Privacy Hub
Credit Reference Agency Information Notice (CRAIN)
This privacy notice, produced with Experian and Transunion (the other key CRAs), explains how personal data is processed for core credit referencing activities. This often relates to personal data that has not been collected directly from the individual.
Version: 1.1 Adopted: 26th March 2020
IN BRIEF
We are credit reference agencies and we play a key role in the UK’s financial ecosystem. This document explains how we obtain, process and share personal data about consumers and businesses.
This section briefly summarises the key processing activities common to the credit reference agencies. For more detail, please refer to the rest of this document. In addition, we recommend reviewing each credit reference agency’s own information notices, which explain the specific processing activities of that credit reference agency. Links to these documents can be found in Section 14 below.
This document answers these questions:
- Credit reference agencies collect information about consumers and businesses from various sources and build databases that hold all of this data.
- The sources of that information include public records, such as court judgments (CCJs) and electoral register information, and financial information from lenders, utilities suppliers and telecoms businesses.
- Lenders and other organisations carry out searches against that information with one or more credit reference agencies.
- Organisations can carry out searches for several reasons. These include assessing creditworthiness and ability to afford financial products, checking the accuracy of other information, preventing and detecting crime (such as fraud or money laundering), checking identity, tracing individuals (for example to recover debts that they owe), calculating how much their insurance premiums should be, and assessing their suitability for a job or a tenancy.
- When an organisation carries out a search of someone’s information, we will record details of that search. This is known as a search footprint.
- Credit reference agencies also use consumer data for marketing-related purposes, such as helping organisations to better direct their marketing, including by screening individuals out of advertising for credit products so that those products are not offered to people who would not be eligible for them. They may also use the data to build insight to predict information or characteristics about the population, to help organisations identify who they want to market their products and services to.
- Credit reference agencies also use the data in their databases for other activities. These include analytics and profiling, such as helping lenders build scorecards to use in assessing credit applications.
- Because not every lender supplies data to every credit reference agency, your credit reference information held at each credit reference agency might be different.
- Credit reference agencies carry out several types of data processing to help achieve the aims described above. These include loading data, matching and linking data together as well as testing, developing and building our products and services.
- Consumers have certain rights that they can seek to exercise in relation to the personal data held by credit reference agencies. For example, they have rights to obtain a copy of the data, to ask the credit reference agency to correct it if it is inaccurate, and to object to the processing of the data.
Please note:
- This document describes how the credit reference agencies use and distribute the personal data described in section 4. This data is referred to as “credit reference data”.
- The credit reference agencies are independent businesses. Not all of the products and services described in this document are provided by all three of the credit reference agencies, or in the same way, and not all of the data is used by each of them.
- This document does not cover all personal data that the credit reference agencies use and distribute; for example, this document does not cover processing of personal data in relation to credit reference agency services you sign up to directly, such as services which allow you to view your own credit report and score. Section 2 and section 14 below provide links to where information can be found about each credit reference agency’s other products and services (including marketing services) and how they use and share other kinds of personal data.
- Consumers can obtain a copy of the information that each credit reference agency holds about them. Section 9 explains how this can be done.
CONTENTS
This document answers these questions:
- Who are the credit reference agencies and how can they be contacted?
- What do credit reference agencies use credit reference data for?
- What are the credit reference agencies’ legal grounds for handling credit reference data?
- What kinds of personal data do credit reference agencies use, and where do they get it from?
- Who do credit reference agencies share credit reference data with?
- Where is credit reference data stored and sent?
- For how long is credit reference data retained?
- Do the credit reference agencies make decisions about consumers or profile them?
- How can a consumer see what data the credit reference agencies hold about them? Do consumers have a ‘data portability’ right in connection with their credit reference data?
- What can a consumer do if their credit reference data is wrong?
- Can a consumer object to the use of their credit reference data and have it deleted?
- Can a consumer restrict what the credit reference agencies do with their credit reference data?
- Who can a consumer complain to if they are unhappy about the use of their credit reference data?
- Where can consumers find out more?
1. WHO ARE THE CREDIT REFERENCE AGENCIES AND HOW CAN THEY BE CONTACTED?
There are three main credit reference agencies in the UK.
Each is regulated by the Financial Conduct Authority (“FCA”) and authorised to conduct business as a credit reference agency. The full names and contact details for each are set out below..
Credit Reference Agency | Contact details |
---|---|
Equifax Limited | Post: Web Address: Email: UKDPO@equifax.com Phone: 0333 321 4043 or 0800 014 2955 |
Experian Limited | Post: Web Address: Phone: 0344 481 0800 or 0800 013 8888 |
TransUnion International UK Limited | Post: Web Address: Email: consumer@transunion.co.uk Phone: 0330 024 7574 |
In this information notice, these three companies are referred to as Equifax, Experian and TransUnion respectively. Together they are referred to as credit reference agencies.
Controllers
Each credit reference agency is a controller of the credit reference data that it holds. This means that it has certain responsibilities under data protection law to make sure that the data is used fairly and lawfully.
Where a credit reference agency operates as part of a group of companies, it may share joint responsibility with the other members of that group when sharing data with them. You can contact the relevant credit reference agency using the details above if you want to enquire about any of those group companies or exercise any of your rights in respect of your personal data.
2. WHAT DO CREDIT REFERENCE AGENCIES USE CREDIT REFERENCE DATA FOR?
Credit reference agencies use credit reference data in products and services that they offer to their clients. The purposes for which those products and services are used are described below, but please note that different clients may use the products and services in different ways. Consumers should check the privacy policies of the organisations that they deal with for details about how they use any products and services provided by the credit reference agencies.
(a) Credit reporting and affordability checks
Each credit reference agency uses credit reference data to provide credit reporting services and affordability checks to its clients.
Credit reporting
Organisations use credit reporting services to see how people and businesses are managing payments in respect of their credit arrangements and how they have done so in the past. For example, if a person applies for a bank loan to buy a car, the bank may use credit reporting services to check whether that person has defaulted on any previous credit agreements. It will then use this information, together with information from other sources, to assess the risk of offering the loan.
Affordability checks
Organisations use affordability checks to help understand whether people or businesses applying for credit are likely to be able to afford the repayments. The information provided as part of the affordability checks may affect a person’s or business’s ability to obtain credit.
These activities help promote responsible lending, prevent people and businesses from getting into more debt than they can afford, and reduce the amount of unrecoverable debt and insolvencies.
(b) Checks to validate and verify data, and help prevent and detect fraud, money laundering and other criminal activity
The credit reference agencies use credit reference data to provide validation and verification services and other services to help prevent fraud, money laundering and other criminal activity. Some examples of how credit reference agency clients use these services are as follows:
- When a person applies to an organisation for a product or service, the organisation might ask that person to answer questions about themselves, and then check the answers against the data held by the credit reference agencies to see if they match. For example, they may ask “What is your current address?” If the address provided does not exist on the credit reference agencies’ records (for example, because it is a fictitious address) or does not match the data held by the credit reference agencies (for example, there is no record of the person at the address provided), then this may be an indicator of a mistake or fraud.
- Where some products and services are only available to people of a certain age, organisations may check whether the person they are dealing with is eligible by looking at data held by the credit reference agencies. For example, if a person is signing up to join a gambling website which is only for people who are at least 18 years old, the organisation may check to see if the age provided by the person matches that held by the credit reference agencies.
- Government and quasi-government bodies may use credit reference agency services to check whether people are entitled to certain benefits and to help recover unpaid taxes, overpaid benefits and similar debts. For example, if a person is claiming single person discount for council tax, a local authority may check with the credit reference agencies to see if any other adults are living at the same address.
- The police may use data held by credit reference agencies to help in their investigations into criminal activity.
An indication of invalid or unverified information, fraud, money laundering or other criminal activity may affect the outcome of an application for (amongst other things) a product or service, a tenancy agreement or employment. If clients using the services identify potentially fraudulent activity they may also pass the applicant’s details to a fraud prevention agency such as Cifas and/or to the police.
(c) Customer management
Credit reference agencies use credit reference data to provide products and services for organisations to use for customer management purposes. Customer management is the ongoing maintenance of an organisation’s relationship with its customers. This could include activities designed to support:
- data accuracy: for example, to correct or update data held on the organisation’s records, such as correcting spelling mistakes or adding missing fields;
- ongoing relationship and account management activities: for example, to help organisations make decisions relating to credit limit adjustments, transaction authorisations, card reissue, inbound lending requests, and to identify and manage the accounts of customers including those at risk, in early stress, in arrears, or going through a debt collection process.
(d) Tracing and debt recovery
Credit reference agencies use credit reference data to provide products and services that allow organisations to trace people. This is typically needed where a person has moved address or changed their telephone number and has not provided their new contact details. The credit reference agencies help organisations locate customers they have lost contact with by providing them with updated addresses and other contact details.
The products and services are used to support organisations’ debt recovery and debtor tracing activity. For example, if a person owes money to an organisation and moves to a new house without telling the organisation where they have moved to, the organisation may use these services to help find that person to recover the money that is owed to them.
These products and services are also used to find people in order to let them know about assets that they may have forgotten about or not be aware of, such as old dormant savings accounts or pension funds, or to find people to let them know about assets of a deceased person which they have an interest in, such as administrators or beneficiaries of a deceased person’s estate. Please also see section 2(h) below which describes how some of the credit reference agencies provide tracing services for marketing purposes.
(e) Tenant vetting
Credit reference agencies use credit reference data to provide products and services that allow landlords to verify some of the information provided by their prospective tenants, as well as confirming that they are who they say they are and that they are likely to be willing and able to pay their rent on time. Landlords can use this information to help decide whether to agree to the tenancy, or how much of a deposit they should ask for.
(f) Staff and job candidate vetting
Credit reference agencies use credit reference data to provide products and services that allow organisations to verify some of the information provided by their staff and job candidates and confirm that they are who they say they are. They also enable employers to assess whether the staff member or candidate has a history of managing their own financial commitments well, or whether they are financially compromised. This can be used to help them decide whether the person would be or will continue to be a suitable member of staff.
(g) Insurance risk assessments and pricing
Credit reference agencies use credit reference data to provide products and services for organisations to use to assess insurance risk. For example, an insurer may find that a person’s financial standing and history can be used to help predict how likely that person is to make a claim on an insurance policy, or how large that claim might be. This can help the insurer to decide (i) whether to provide insurance to a person, and (ii) how much the insurance premium should be, and (iii) whether to allow payment for insurance on a credit instalment basis.
(h) Marketing and marketing-related services
Overview
Each credit reference agency offers its clients marketing services. Some of these marketing services use credit reference data and some do not. For details about the marketing services offered and the personal data used by the credit reference agencies, please see the following links:
Experian: https://www.experian.co.uk/privacy/consumer-information-portal
Equifax: https://www.equifax.co.uk/privacy-hub/ein
TransUnion: https://www.transunion.co.uk/legal/privacy-centre?#pc-marketing-services
As well as other rights, consumers have the right to object to the processing of their credit reference data for direct marketing purposes, including any profiling that is related to direct marketing. Section 11 sets out more details on how this right can be exercised.
If a credit reference agency provides marketing services, then they may use an individual’s title, name (including aliases), address, date of birth, gender and address links information (see section 4 for more detail), as well as limited information relating to their financial standing.
Screening out
Credit reference agencies use credit reference data to provide screening services to their clients. This means that they identify people who clients may wish to screen out of marketing lists. Screening is used to help ensure that individuals do not receive irrelevant or inappropriate marketing information.
For example, a client may want to screen out from its marketing list someone who is deceased, or who is under 18, or does not reside at the address they hold, or who may not be interested in a product or service or is unlikely to be accepted for it.
Other marketing-related activities
In addition, credit reference agencies may use credit reference data to offer some or all of the following marketing services:
- They may supply the open version of the electoral register (where people have not opted out from their electoral register data being used for marketing and other purposes) to organisations for marketing purposes. This can include identifying new potential customers, verifying that names, addresses and dates of birth collected from other sources are accurate and complete, and informing customers of any errors.
- They may identify when someone has moved away from an address so that marketing is not sent to them at that old address.
- They may help build insight using profiling techniques which will be used by organisations to help them identify people that they want to communicate with about particular products and services. This insight might predict, for example, age, marital status, household composition, length of residency at an address and gender. It can help give organisations insight into the likely characteristics of the UK population at an individual, household and postcode level. Credit reference data also helps credit reference agencies to validate the insight being created.
- In certain circumstances, insight might also be used to help clients predict the financial profile of a person so that they can personalise their interactions with them and make communications more relevant and suitable. For example, they could use the insight to select products or offers that they believe would be relevant to that person.
- Models and insight created by the credit reference agencies can be matched to clients’ own contact lists so that they can make better informed decisions about how they interact with individuals.
- They may confirm whether individuals are resident at the address that the credit reference agencies or their clients hold for them. This can be done by checking the credit reference data to see if there are any open credit accounts at an address and whether the accounts have recent activity, such as where a recent payment has been made. If they do, then it is likely that they have the correct address details. This will help ensure that an individual does not receive marketing for someone else and the credit reference agencies’ clients do not send marketing to the wrong address.
- They may trace individuals to a new address so that their marketing preferences (both opt- ins and opt-outs) collected at a previous address can continue to apply at their new address and so that marketing is not sent to them at their old address.
- The credit reference agencies may also use credit reference data to help keep their own marketing suppression lists (or those of their group companies) accurate and up to date. For example, if you have previously asked to be excluded from marketing activity and your credit reference data indicates that you have since moved or changed your name, that information can be used to make sure that you continue to be excluded from marketing activity at your new address or under your new name.
(i) Profiling, statistical analysis and anonymisation
Credit reference agencies use, and allow their clients to use, credit reference data to carry out profiling of consumers through statistical analysis. This includes the creation, validation and use of
scorecards, models, and attributes in connection with the assessment of risks relating to credit, fraud, affordability and debt collection. It is also used in verifying identities, to monitor and predict market trends and to enable clients to refine lending and fraud strategies, and loss forecasting.
These practices profile consumers to help determine the likelihood that a consumer with certain characteristics will act in a way that will produce certain outcomes; for example, to repay credit, to be able to afford credit, to claim on an insurance policy, to commit fraud, to respond to certain collection strategies or to become insolvent.
The credit reference agencies may also convert personal data into statistical or aggregated form so that individuals are not identified or identifiable (thereby creating anonymized data). Anonymized data is not personal data and the credit reference agencies may use such data to conduct research and analysis, including to produce statistical research and reports or for any other purposes.
(j) Data management activities
Credit reference agencies use credit reference data to carry out certain processing activities to support their own business operations. This includes supporting the effectiveness, efficiency and security of their databases, products and services, both in the context of their credit reference activities and more widely. For example:
- Data loading: credit reference data is checked for integrity, validity, consistency, quality and age to help make sure it is accurate. These checks pick up issues such as irregular dates of birth, names, addresses, account start and default dates, and gaps in status history.
- Data matching: credit reference data is matched to the credit reference agencies’ existing databases to help make sure it is assigned to the right person, even when there are discrepancies like spelling mistakes or previous names or different versions of a person’s name. Credit reference agencies use credit reference data to create and confirm identities, which they use to underpin the services that they provide.
- Data linking: when credit reference agencies compile data into their databases, they create links between different pieces of data. For example, people who appear financially associated with each other may be linked together and a person can be linked with their previous and current addresses. Also, where someone has an alias, such as a maiden name and married name, these names will be linked.
- System maintenance and testing: credit reference data may be used when carrying out system maintenance, repair and testing, and security activity.
Each credit reference agency has its own processes and standards for data management activity.
(k) New development and testing
The credit reference agencies use credit reference data to help develop new products, services and technologies and to test them. Typically, credit reference agencies will anonymise credit reference data before it is used for these purposes.
(l) Compliance with laws
The credit reference agencies use and disclose credit reference data where required by law. For example, this can happen in response to a court order or a request from a regulator, or in order to comply with a request from a person (or by a third party acting on their behalf), to exercise their legal rights in respect of the credit reference data, such as by requesting a copy of it.
3. WHAT ARE THE CREDIT REFERENCE AGENCIES’ LEGAL GROUNDS FOR HANDLING CREDIT REFERENCE DATA?
Data protection law requires the credit reference agencies to always have what is referred to as a “lawful basis” (i.e. a reason or justification) for processing personal data. There are a number of lawful bases available, but the majority of credit reference agencies’ activity is on the basis that:
- the processing is necessary to pursue the legitimate interests of the credit reference agencies and third parties (such as their clients), and those interests do not unduly prejudice the rights and freedoms of individuals; or
- the processing is necessary to comply with a legal obligation binding on the credit reference agencies.
For information about any other lawful basis relied on by each credit reference agency, please review their individual information notices (see section 14).
Legitimate interests
The credit reference agencies use credit reference data to pursue their legitimate interests, those of their clients and those of individuals. The following table explains these legitimate interests. The credit reference agencies have carried out assessments and have concluded that these interests are not overridden by the interests or fundamental rights and freedoms of individuals.
Interest | Explanation |
---|---|
Promoting responsible lending and helping to prevent over-indebtedness | Responsible lending means that lenders only sell products that are affordable and suitable for the borrowers’ circumstances. This is in the interests of borrowers so that they do not become burdened with debt that they cannot afford to repay, and the stress associated with that. It is also in the interests of lenders in that it reduces bad debt and collections activity. Credit reference agencies facilitate responsible lending by providing services that allow lenders to access information about a person (and anyone with whom they have a financial association, such as a joint account), including how they are managing current debt, have managed debt in the past and whether they have sufficient income to repay the debt. |
Helping prevent and detect fraud, money laundering and validate and verify identity | Credit reference agencies provide identity, anti-fraud and anti-money laundering services to help clients meet legal and regulatory obligations. These services benefit individuals by facilitating prompt access to services through identity verification, and helping to protect them against fraud, and other criminal activity. Prevention and detection of fraud, money laundering and other criminal activity is in the legitimate interest of the credit reference agencies and their clients. It is also to the benefit of wider society and therefore in the public interest. |
Customer and data management activities for the benefit of consumers and businesses. | Credit reference agencies provide services which help businesses maintain the quality of the data they hold and to make informed decisions about how they engage with their customers. It is in the legitimate interests of the credit reference agencies to offer these services to their clients but it is also in the legitimate interests of both the consumer and businesses by helping ensure that data held is accurate, comprehensive and up-to-date and that informed and responsible decisions can be made particularly in the context of lending decisions. |
Supporting tracing and debt recovery | Credit reference agencies provide services that support tracing and collections where the client has a legitimate interest in conducting activity to find its customers and to recover debt, or to reunite, or confirm that an asset relates to the right person. |
Enabling landlords to check the suitability of their prospective tenants | Credit reference agencies enable landlords to verify some of the information provided by their prospective tenants, as well as confirming that they are who they say they are and that they are likely to be willing and able to pay their rent on time. This helps the landlord to decide whether to agree to the tenancy, or how much of a deposit they should ask for; and it reduces the risk that the tenancy relationship will subsequently break down. It also helps tenants to avoid getting into legal difficulties where they have agreed to pay rent that they cannot afford. |
Enabling employers to check the suitability of their current and prospective staff | Credit reference agencies enable employers to verify some of the information provided by their staff and job candidates and confirm that they are who they say they are. They also enable employers to assess whether the staff member or candidate has a history of managing their own financial commitments well, or whether they are financially compromised. This can help reduce the risk of fraud and can help the employer to decide whether the person is or would be a suitable member of its staff. All of which is in the legitimate interest of those employers. |
Enabling insurers to calculate and price risk more accurately | Credit reference agencies enable insurers to consider certain kinds of credit reference data when they are assessing risk. This data can help the insurer decide whether to provide cover to a person, and how much the insurance premium should be. This enables them to better forecast their future liability and to price their insurance products more accurately and competitively. For consumers, it means that insurance policies are priced more fairly, with the lowest-risk individuals paying less for their insurance. |
Supporting compliance with legal and regulatory requirements | Credit reference agencies’ services may be used by their clients to help them comply with their own regulatory obligations, for example, complying with anti-money laundering obligations and regulations set by the FCA which require lenders to assess the creditworthiness of individuals who apply for loans. This is in the legitimate interest of clients. Further, these regulatory obligations are in place in the interests of wider society, so facilitating compliance with them indirectly benefits society as a whole, which is in the public interest. |
Promoting responsible, efficient and informed marketing activities for the benefit of consumers and businesses. | Credit reference agencies provide services to support organisations in ensuring that their marketing strategies are responsible, informed and efficient. This helps them to reduce waste (driving costs down and increasing competition) and avoid sending communications to individuals who are less likely to be interested in receiving them or who should not receive them. More information is available from each credit reference agency about the legitimate interests relied on for their marketing services activities by visiting: Experian: Equifax: TransUnion: |
Commercial interests | It is in each of the credit reference agencies’ legitimate interests to provide the services described above to its clients to generate sales revenues. |
The credit reference agencies’ use of credit reference data is subject to an extensive framework of safeguards that balance the legitimate interests set out above with the fundamental rights and freedoms of the people whose data the credit reference agencies use and share. The framework includes information given to people about how their personal data will be used and how they can exercise their rights to obtain their personal data, have it corrected, erased or restricted, object to it being processed, and complain if they are dissatisfied. It also includes extensive due diligence checks on clients, robust contractual arrangements and internal data management processes that the credit reference agencies have in place. These safeguards help sustain a fair and appropriate balance and to protect the rights and freedoms of individuals.
Legal obligations
In some circumstances the credit reference agencies are required by law to use or share personal data in particular ways. This happens, for example, when a court, law enforcement agency or regulator makes a legally binding request or order for disclosure of personal data. It also happens when individual consumers exercise their rights, for example by requesting a copy of their own personal data from a credit reference agency.
4. WHAT KINDS OF PERSONAL DATA DO CREDIT REFERENCE AGENCIES USE, AND WHERE DO THEY GET IT FROM?
Each credit reference agency obtains and uses personal data from different sources, so they often hold information that is different to some degree from that held by the others. However, most of the personal data they hold falls into the categories outlined below from the sources described.
Information type | Description | Source |
---|---|---|
Identifiers | Credit reference agencies hold personal data that can be used to identify people, such as name, date of birth, and current and previous addresses. They may also hold business data including name, address and details of shareholders and directors. | This data is part of some of the other data sources mentioned below in this table. Data about UK postal addresses is obtained from commercial sources such as Royal Mail. |
Electoral register data | Credit reference agencies hold information from the electoral register (also known as the ‘Electoral Roll’). There are two versions of this. One is known as the open register (also known as the ‘Edited Electoral Roll’ or ‘EER’) and can be used for a variety of purposes including marketing. The other is the full register which the credit reference agencies can only use for limited purposes. | This data is supplied by local authorities across the UK and the Isle of Man. |
Credit account performance data | Credit reference agencies receive personal data about how people are managing to repay their credit commitments. The data includes the name of the lending organisation, the date the account was opened, the account number, the amount of debt outstanding (if any), any credit available (including overdraft limits) and the repayment history on the account, including late and missing payments. | This data is provided from banks, building societies and other financial services providers such as credit card companies, home credit suppliers, credit unions and hire purchase companies. It is also provided by utilities companies, mobile phone networks, retail and mail order companies and insurance companies. |
Rental related data | Some credit reference agencies receive personal data about whether people are managing to pay their rent on time. The data includes tenancy reference, start date, end date, rental amount, arrangement amount and outstanding balance. | This data is provided by social housing providers and private landlords. |
Bank account turnover data and application salary data | This data includes the name of the organisation providing current accounts, current account numbers, sort codes, the number of account holders, the transactions made on the current accounts (credits and in some cases debits), and a figure for credits on each current account. Application salary data consists of the salary declared by a person when they are applying for credit. It also includes whether that figure is net or gross, and whether the salary has been verified (e.g. with copies of salary slips). This data also includes the date that an application was made. | This data is provided from organisations which offer people current accounts, such as banks and building societies. |
Judgment data | Credit reference agencies obtain data about court judgments and decrees. This may include, for example, the name of the court, the nature of the judgment, how much money was owed, and whether the judgment has been satisfied. | The government makes court judgments and other decrees and administrative orders publicly available through statutory public registers. These are maintained by Registry Trust Limited, which supplies the data on the registers to the credit reference agencies. |
Insolvency data | Credit reference agencies obtain data about insolvency-related events. This includes data about bankruptcies, administration orders, individual voluntary arrangements, debt relief orders, sequestrations, trust deeds and debt arrangement schemes. This data includes the start and end dates of the relevant insolvency or arrangement. | This data is obtained from The Insolvency Service, the Accountant in Bankruptcy, The Stationary Office and Northern Ireland’s Department for the Economy – Insolvency Service, the London, Belfast and Edinburgh Gazettes and Registry Trust Limited. Business insolvency data is obtained from the London, Belfast and Edinburgh Gazettes. |
Fraud prevention indicators | This data consists of information which indicates that an individual has demonstrated behaviour that appears to be consistent with that of known fraudulent conduct. It also consists of information where an individual has been a victim of identity fraud, or feels that his or her personal data is vulnerable due to a breach. | This data is obtained from Cifas, a not for profit fraud prevention membership organisation. |
Search footprints | When an organisation uses a credit reference agency to make enquiries about a person, the credit reference agency keeps a record of that enquiry. This is known as a ‘search footprint’. This includes the name of the organisation, the date, and the purpose for which the enquiry was made, for example, employee vetting. | Credit reference agencies generate search footprints automatically when enquiries are made about a person. |
Scores | Credit reference agencies and their clients use credit reference data to produce scores including in relation to credit, affordability, fraud, identity, collections and insolvency. | The credit reference agencies use algorithms known as ‘scorecards’ to produce scores by running credit reference data through scorecards. Similarly, other organisations create their own scores from data obtained from the credit reference agencies as well as other sources. |
Other third-party data | This data includes phone numbers and email addresses, data concerning politically exposed persons (PEPs) and people on sanctions lists as well as mortality data. | Credit reference agencies receive this data from reputable commercial sources under contracts agreed from time to time. |
Other data credit reference agencies create (not already referred to in this table) | The credit reference agencies derive certain data from the credit reference data. For example: Summarised and aggregated data: credit reference agencies can summarise credit reference data, for example by providing a count of the total number of accounts or judgments a person has, or the total amount of debt. They can also aggregate data about different consumers together, for example to provide an overview of the financial status of particular postcodes and other geographical areas. Address links: when a credit reference agency detects that a person has moved to a new house, it may create and store a link between the old and new address. Aliases: when a credit reference agency believes that a person has changed their name, it may record the old name alongside the new one. Financial associations and linked people: when a credit reference agency believes that two or more people are financially linked with each other (for example, because they have a joint account), it may record that fact. Flags and triggers: the credit reference agencies may create flags and triggers that they use in their systems to highlight that certain credit reference data exists or to summarise that data. For example, if the credit reference agencies hold fraud data from the fraud organisation known as Cifas, they may create a flag indicating this fact. This flag would highlight to clients that the data is available and give them the The credit reference agencies generate this data from the data sources available to them. opportunity to ask for more details. | The credit reference agencies generate this data from the data sources available to them. |
Data provided by individuals themselves | People sometimes provide data about themselves directly to credit reference agencies. For example, individuals have the right to ask credit reference agencies to add a short statement that will be displayed when an organisation sees credit reference data about them. This statement is known as a ‘notice of correction’ and can be used to allow the person to explain the reason for an entry. The right to do this is explained in section 10 below). If a person exercises any of their other legal rights, the credit reference agencies will retain data relating to these activities, for example, records will be kept of all actions and correspondence relating to managing complaints. |
5. WHO DO CREDIT REFERENCE AGENCIES SHARE CREDIT REFERENCE DATA WITH?
This section describes the types of organisation credit reference agencies share data with. Before sharing data with any third party each credit reference agency will, where appropriate, complete its own due diligence checks to ensure that the organisation is a real business and has applicable regulatory authorisations in place.
Clients
Credit reference agencies supply their products and services to clients in various sectors, such as banks, building societies, other credit providers, utility companies, mobile phone companies, insurance companies, credit report providers, retailers, gaming organisations, tenant and employee vetting firms, professional services organisations (such as firms of solicitors and accountants), estate agents, landlords, marketing companies, charities and public bodies such as the police, central and local government and regulators.
Certain organisations that share financial data with the credit reference agencies are members of closed user groups which entitle them to receive similar kinds of financial data contributed by other organisations in the group. These organisations are typically banks, building societies, and other lenders, as well as other credit providers like utilities companies and mobile phone networks.
Resellers, distributors and agents
Credit reference agencies sometimes use other organisations to help provide their products and services to clients. To do this, they may provide credit reference data to them so that they can provide the services.
Service providers
The credit reference agencies may use other external organisations and other members of their own groups of companies to perform tasks on their behalf (for example, IT service providers, call centre providers and security service providers). To do this, they may provide or make available credit reference data to them so that they can perform the tasks.
Fraud prevention agencies
Each credit reference agency is a member of Cifas, a not-for-profit fraud prevention service. Where a credit reference agency believes that you may have been a victim of fraud, it may share that information with Cifas so that other Cifas members can access it. This enables them to perform additional checks when (for example) a credit application is made in your name. Please refer to the Cifas privacy notice at https://www.cifas.org.uk/fpn for more details.
Regulators
Regulators can sometimes require credit reference agencies to supply them with personal data. This can be for a range of purposes such investigating complaints or assessing how well a particular industry sector is working.
Individuals
People are entitled to obtain copies of the personal data the credit reference agencies hold about them. Details on how to do this are set out in section 9 below.
6. WHERE IS CREDIT REFERENCE DATA STORED AND SENT?
The three credit reference agencies are all based in the UK and keep their main databases there. They may also have operations and service providers elsewhere inside and outside the UK and the European Economic Area, and credit reference data may be accessed from those locations too. Regardless of where the credit reference data is processed, the credit reference agencies ensure that it is always, protected by applicable UK and European data protection standards.
While the UK and countries in the European Economic Area all ensure a high standard of data protection law, some parts of the world may not provide the same level of legal protection when it comes to personal data. As a result, when a credit reference agency sends credit reference data overseas it makes sure suitable safeguards are in place in accordance with applicable UK and European data protection requirements, to protect the data. For example, these safeguards might include:
- Sending the data to a country that has been approved by the European authorities as having a suitably high standard of data protection law. Examples include the Isle of Man, Switzerland and Canada.
- Putting in place a contract with the receiving organisation containing terms approved by the European authorities as providing a suitable level of protection.
- Sending the data to an organisation which is a member of a scheme that has been approved by the European authorities as providing a suitable level of protection. One example is the Privacy Shield scheme agreed between the European and US authorities.
More information about the safeguards used by each credit reference agency can be obtained by contacting them at the contact details in section 1 above.
7. FOR HOW LONG IS CREDIT REFERENCE DATA RETAINED?
Each credit reference agency may retain credit reference data for different periods of time. Information about each credit reference agency’s retention periods can be found at the following locations:
- https://www.equifax.co.uk/privacy-hub/crain/retention
- https://www.experian.co.uk/legal/crain/data-retention
- https://www.transunion.co.uk/legal/crain-retention
These periods are subject to regular review and may change from time to time.
8. DO THE CREDIT REFERENCE AGENCIES MAKE DECISIONS ABOUT CONSUMERS OR PROFILE THEM?
Decisions about consumers
Credit reference agencies generally do not make decisions about consumers or tell organisations what decisions to make about consumers – this is for each organisation to decide. For example, credit reference agencies do not tell lenders whether to offer credit to consumers; they just provide services that help those lenders make decisions about consumers. An organisation’s own data, knowledge, processes and practices will also play a significant role in those decisions.
Credit reference agencies may provide similar services to their respective clients, but these services may lead to different decisions because (i) each credit reference agency may hold different information from the others, (ii) each client may place differing importance on some information compared to others, and (iii) each client may take into account information available to it from other sources. These are some of the reasons why a person may receive a “yes” from one lender but a “no” from another.
Scores and ratings
When requested, credit reference agencies use the data they obtain to produce credit, risk, fraud, identity, affordability, screening, collection and insolvency scores and ratings; these are explained in section 4 above.
9. HOW CAN A CONSUMER SEE WHAT DATA THE CREDIT REFERENCE AGENCIES HOLD ABOUT THEM? DO CONSUMERS HAVE A ‘DATA PORTABILITY’ RIGHT IN CONNECTION WITH THEIR CREDIT REFERENCE DATA?
Data access right
Consumers have the right to find out what personal data the credit reference agencies hold about them. Each credit reference agency provides more information about access rights on their websites.
Credit reference agency | How to access your data |
---|---|
Equifax | To get your credit report: To get other information about how to access your personal data: To make a request by post: |
Experian | To get your credit report: To get other information about how to access your personal data: To make a request by post: |
TransUnion | To get your credit report: To get other information about how to access your personal data: To make a request by post: |
Data portability right
Data protection legislation also contains a right to data portability. Where it applies, the right to data portability gives consumers a right to receive their personal data in a standard format. However, this right only applies when personal data is processed on certain grounds, such as consent. This right does not apply to credit reference data because it is processed on the grounds of “legitimate interests”. To find out more about legitimate interests please go tosection 3 above.
10. WHAT CAN A CONSUMER DO IF THEIR CREDIT REFERENCE DATA IS WRONG?
When the credit reference agencies receive personal data, they perform lots of checks on it to try and detect any defects or mistakes. Ultimately, though, the credit reference agencies rely on the suppliers to provide accurate data.
If a consumer thinks that any personal data a credit reference agency holds about them is wrong or incomplete, the consumer has the right to challenge it. The credit reference agency will need to take reasonable steps to check the data, such as asking the organisation that supplied it to check and confirm its accuracy.
If the data turns out to be wrong, the credit reference agency will update its records accordingly. If the credit reference agency still believes that the data is correct after completing their checks, they will continue to hold and use it. Where the data is part of the consumer’s credit report, they can ask the credit reference agency to add a supplementary statement of up to 200 words explaining their views about the information. This statement will be supplied to organisations who subsequently access the information that the consumer has disputed.
To do this, consumers should contact the relevant credit reference agency using the contact details in section 1 above.
11. CAN A CONSUMER OBJECT TO THE USE OF THEIR CREDIT REFERENCE DATA AND HAVE IT DELETED?
This section helps consumers understand how to exercise their data protection rights to object to credit reference data being used by the credit reference agencies and how to ask for it to be deleted. To understand these rights and how they apply to the processing of credit reference data, it is important to know that the credit reference agencies hold and process personal information in credit reference data under the “legitimate interests” basis for processing (see section 3 above for more information about this), and do not rely on consent.
Consumers have the right to object to the processing of credit reference data by a credit reference agency. This can be done by contacting the relevant credit reference agency using the contact details in section 1 above.
Although consumers have complete freedom to contact a credit reference agency with objections at any time, under data protection law, a consumer’s right to object does not automatically lead to a requirement for processing to stop, or for personal data to be deleted.
Because of the importance of the credit referencing industry to the UK’s financial system, and the important purposes for which the credit reference data is needed (such as supporting responsible lending, and preventing over-indebtedness, fraud and money laundering) it will be rare that the credit reference agencies do not have compelling, overriding grounds to carry on using the personal data following an objection. In many cases, it will not be appropriate for the credit reference agencies to restrict or to stop processing or delete credit reference data, for example, where the result would be to hide a poor credit history that could enable a person or organisation to get credit they otherwise would not be eligible for.
However, as an exception from the general rule described above, all consumers have an absolute right to object to their personal data being used for direct marketing purposes. If you object to a credit reference agency using your personal data for those purposes, you can get them to stop by contacting them using the details in section 1.
12. CAN A CONSUMER RESTRICT WHAT THE CREDIT REFERENCE AGENCIES DO WITH THEIR CREDIT REFERENCE DATA?
In some circumstances, consumers can ask credit reference agencies to restrict how they use their credit reference data. Contact details for each credit reference agency are in section 1 above.
This is not an absolute right and processing will only be restricted if certain conditions are met (for example, if the processing is unlawful or the personal data is no longer required by the credit reference agencies for the purposes for which it was obtained).
Even where a restriction condition is met, a consumer’s personal data may still be processed (and shared) by the credit reference agencies where certain grounds exist. These are:
- with the consumer’s consent
- for the establishment, exercise, or defence of legal claims
- for the protection of the rights of another natural or legal person
- for reasons of important public interest
The credit reference agencies will consider and respond to requests they receive, and will assess whether any of the restriction conditions apply and, if they do, whether there are any grounds that permit the continued processing of the personal data.
Given the importance of complete and accurate credit reference data, for purposes including for example for responsible lending and preventing over-indebtedness, fraud and money laundering, it will usually be appropriate for the credit reference agencies to continue processing credit reference data on the basis of protecting the rights of another natural or legal person or for reasons of important public interest.
13. WHO CAN I COMPLAIN TO IF I’M UNHAPPY ABOUT THE USE OF MY PERSONAL DATA?
Each credit reference agency tries to ensure they deliver the best customer service levels but if you’re not happy you should contact them so they can investigate your concerns.
Credit reference agency | Contact details |
---|---|
Equifax | Post: Equifax Limited, PO Box 10036, Leicester LE3 4FS Email: complaints@equifax.com Phone: 0333 321 4043 or 0800 014 2955 |
Experian | Post: Experian, PO BOX 8000, Nottingham, NG80 7WP Email: complaints@uk.experian.com Phone: 0344 481 0800 or 0800 013 8888 |
TransUnion | Post: TransUnion, One Park Lane, Leeds, West Yorkshire LS3 1EP Email: customer.relations@transunion.co.uk Phone: 0330 024 7574 |
Each credit reference agency also has a data protection officer who can be contacted about matters relating to the protection of personal data at the relevant credit reference agency. The contact details for each credit reference agency’s data protection officer are:
The Information Commissioner’s Office
If a consumer is not satisfied with how a credit reference agency has investigated a complaint, the consumer can refer their concerns to the Information Commissioner’s Office which is the body that regulates the handling of personal data in the UK. The contact details are:
- Phone: 0303 123 1113
- Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow SK9 5AF
- Website: https://www.ico.org.uk
The Financial Ombudsman Service
Where the complaint relates to an activity which is regulated by the Financial Conduct Authority (such as credit reporting and affordability checks), consumers also have the right to refer the matter to the Financial Ombudsman Service (Ombudsman) for free. The Ombudsman is an independent public body that aims to resolve disputes between consumers and businesses like credit reference agencies. The contact details are:
- Phone: 0300 123 9 123 (or, from outside the UK, +44 20 7964 1000)
- Email: complaint.info@financial-ombudsman.org.uk
- Post: Financial Ombudsman Service, Exchange Tower London E14 9SR
- Website: https://www.financial-ombudsman.org.uk
14. WHERE CAN CONSUMERS FIND OUT MORE?
The work credit reference agencies do is very complex, and this document is intended to provide only a concise overview of the key points. More information about each credit reference agency and what it does with personal data is available at the following locations:
- Equifax: https://www.equifax.co.uk/privacy-hub/ein
- Experian: https://www.experian.co.uk
- TransUnion: https://www.transunion.co.uk/privacy
The Information Commissioner’s Office also publishes advice and information for consumers in its Credit Explained leaflet, available at https://ico.org.uk/media/for-thepublic/documents/1282/credit-explained-dp-guidance.pdf.