable safeguards are in place in accordance with European data protection requirements, to protect the data. To do this Equifax:
- ensures third parties have entered into a contractual duty of confidentiality with Equifax;
- obliges third parties to implement appropriate technical and organisational measures to ensure the security of personal data;
- ensures adequate transfer mechanisms are in place, including in many cases by putting in place a contract with the recipient containing mandatory terms approved by the European Commission as providing a suitable level of protection for personal data. These are commonly referred to as Standard Contractual Clauses or ‘EU Model Clauses’.
7. HOW LONG DOES EQUIFAX RETAIN PERSONAL DATA?
Identification data like names and addresses are kept while there’s a continuing need to keep it. This need will be assessed on a regular basis, and data that’s no longer needed for any purpose will be disposed of.
A list of retention periods for key data sets that we process is available in the CRAIN at: www.equifax.co.uk/crain In addition, we have summarised some of these below:
Financial accounts and repayment data
Data about live and settled accounts is kept on credit files for six years from the date they’re settled or closed. If the account is recorded as defaulted, the data is kept for at least six years from the date of the default.
Court judgments, decrees and administration orders
Generally, court judgments and other decrees and orders are kept on credit files for six years from the date of the judgement, decree or order. But they can be removed if the debt is repaid within one calendar month of the original date or if the judgement is set aside or recalled by the courts.
Bankruptcies, IVAs, debt relief orders and similar events
Data about bankruptcies, IVAs and other insolvency-related events and arrangements are usually kept on credit files for six years from the date they begin. This period is extended if they last longer than six years. Some data, such as a bankruptcy restrictions order, can also remain on the credit file for longer than six years.
Although the start of these events is automatically reported to Equifax, the end (such as a discharge from bankruptcy or completion of an IVA) might not be. It is for this reason that we advise you to contact us (please see our contact details above) and the other CRAs (as applicable) when this happens, to make sure that credit files are updated accordingly.
Equifax keeps most search footprints for at least one year from the date of the search, although we keep debt collection searches for up to two years.
Derived or created data
Equifax also creates data and generates links and matches between data. For example, Equifax keeps address links and aliases for as long as they’re considered relevant for credit referencing and other valid purposes.
Links between people are kept on credit files for as long as we believe those individuals continue to be financially connected. When two people stop being financially connected, either person can contact us and ask for the link to be removed. We will then follow a process to check the people are no longer associated with each other and then update our records accordingly.
Other third party supplied data such as politically exposed persons (PEPs) and sanctions data and mortality data will be stored for a period determined by criteria such as the agreed contractual terms.
Equifax holds data in an archived form for longer than the periods described above, for things like research and development, analytics and analysis, (including refining lending and fraud strategies, scorecard development and other analysis such as loss forecasting), for audit purposes, and as appropriate for establishment, exercise or defence of legal claims. The criteria used to determine the storage period will include the legal limitation of liability period, agreed contractual provisions, applicable regulatory requirements and industry standards.
8. DOES EQUIFAX MAKE DECISIONS ABOUT YOU OR PROFILE YOU?
It is a common misconception that CRAs use your personal data to ‘decide’ whether or not a lender should provide you with credit or other services. This is not the role of a CRA.
Equifax will collect and combine personal data about you to generate a ‘picture’ of you (for example, your financial standing). This is a form of profiling.
Where permitted by law, Equifax then shares this profile of you with our clients (for example, banks and other lenders) who will then use it to make their own decisions about you.
Accordingly, Equifax does not tell its clients if they should offer you credit or services – this is for the client to decide based (at least in part) on the data and analytics that we provide.
Please refer to the CRAIN for more details on this: www.equifax.co.uk/crain
Scores and ratings
The primary form of profiling Equifax undertakes is in the production of scores and ratings. Equifax uses the data we obtain to produce credit, risk, fraud, identity, affordability, screening, collection and/or insolvency scores and credit ratings about you.
Please refer to CRAIN for more details on this: www.equifax.co.uk/crain
Equifax will combine the information it holds about you and others to generate characteristics linked to (for example) the area in which you live (please see our comments at SECTION 4 in relation to PLD).
Typically, these characteristics are (once compiled) at an anonymous level i.e. you are not directly identified. However, where we share this data with our clients, they might link it to relevant individuals (for example, an individual living in London might be linked to the data profile we have created in relation to residents of London).
9. WHAT ARE YOUR RIGHTS IN RELATION TO YOUR PERSONAL DATA?
Data protection law provides you with a number of rights in relation to your personal data (which are summarised below and expanded in the sub-sections following). You can exercise these rights by contacting us via the details set out in SECTION 1.
Subject to the requirements of applicable laws and certain limitations or exemptions, you have the right to:
- access your personal data and be provided with certain information in relation to it, such as the purpose for which it is processed;
- require us to correct any inaccuracies in your personal data without undue delay;
- require us to erase your personal data (please be aware that the right of erasure under data protection law is not an absolute right as it only applies in relation to one or more specific circumstances);
- require us to restrict the processing of your personal data;
- receive the personal data which you have provided to us in a commonly used, machine readable format, where we are processing it on the basis consent or to comply with a contract with you (please see the above tables) and such processing is automated; and
- object to a decision that we make which is based solely on automated processing of your personal data.
You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO), which is the UK data protection regulator. More information can be found on the ICO website at https://ico.org.uk
We have provided further details of the above rights, below.
9.1 WHAT CAN I DO IF I WANT TO SEE MY PERSONAL DATA HELD BY EQUIFAX?
Data access right
You have a right to find out what personal data Equifax holds about you and for a copy of this information to be provided to you free of charge.
The most relevant information Equifax holds about you is likely to be contained in your own credit report.
View Statutory Credit Report On-line
Equifax provides a quick and efficient way to access your credit report for free and on-line within a few minutes where we can positively confirm your on-line identity. Click below to start the process:
Request a paper copy of your Statutory Credit Report
Customer Service Centre
PO Box 10036
A copy of your Statutory Credit Report will be posted to your home address within one month but is likely to be much quicker than that.
Request a copy of other personal data held by Equifax
You can also request a free downloadable copy (available in PDF format) of the other information Equifax holds about you. Click below to start the process:
It may take us up to one month to collate and provide you with this information.
If you require a copy of your personal data in a format such as braille or audio, please use one of the contact channels detailed in SECTION 1 above, to make your request
9.2 DO I HAVE A ‘PORTABILITY RIGHT’ IN CONNECTION WITH MY EQUIFAX DATA?
Recent data protection legislation also contains a right to data portability that may give consumers a right in some data processing contexts, to receive their personal data in a portable format when it is processed on certain grounds, such as consent. This is not a right that will apply to Equifax data where this data is processed on the grounds of legitimate interests. To find out more about legitimate interests please go to SECTION 3 above.
9.3 WHAT CAN I DO IF MY PERSONAL DATA IS WRONG?
When Equifax receives personal data, we will check it to try and detect any defects or mistakes. Ultimately, though, we can often only rely on our suppliers to provide accurate data.
If you think that any personal data Equifax holds about you is wrong or incomplete, you have the right to challenge it. It’s worth knowing that when acting as a credit reference agency or fraud prevention agency we won’t have the right to change the data without permission from the organisation that supplied it, so we will need to take reasonable steps to check the data first, such as asking the organisation that supplied it to check and confirm its accuracy.
If the data does turn out to be wrong, we will update our records accordingly. If we still believe the data showing on your credit report is correct after completing our checks, we’ll continue to hold and keep it - although you can ask us to add a note to your credit report indicating that you disagree or providing an explanation of the circumstances.
If you’d like to do this, please use one of the contact channels detailed in SECTION 1 above.
9.4 CAN I OBJECT TO EQUIFAX USE OF MY PERSONAL DATA AND HAVE IT DELETED OR RESTRICTED?
Data protection laws in the UK give you the right to object to your personal data being processed and to request that such processing be restricted or the data deleted. However, please be aware that the rights of objection, restriction and erasure are not ‘absolute rights’, meaning that they will only apply in specific circumstances.
This section helps you understand how to use your data protection rights to object to your personal data being used and how to ask for it to be restricted or deleted.
You can contact Equifax with your objection or request at any time, using the contact details in SECTION 3.
Right of Objection:
The right of objection only applies in the following circumstances:
a) Where the processing is based on a legitimate interest or a public interest. However, we are permitted to continue processing your data if there are ‘compelling legitimate grounds’ to continue processing your data (please see the section ‘Overriding Legitimate Grounds’ below)
b) Where personal data is processed for the purposes of direct marketing. This is an absolute right – meaning if you raise an objection to any such processing, we will stop that processing (please be aware that we may retain a record of your objection and certain other details to ensure that your objection to marketing processing continues to be recognised).
Right of Restriction:
The right of restriction only applies in the following circumstances:
a) the accuracy of your data is contested by you for a period enabling us to verify the accuracy;
b) our processing of your personal data is unlawful but you would prefer that the data not be deleted and would instead like us to simply not use it;
c) it is no longer necessary for us to process the personal data but you would like us to retain it (rather than delete it) so that you can use it for the establishment, exercise or defence of a legal claim; or
d) you have objected to the processing (see above) and are pending verification of any overriding legitimate grounds we may have to continue processing the data (see below).
Right of Erasure:
A right of erasure only applies in relation to one or more of the following circumstances (as applicable):
a) The personal data is no longer necessary for the purpose we collected it for.
b) The processing of your personal data was on the basis of your consent, which has now been revoked and there are no other lawful basis for processing your personal data.
c) Your personal data is processed for the purposes of conducting direct marketing and you have now objected to such marketing (however, we may still need to retain some of your data in order to ensure that you are not sent marketing).
d) We are unlawfully processing your personal data or applicable UK law requires us to erase the personal data to comply with a legal obligation.
e) The processing of your personal data is on the basis of a legitimate interest pursued by us or a third party (or is in the public interest), you have objected to such processing and there are no overriding legitimate grounds to continue processing the personal data.
As explained earlier in this Notice, the majority of our processing of your personal data is on the basis of legitimate interest. Therefore, condition (e) above, is the one most likely to apply and we can continue processing your data if an overriding legitimate ground exists (please see below).
Overriding Legitimate Grounds
Please be aware that it is very likely that an overriding legitimate ground to continue processing your data will continue to exist (despite your objection or request for erasure). This is because of the importance of the credit referencing industry to the UK’s financial system, which helps the industry assess instances of fraud and prevent over indebtedness, fraud and money laundering.
As a result, in many cases it won’t be appropriate for Equifax to restrict or to stop processing or delete your personal data. For example, where the result would be to hide a poor credit history that could enable a person or organisation to get credit they otherwise wouldn’t be eligible for.
10. MARKETING SERVICES
10.1 WHAT PERSONAL DATA DO WE PROCESS AND WHERE DO WE GET IT FROM?
The following types of personal data are used in our marketing services:
Personal Identifiers - your name, postal address and date of birth, obtained or derived from local authorities, credit providers, clients and Registry Trust.
Public Data - records of you on the open register, published county court judgments (CCJs) and individual voluntary arrangements and bankruptcies, obtained from local authorities, Registry Trust and Insolvency services.
Credit Data - derogatory financial data provided to us by our clients and credit providers, including details of any missed payments or defaults and searches (such as credit and debt collection).
Property Data - details of the property at which you reside including whether it is available for sale or rent, which we obtain from public information and third-party suppliers.
Deceased Data - Name and address data for people who are deceased
Aggregated and Anonymous Data - anonymous and aggregated analytics generated by Equifax of the geographic area (such as a postcode) in which you live.
10.2 HOW DO WE USE YOUR DATA FOR DIRECT MARKETING PURPOSES?
Equifax’s marketing services involve the provision of analysis or data to our clients to assist with their own marketing activities. The list below explains the services available to our clients.
When our clients are undertaking marketing campaigns in relation to a financial service (for example, promoting a new loan), they may want to check that they are not sending communications to individuals for whom the product would not be appropriate to the circumstances of the individual. This helps promote responsible lending, avoid consumer overindebtedness and uphold the ‘Consumer Duty’ which certain regulated firms are required to comply with.
To assist such clients, Equifax will use Personal Identifiers, Public Data and Credit Data to remove individuals from marketing lists.
We do not permit this activity to be conducted in relation to just any individual. Our clients must first have provided fair notice of such use of your data and have a lawful basis to use it. For this reason, the service is typically used in relation to applicants and existing customers of our clients and we would encourage you to read the fair processing notices of your service providers.
To help avoid marketing being sent to the wrong address or to individuals that have died or have objected to the use of their financial data for marketing purposes, Equifax will notify clients when potential recipients of client marketing appear to have died, moved address or have raised such an objection.
To help promote responsible lending and avoid consumer overindebtedness, Equifax’s clients can access elements of the credit data, number of credit accounts and searches of their customers so that they can send marketing that is appropriate to the financial circumstances of that individual customer. Our clients must comply with their own legal obligations when conducting these activities with Equifax, making use of the data and sending marketing, including providing fair notice to you and obtaining any necessary consents.
As with the Pre-Screening services (see above), we do not permit these searches to be conducted in relation to just any individual. Our clients must be entitled to access your private credit data, must have first provided fair notice to you of such use of your data, have a lawful basis to use your data and have your consent to send marketing to you (where consent is required). For this reason, the service is typically limited to use in relation to existing customers of our clients or those individuals with whom our clients have an existing relationship. Accordingly, we would encourage you to read the fair processing notices of your service providers.
Open register supply
The electoral register contains the names and addresses of everyone who is registered to vote in public elections. There are two versions of the electoral register; the full version and the ‘open register’ (‘edited register’ in Northern Ireland). The open register is the version that is available to anyone who wants to buy a copy and includes only the details of those individuals who have not ‘opted-out’ of being on the open register. Further information can be found at the following government website: https://www.gov.uk/electoral-register/opt-out-of-the-open-register
Equifax receives a copy of the open register on a rolling basis and will make the information it contains available to our clients on a similar rolling basis.
Our clients are permitted to use this information for direct marketing purposes (for example, to send you postal marketing).
When you registered with the Electoral Roll (e.g. to vote), you will have been given the option to opt-out of having your details placed on the open register. If you did not opt out, your data can be used for direct marketing purposes on the lawful basis of legitimate interest.
You can ‘opt-out’ from appearing on the open register at any time by contacting your local Electoral Registration Office. Please be aware however, that while choosing to be removed from the open register will prevent companies having access to those details in the future, companies may continue to send you marketing communications using information they have previously obtained.
In any case, you have the right to ‘opt-out’ from receiving these communications by notifying the relevant sender.
Please see also SECTION 9 - WHAT ARE YOUR RIGHTS IN RELATION TO YOUR PERSONAL DATA.
When a property is listed for sale or rent, that information is typically made publically available (for example, via listings at estate agents).
Through its supplier (TwentyCI Limited – please see the details below), Equifax stores details of such properties, including the address and whether it is for sale or rent (“Pre Mover Data”).
The Pre Mover Data does not include any information that identifies the current resident, landlord, seller or any other data subject.
We provide the Pre Mover Data to clients who may (where permitted by law) use it to send marketing materials to you (for example, postal marketing with offers relevant to a new or outgoing resident, such as installation or migration of broadband).
You can opt-out from receiving any marketing communications at any time by notifying the relevant sender.
Please see also SECTION 9 - WHAT ARE YOUR RIGHTS IN RELATION TO YOUR PERSONAL DATA.
Pre Mover Data supplier:
8 Whittle Court
Tel: 01908 829300
Aggregated and anonymous data
Equifax anonymises and aggregates some of the information it holds (including information in relation to your financial standing) to generate analysis of an area or section of the population.
In SECTION 4 (above) we explain that such anonymous analysis is used to create postcode level data (PLD), which provides a likely profile of those resident in a particular area, normally a postcode.
In addition to the above noted marketing activities, we make available PLD (and potentially other anonymised data analysis) to our clients.
Our clients may use this data for general marketing purposes or, provided they act lawfully, combine this data with information they already hold about you in order to send direct marketing to you.
What is ‘general’ and ‘direct’
General marketing is (for example) where an organisation is sending mailshots to every address in an area and does not know or use the identity of the people at those addresses.
Where our clients use PLD to identify areas that might be most receptive to their products (for example, fibre broadband), any generic leaflets they send within that area will likely constitute general marketing.
Direct marketing is where you are targeted as an individual.
For example, we might supply a client with PLD which provides a general profile of the financial status of individuals who live in a borough of London, including their likelihood to purchase fibre broadband.
In addition to sending generic marketing to all of the households in that London borough, in relation to its roll out of new fibre broadband, the client may also have your permission to send marketing to you directly, and might use the PLD to refine the content of such marketing.
10.3 ON WHAT LAWFUL BASIS DOES EQUIFAX COLLECT AND PROCESS PERSONAL DATA FOR DIRECT MARKETING PURPOSES?
Except where we are sending direct marketing to you directly because you have opted-in to receive it (in which case, our lawful basis for processing your data is consent), all of our processing for the direct marketing purposes described above, is on the lawful basis of it being in the legitimate interests of us and our clients.
10.4 WHO DO WE SHARE MARKETING SERVICES DATA WITH?
We supply Marketing Services data to our clients and resellers.
Marketing Services Clients
The number and type of clients that we have will vary from time to time and these clients can operate in a variety of sectors, which include the following:
|Primary Sector||Sub Sectors|
|Charity||Ages, Animals, Armed and Ex Services, Arts, Children and Youth, Community, Culture and Heritage, Disability, Environmental, Education and Training, Employment Trades and Professions, Family, Homeless, Hospices, Human Rights, International, Medical Welfare, Mental Health, Overseas Aid, Religious, Rescue Services, Social Welfare, Sports Recreation and Visual Impairments|
|Finance||Pensions, Loans, Credit cards, Mortgages, Automotive (including dealerships and accessories), Investments and Savings, Insurance Home, Car, Travel, Pet, Personal and Other Insurance|
|FMCG||Supermarkets, Pharmacies, Consumables|
|Home and Family||Building Works, Buying, Changing Career, Children, Computers, Conservatories, DIY, Education, Employment, Electricity Services, Extensions, Finding New Employment, Floorings, Furniture, Further Education, Garages, Gas Services, Health Issues, Home Appliances, Learning, Letting, LPG Services, Oil Services, Other Household Utilities, Returning to Work, Self-Employment, Selling, Smoking, Stables, Starting Work, Telephones and TV|
|Legal||Accident Claims Management, Claims Management Companies, Debt Collection, Debt Consolidation, Legal Liability Claims, Legal Protection Claims, Legal Services, Packaged Bank Account Reclaim, Personal Accident Claims, Personal Injury Claims, Personal Liability Claims, PPI Companies and Claims, Voluntary Arrangements, Will Writing and Wills|
|Lifestyle||Health & Well-being, Fitness, Charities, Media and Publishing, Leisure, Gaming, Legal Services, Education and Photography|
|Marketing Services Providers||Marketing Services Providers and Data Brokers|
|Media||Magazine offers, Cinema, Competitions, Magazine Readership, Publishing, Newspaper Readership and Subscriptions, Offers, Theatre, Specialist Magazines, Surveys, Web Promotions, TV and Film|
|Motoring||Bicycles, Boats (powered and sail), Caravans, Gliding, Helicopter, Mobile Homes, Motorbikes, Motor Vehicles, Motorcycling, Motorhomes and Planes|
|Retail||Online retail, General Stores, Automotive, Property, Home Furnishings, Home Improvements, Fashion and Clothing, Telecoms and Utilities|
|Travel||Holidays, Hotels, Travel Booking and Airlines|
In addition to the sectors noted above, we also supply Marketing Services data to the following resellers/distributors:
|Company Details||Description of Service|
|Acxiom Limited https://www.acxiom.co.uk/about-acxiom/privacy/uk-privacy-policy/||Open register data|
|CACI Limited https://www.caci.co.uk/content/consumer-information||Open register data|
|Liveramp UK Limited https://liveramp.uk/privacy/||Open register data|
10.5 DOES EQUIFAX USE MY DATA FOR ITS OWN MARKETING?
Yes, where we have your consent or it is otherwise lawful for us to do so. As noted above, we may have a direct relationship with you where you have enquired about or purchased our products and services (for example, if you obtain your credit report).
When we obtained your personal data in relation to such products/services, you may have given your consent to us sending you direct marketing – or you may have been presented with an option to opt out from receiving direct marketing (where we are able to send marketing without your consent).
These marketing activities are distinct from those described above and only relate to our products and services. As explained below, should you no longer wish to receive any marketing communications from us, you can opt-out or unsubscribe at any time.
Our use of your personal data for our own direct marketing purposes is explained in our Website, Cookies and Consumer Services Privacy Notice, available at https://www.equifax.co.uk/About-us/Privacy_policy.html
10.6 HOW LONG WILL WE RETAIN MARKETING SERVICES DATA?
Equifax’s retention of marketing services data will be based on the data sets that make up the relevant services – and in any case, will not be retained for longer than is necessary.
For example, in relation to open register marketing services, your data will only be held for so long as we hold the open register data (see SECTION 5 - HOW LONG DOES EQUIFAX RETAIN PERSONAL DATA).
10.7 WHAT ARE MY RIGHTS IN RELATION TO MARKETING SERVICES DATA?
Your rights in relation to the personal data we use for Marketing Services are the same as those set out in SECTION 9, above.
In addition to these rights, you have an absolute right to object to direct marketing and (if our processing is based on consent) to withdraw your consent.
WITHDRAWING YOUR CONSENT
You may withdraw your consent for your personal data to be used for further marketing activity at any time.
You can notify us directly using the contact information provided in SECTION 1.
When you do contact Equifax to withdraw your consent (or where we otherwise stop processing your data following an objection – see below), we will add your data to our marketing suppression files. These files are applied to the Equifax marketing contact data in order to remove records about individuals who do not wish to have marketing contact. They may also be shared with some clients in order to ensure they suppress your data from their files. This process does require that Equifax processes your marketing contact data in order to include it in its suppression files.
OBJECTION TO MARKETING SERVICES PROCESSING
You have the right at any time to object to Equifax processing your personal data for the purposes of us (or our clients) sending direct marketing to you.
Following any such objection, we will cease processing your personal data for direct marketing purposes but may need to retain some of your personal data in order to (i) ensure that it continues to be suppressed from such direct marketing use; and/or (ii) continue our use of the data for any other purposes for which we have a lawful basis to do so, as set out in this Notice.
11. WHO CAN YOU COMPLAIN TO IF YOU ARE UNHAPPY ABOUT THE USE OF YOUR PERSONAL DATA?
Equifax works hard to give you the best possible service. We try to make it as easy as possible for you to share your concerns with us, and we want you to be happy with how we handle them.
If you have a complaint, please contact our Complaints Team. Full contact details and the Equifax complaints procedure can be found by clicking here.
If you’re unhappy with how Equifax has investigated your complaint, you may have the right to refer it to the Financial Ombudsman Service (Ombudsman) for free. The Ombudsman is an independent public body that aims to resolve disputes between consumers and businesses like Equifax. You can contact them by:
- Phone on 0300 123 9 123 (or from outside the UK on +44 20 7964 1000) or 0800 023 4567
- Email at email@example.com
- Writing to Financial Ombudsman Service, Exchange Tower, Harbour Exchange, London E14 9SR
- Going to their website at www.financial-ombudsman.org.uk
You can also refer your concerns to the Information Commissioner’s Office (or ICO), the body that regulates the handling of personal data in the UK. You can contact them by:
- Phone on 0303 123 1113
- Email at firstname.lastname@example.org (you need to add a subject line of 'Report a Concern')
- Writing to them at First Contact Team, Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF
- Going to their website at www.ico.org.uk
12. WHERE CAN YOU FIND OUT MORE?
The Information Commissioner’s Office publishes advice and information for consumers in its Credit Explained leaflet, available at https://ico.org.uk/media/for-the-public/documents/1282/credit-explained-dp-guidance.pdf.