Credit reference agency Experian has been ordered by the UK’s top privacy watchdog to improve how it handles people’s personal data.
The Information Commissioner’s Office (ICO) issued the enforcement notice following a two-year investigation that looked into how Experian, Equifax and TransUnion used personal data within their data broking businesses for direct marketing purposes.
A complaint from the campaign group Privacy International to the ICO also raised concerns about the data broking industry, specifically Equifax and Experian.
The ICO found that the three credit reference agencies (CRAs) were trading, enriching and enhancing people’s personal data without their knowledge. This processing resulted in products which were used by commercial organisations, political parties or charities to find new customers, identify the people most likely to be able to afford goods and services, and build profiles about people.
The ICO published the investigation findings in a report into data protection compliance in the direct marketing data broking sector.
Although the CRAs varied widely in size and practice, the ICO found significant data protection failures at each company. As well as the failure to be transparent, the regulator found that personal data provided to each CRA, in order for them to provide their statutory credit referencing function, was being used in limited ways for marketing purposes.
The ICO noted that although Experian made progress in improving compliance, it did not go far enough. Experian did not accept that they were required to make the changes set out by the ICO, and as such were not prepared to issue privacy information directly to individuals nor cease the use of credit reference data for direct marketing purposes.
Now Experian has been ordered to make the changes within the next nine months or face further action.
“Our investigation uncovered data protection failings that likely affected millions of adults in the UK,” said Elizabeth Denham, the information commissioner. “Our investigation has changed the way credit reference agencies operate their offline direct marketing services. It has found invisible processing, allowing people to better understand how their data is being used, meaning people can exercise their privacy and data protection rights.
“The information the CRAs are privileged to hold for statutory credit reference purposes was unlawfully used by them in their capacity as a data broker, with poor regard for what people might want or expect.
“The data broking sector is a complex ecosystem where information appears to be traded widely, without consideration for transparency, giving millions of adults in the UK little or no choice or control over their personal data. The lack of transparency and lack of lawful bases combined with the intrusive nature of the profiling has resulted in a serious breach of individuals’ information rights.
“The trade in personal data with other organisations has implications beyond the industry. Disrupting the flow of non-compliant personal data will have significant impact not just across the sector but will drive benefits for individuals and organisations wherever this data is used.
“I am encouraged by Equifax and TransUnion’s willingness to change their practices and put people’s legal rights first. Now I expect the data broking sector to make the same commitments.”
Copyright © 2018 RegTech Analyst