
View Full Version : ICO View on S10 DPA 1998 and CCA 1974 - i think worth a read!!!!


Yaff
10-08-2007, 04:08 PM
I have complained to the Information Commissioners Office regarding various creditors that have admitted they do not hold credit agreements which resulted in myself sending a section 10 request under the Data Protection Act 1998 to cease processing my data as it was inaccurate and furthermore not had my permission to process it in the first place, this is the Information Commissioners Office's response (with the boring bits left out):-


CCA 1974, request for credit agreement.
It may be helpful to explain that sections 77 and 78 of the CCA state that a creditor must give a Consumer a copy of their executed agreement within 12 working days of receiving a request in writing and the appropriate fee. Regulation 3(2) of the CNCD Regulations allows the following to be omitted from any copy:

a) Information in the original which relates to the debtor, hirer or surety or is included for the use of the creditor or owner only and which is not required to be included in the original agreement by the Act or by any regulations as to form and content. Therefore it is not necessary for the copy to reproduce, for example, details of the business or occupation of the debtor, the name and address of the employer or bank details of his income etc,

b) Any signature box, signature or date of signature.

Therefore there is no requirement for an organisation to send you a copy of the original agreement. They may simply send you a copy of the Terms and Conditions of the agreement.

Although I appreciate that you do appear to be disputing the existence of these debts, it may be helpful to explain that the failure of a creditor to produce a copy of the signed credit agreement is not, on its own, evidence that the debt does not exist and should therefore not appear on your credit file. If the credit grantor can supply some other evidence of the agreement and you have no evidence to contradict this then it is likely to be proper for the debt to continue to be recorded on your credit reference file.


Section 10 notice and consent to share your information

You have complained that the companies are passing information to the credit reference agencies. Your argument is based on the assumption that the credit reference agencies need consent to process account information.
This is not the case.

As you may be aware the first data protection principle states that

"Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless:

At least one of the conditions in Schedule 2 is met: and
in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met"
One of the conditions for processing in Schedule 2 is that the individual has given his consent to the processing. It is our view that consent is not easy to achieve and that organisations should consider other conditions for processing before looking at consent. No one condition carries greater weight than any other. All the conditions provide an equally valid basis for processing. Merely because consent is the first condition to appear in both Schedules 2 and 3 does not mean that organisations should consider it first.

Consent is not defined in the Act and so it is helpful to look back at Directive 95/46/EC which defines "the data subjects consent" as:

"....any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed"

In the context of applying for credit, consent to share information with the credit reference agencies cannot be freely given. This is because if you don't agree to your data being shared then your application will simply be rejected. In other words you have no choice.

It is our view that the condition for processing below covers the sharing of account data with the credit reference agencies for the duration of a contract and six years beyond.

"The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case because of prejudice to the rights and freedoms or legitimate interests of the data subject"

We take a wide view of the legitimate interests and we consider that it is in the interests of other creditors to make informed lending decisions. It is important to note here that the fact that the processing may be seen by some to prejudice a particular individual (for example, someone with an adverse entry on his credit reference file may not be able to obtain credit facilities) does not necessarily render the whole processing operation prejudicial to all individuals.

The Act does not prescribe the period for which information is retained by credit reference agencies. However we understand that the Crowther Report on Consumer Credit 1971 expressed support for the view that a statutory time limit should be considered and suggested a period of six years should be adopted. At the time this was already the practice common to some of the major credit reference agencies. The Younger Committee on Privacy considered that as the prevailing practices of the agencies were coordinated, there was no immediate necessity for statutory recommendations to be made but prepared the ground for the Data Protection Act 1984 by recommending that periods should be specified beyond which the information should not be retained.

Finally I hope the above information helps to clarify why we do not intend to undertake any further action in this instance. Your cases will now be closed.

Well that is a bit long winded but in the short of it all....'No credit agreement, tough, they still have a right to process your data'

Nearly all of my creditors have failed to produce agreements, so therefore in my eyes not having permission to process my data but the Information Commissioners Office clearly feels differently.

I am sad to say I will NOT be contacting the Information Commissioners Office again as it seems clear they are a huge waste of time.

Thoughts.......

happyhour
10-08-2007, 04:38 PM
yeh, lots of thoughts - all unprintable.

All these laws and quasi governmental agencies that are there to purportedly protect the consumer are just a complete & utter waste of time & tax payers money.

So, according to the CCA, you are entitled to request a copy of the original executed agreement, but according to the ICO, they don't have to supply one. Brilliant:rolleyes: Crystal clear isn't it?

I shall await my reply from the ICO with non-bated breath then.

InKogneeToh
10-08-2007, 04:55 PM
Therefore there is no requirement for an organisation to send you a copy of the original agreement. They may simply send you a copy of the Terms and Conditions of the agreement. This is not what the DTI say! They state that it is a breach of the CCA and regulations to just send the T&Cs!

Although I appreciate that you do appear to be disputing the existence of these debts, it may be helpful to explain that the failure of a creditor to produce a copy of the signed credit agreement is not, on its own, evidence that the debt does not exist and should therefore not appear on your credit file. If the credit grantor can supply some other evidence of the agreement and you have no evidence to contradict this then it is likely to be proper for the debt to continue to be recorded on your credit reference file. Yes, the debt does still exist and its 'existence' can remain recorded with the CRAs, BUT entries such as late payment and default markers would be inaccurate since without a copy of the original agreement the debt is unenforceable and therefore the debtor has no legal obligation to pay - so cannot possibly be late or default on a 'non-obligation'!


Section 10 notice and consent to share your information

You have complained that the companies are passing information to the credit reference agencies. Your argument is based on the assumption that the credit reference agencies need consent to process account information.
This is not the case.

As you may be aware the first data protection principle states that

"Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless:

At least one of the conditions in Schedule 2 is met: and
in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met"
One of the conditions for processing in Schedule 2 is that the individual has given his consent to the processing. It is our view that consent is not easy to achieve and that organisations should consider other conditions for processing before looking at consent. No one condition carries greater weight than any other. All the conditions provide an equally valid basis for processing. Merely because consent is the first condition to appear in both Schedules 2 and 3 does not mean that organisations should consider it first.

Consent is not defined in the Act and so it is helpful to look back at Directive 95/46/EC which defines "the data subjects consent" as:

"....any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed"

In the context of applying for credit, consent to share information with the credit reference agencies cannot be freely given. This is because if you don't agree to your data being shared then your application will simply be rejected. In other words you have no choice.

It is our view that the condition for processing below covers the sharing of account data with the credit reference agencies for the duration of a contract and six years beyond.

"The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case because of prejudice to the rights and freedoms or legitimate interests of the data subject" Again, this would only be applicable to a record of the account's existence, not with regard to the processing of adverse data where no agreement exists that can be enforced. IMO the recording of adverse data on a debt that the debtor has no legal obligation to repay would be prejudicial to the 'rights, freedoms and legitimate interests of the data subject'.

We take a wide view of the legitimate interests and we consider that it is in the interests of other creditors to make informed lending decisions. It is important to note here that the fact that the processing may be seen by some to prejudice a particular individual (for example, someone with an adverse entry on his credit reference file may not be able to obtain credit facilities) does not necessarily render the whole processing operation prejudicial to all individuals.

The Act does not prescribe the period for which information is retained by credit reference agencies. However we understand that the Crowther Report on Consumer Credit 1971 expressed support for the view that a statutory time limit should be considered and suggested a period of six years should be adopted. At the time this was already the practice common to some of the major credit reference agencies. The Younger Committee on Privacy considered that as the prevailing practices of the agencies were coordinated, there was no immediate necessity for statutory recommendations to be made but prepared the ground for the Data Protection Act 1984 by recommending that periods should be specified beyond which the information should not be retained.

Finally I hope the above information helps to clarify why we do not intend to undertake any further action in this instance. Your cases will now be closed.



What a load of twaddle - completely at odds with our rights under the CCA and contradictory to the information already received from the likes of the DTI! :mad:

The ICO clearly do not know enough about consumer legislation and their response should have, at the very least, made it clear that this is not their area of expertise and that you should seek advice from the regulatory bodies who DO know!!

Yaff
10-08-2007, 04:56 PM
First they say what can be left out, signatures etc then in the next breath they say it does even have to be an agreement, terms and conditions will suffice!

I'm beginning to think they are in favour of the creditors.

I have to note ICO are aware that my creditors have not just passed the 12 days but committed ******** offences....yet they happen to skip over that bit!

Perseus
10-08-2007, 04:57 PM
I have complained to the Information Commissioners Office regarding various creditors that have admitted they do not hold credit agreements which resulted in myself sending a section 10 request under the Data Protection Act 1998 to cease processing my data as it was inaccurate and furthermore not had my permission to process it in the first place, this is the Information Commissioners Office's response (with the boring bits left out):-


CCA 1974, request for credit agreement.
It may be helpful to explain that sections 77 and 78 of the CCA state that a creditor must give a Consumer a copy of their executed agreement within 12 working days of receiving a request in writing and the appropriate fee. Regulation 3(2) of the CNCD Regulations allows the following to be omitted from any copy:

a) Information in the original which relates to the debtor, hirer or surety or is included for the use of the creditor or owner only and which is not required to be included in the original agreement by the Act or by any regulations as to form and content. Therefore it is not necessary for the copy to reproduce, for example, details of the business or occupation of the debtor, the name and address of the employer or bank details of his income etc,
This is agreed, but only when asking for just 'a copy' which can be a document comprised of the relevant agreement information. This is not the case if you are specifically requesting a True Copy of the Original Signed Executed Agreement. Either way, the interpretation of the OFT of these s77/78/79 requests, state that any copy must be a true copy. To omit this information by 'reproduction' is tantamount to reconstructive conjecture, unless they copy, scribble out these details then photocopy that again!
b) Any signature box, signature or date of signature. Agreed

Therefore there is no requirement for an organisation to send you a copy of the original agreement. They may simply send you a copy of the Terms and Conditions of the agreement. Absolutely wrong - this totally contravenes the s77 4 a & b, s78 6 a&b and s79 3 a&b
If the owner under an agreement fails to comply with subsection (1)

(a) he is not entitled, while the default continues, to enforce the agreement; and

(b) if the default continues for one month he commits an offence.

Although I appreciate that you do appear to be disputing the existence of these debts, it may be helpful to explain that the failure of a creditor to produce a copy of the signed credit agreement is not, on its own, evidence that the debt does not exist (the inference here is that the debtor is trying to avoid liability, rather than prove that the debt is unenforceable!) and should therefore not appear on your credit file. If the credit grantor can supply some other evidence of the agreement and you have no evidence to contradict this then it is likely to be proper for the debt to continue to be recorded on your credit reference file. Other than the fact that an unenforceable agreement (declared so by the creditor ie - we have no agreement, you have no liability) or in a court, thereby ruling as void - there is no agreed disclosure rights?


Section 10 notice and consent to share your information

You have complained that the companies are passing information to the credit reference agencies. Your argument is based on the assumption that the credit reference agencies need consent to process account information.
This is not the case. It is expressly sought on application for credit, of course it must be consented to otherwise every creditor would be in breach of DPA principles.

As you may be aware the first data protection principle states that

"Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless:

At least one of the conditions in Schedule 2 is met: and
in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met"
One of the conditions for processing in Schedule 2 is that the individual has given his consent to the processing. It is our view that consent is not easy to achieve and that organisations should consider other conditions for processing before looking at consent. No one condition carries greater weight than any other. All the conditions provide an equally valid basis for processing. Merely because consent is the first condition to appear in both Schedules 2 and 3 does not mean that organisations should consider it first. But if it is not expressly given, then every Data Controller is breaching DPA principles... There's a pattern emerging here...

Consent is not defined in the Act and so it is helpful to look back at Directive 95/46/EC which defines "the data subjects consent" as:

"....any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed" ie, signing the box declaring to be bound by the terms of an executed agreement, and the content specific to disclosure and agreement of consent is part of that agreement!

In the context of applying for credit, consent to share information with the credit reference agencies cannot be freely given. This is because if you don't agree to your data being shared then your application will simply be rejected. In other words you have no choice.

It is our view that the condition for processing below covers the sharing of account data with the credit reference agencies for the duration of a contract and six years beyond. On the production of a signed agreement (executed)

"The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case because of prejudice to the rights and freedoms or legitimate interests of the data subject" ie processing without express permission

We take a wide view of the legitimate interests and we consider that it is in the interests of other creditors to make informed lending decisions. Agreed. It is important to note here that the fact that the processing may be seen by some to prejudice a particular individual (for example, someone with an adverse entry on his credit reference file may not be able to obtain credit facilities) does not necessarily render the whole processing operation prejudicial to all individuals. Unless consent is not given, or formed as part of an executed agreement (deja vu)
as per section 174 (1) of the CCA 1974.

The Act does not prescribe the period for which information is retained by credit reference agencies. However we understand that the Crowther Report on Consumer Credit 1971 expressed support for the view that a statutory time limit should be considered and suggested a period of six years should be adopted. At the time this was already the practice common to some of the major credit reference agencies. The Younger Committee on Privacy considered that as the prevailing practices of the agencies were coordinated, there was no immediate necessity for statutory recommendations to be made but prepared the ground for the Data Protection Act 1984 by recommending that periods should be specified beyond which the information should not be retained.
6 years is industry standard, not written that it should be - just that it should not be more than!

Finally I hope the above information helps to clarify why we do not intend to undertake any further action in this instance. Your cases will now be closed. Unless you write back and argue!

Well that is a bit long winded but in the short of it all....'No credit agreement, tough, they still have a right to process your data'

Nearly all of my creditors have failed to produce agreements, so therefore in my eyes not having permission to process my data but the Information Commissioners Office clearly feels differently.

I am sad to say I will NOT be contacting the Information Commissioners Office again as it seems clear they are a huge waste of time.

Thoughts.......
What a load of bunkum....
In my opinion of course.
My learned colleagues I'm sure will have comments or views, and Ink may also come up with some detailed info which disproves some of my comments.
I would write back to whomever wrote this letter, and IMO advise where there are shortcomings...

Perseus
10-08-2007, 04:58 PM
Took so long replying the last post, everyone posted a reply too - sorry!

Perseus
10-08-2007, 04:59 PM
So how do they view a s7 DPA request to include a true copy of the original???? is that allowed to be conjectured too?

Yaff
10-08-2007, 05:05 PM
What a load of bunkum....
In my opinion of course.
My learned colleagues I'm sure will have comments or views, and Ink may also come up with some detailed info which disproves some of my comments.
I would write back to whomever wrote this letter, and IMO advise where there are shortcomings...

Even though my cases have been closed :mad: it is my intention to respond to this letter. I wonder what kind of response I would get if I forwarded a copy of this to the DTI and the OFT....will they contradict their own rules and agree with ICO, will be interesting to find out

InKogneeToh
10-08-2007, 05:26 PM
My learned colleagues I'm sure will have comments or views, and Ink may also come up with some detailed info which disproves some of my comments.

Who, me?? :rolleyes::rolleyes::D

Actually.......now you mention it.........

I think what the ICO are saying here is that consent is NOT required under the DPA if the processing is being done pursuant to the 'legitimate interests' of the data processor.

However, where no copy of the credit agreement exists and hence where the debt (although still existing) is therefore not enforceable, then IMO the only processing that would be legitimate is a record showing that an account was opened. Any adverse data such as late payments/defaults etc could not be in the 'legitimate interests' of the creditor and certainly NOT in the interests of the debtor as it is impossible to be late or default on a debt you have no legal obligation to pay!

If a debtor was then concerned the CRA file showed an account with no settlement data against it then I think they would be perfectly within their rights to have a notice of correction added to the file to state that the reason for the lack of payment history is because the CCA says they don't have to pay!!:D:D:D

The Terminator
10-08-2007, 06:00 PM
I've just read the whole thread and agree fully with all the posts. To be honest I don't think the ICO have a clue about how the DPA works.

Regards

Term

zubo
10-08-2007, 06:22 PM
I am of the opinion that if an appointed quango cannot apply the law in accordance with the law but conjectures opinion which is not based on law but based on committee discussions or industry norms then that quango itself needs to be brought to book.

At least OFT have an interest and are trying, but ICO... I think I am going to register a complaint with my MP and ask that these morons be removed from high office which they simply do not deserve to hold.

Legal action maybe to force them to apply the law correctly. It is no good stating that consent is just one of the factors considered, I myself and anything related to me in accordance with the Spirit of the drafters of the Act am afforded principled rights - PRINCIPLED - that means my rights about information recorded about me is much much much more important than whether a DCA's legitimate business interests are best served especially in the absence of that all important thing that it all hinges on - the PROOF, show me the proof that you have my consent - do NOT conjecture that I had to give consent. The evidence of a fully executed agreement in law is the only way to show consent.

Therefore I would ask whoever wrote that nonsense to either retract it or to suffer the consequences: PROSECUTE THE ICO.

Z

Yaff
10-08-2007, 07:18 PM
The person that wrote the letter is a Casework and Advice Officer. Maybe a letter highlighting the incorrect advice, replaced by the legally correct version should be sent higher up the ICO. And I am not going to spare this writer's blushes...fed up with people getting off lightly!

happyhour
10-08-2007, 08:07 PM
Absolutely - I think we are all getting more than fed up with referring these issues to the agencies who oversee them - only to find they haven't a clue what they're talking about - it beggars belief.

Yaff
10-08-2007, 08:09 PM
Right will get drafting.....

Tamadus
10-08-2007, 10:16 PM
I think we now need to add to our list of aims, bringing these quangos into line as well, and making them do their jobs properly.

FANTASY CHARGES
10-08-2007, 10:34 PM
http://www.parliament.uk/documents/upload/HLLConsumerBill.pdf

3.4 Sharing of Information between Creditors
At Report Stage, Norman Lamb, speaking for the Liberal Democrats, moved New
Clause 1. The new clause aimed to allow the sharing of data between consumer credit
companies in relation to the financial standing and credit history of an applicant who
had applied for credit. It would oblige the lender to inform the borrower that such
information was to be disclosed and would give the borrower 28 days in which to
object. Sub-clause 4 of the new clause listed the purposes for which shared data
would be used. These included: the vetting of credit applications; the identification of
an applicant; the management of credit accounts (including debt tracing and
recovery); the prevention and detection of possible fraud and the statistical analysis of
credit risk assessment where anonymity would be assured. Mr Lamb set out the
intentions that lay behind the new clause:
In a sense, it goes without saying that the best decisions about whether to lend
are made when both parties - the lender and the borrower - have access to full
information on which to base a judgment about whether it is appropriate to
lend and about the amount to lend in the circumstances. However, at the
moment, all too often, only the borrower has access to the full information.
For many reasons, borrowers may be in denial about their capacity to service a
loan or the amount borrowed on a credit card. We must therefore find a way
of ensuring that both parties have access to the full information to make
objective and wise decisions based on the principle of responsible lending.
(HC Hansard, 14th July 2005, col. 981)
He then moved on to set out some of the specific problems that the new clause would
address. Firstly, it would allow the sharing of data in the absence of a default on
repayment. The absence of a default, he suggested, could lead to information not
being shared and hence the accumulation of unsustainable debt. Secondly, it would
deal with the problem of accounts and credit agreements that pre-dated the conditions
required by the Data Protection Act 1998:
The Data Protection Act 1998 requires lenders to notify individuals that their
data will be shared and the purpose for which they will be used. That
legislation led in due course to the industry including standard clauses in the application process to ensure the consent and knowledge on the part of the consumer for any new agreement after data protection legislation came into
force. There is no problem for new agreements; consumers have given their
consent. However, there is no provision for any account opened or agreement made before the introduction of the standard clauses in contracts.
(ibid. col. 982)
Mr Lamb believed this was a problem because existing arrangements meant that lenders had to contact the holders of older accounts and agreements to obtain consent to data sharing. The new clause would address this problem because the onus would
be placed upon the borrower to refuse such data sharing. He then looked at possible
conflicts between his clause and the Data Protection Act 1998:

FANTASY CHARGES
10-08-2007, 10:41 PM
now this also explains why some accounts don't appear on your credit rating

called there is a field called "started" meaning the date the account was opened on the cras
if they don't know the date .... they cannot log it ??

and I reckon accounts prior to the data protection act 1998 coming into force which I believe was in 2000 should not be listed ??

as mr lamb says

InKogneeToh
10-08-2007, 11:02 PM
I don't think this refers to the recording on CRA files of your account details specifically. It is about the relatively new proposals to share what is called 'white data'. This is information about any credit dealings you may have and includes good info. as well as adverse info. Previously, when a creditor has done a search on your credit files, only the adverse data such as defaults and CCJs has been available to them. With the new proposals, creditors and potential creditors will be able to share amongst themselves ALL of your credit information!

Yaff
13-08-2007, 09:45 AM
Draft deleted.....

Yaff
04-09-2007, 03:38 PM
This is some bits I have put together, it is not in letter format just yet...might need some help with that:-

Thank you for your letter dated ***** the contents which have been noted. The information you gave me does not clarify as to why you do not intend on taking this matter further.

You quite correctly state that under sections 77 and 78 of the CCA a creditor must give a consumer a copy of their Executed Agreement within 12 working days of receiving a request in writing and the appropriate fee, you also highlight what can be omitted from the agreement. I.e. Signatures and details of the business or occupation of the debtor, the name and address of the employer or bank details of his income etc. This DOES NOT include personal address details of the debtor and all the prescribed terms of the agreement, so your assumption that just terms and conditions will suffice is in fact incorrect and contradicts your first two lines of this paragraph as an Executed Agreement are not Terms and Conditions they are a completely separate entity. The Department of Trade and Industry state that for a creditor to send just terms and conditions in place of a properly executed agreement is a breach of the CCA. You also fail to mention that after the prescribed period has passed, meaning the 12 + 30 days, a creditor has committed a ******** offence if they do not produce the documentation. Are you or the ICO condoning ******** activity?

The Judges of our country are able to understand the wording of the CCA 1974 and they state quite unambiguously that no original agreement = no enforceable debt. Failure of a creditor to produce a signed copy of the executed agreement you say is not evidence on its own to prove that the debt does not exist, so please explain to me how can you be in breach of something that does not exist. I.e. the credit agreement. If there is no agreed schedule of payments, how can they default for not keeping to the agreed payments? A credit reference agency will normally place a mark on your file which, if you are in default of the credit agreement that says "you have failed to keep to the agreement and have missed payments" or words to that effect. Well how can you be in default of an agreement which doesn’t exist? I understand that the Office of Fair Trading had issued guidance to the Information Commissioners Office on this issue where a signed agreement doesn’t exist the creditor should not be allowed to add default marks on the debtors credit file. What other evidence can the creditor supply that proves the agreement existed? Only the original agreement contains the debtor’s signature and this is the only agreement that exists.

With regards to the processing of data you go on to say that it is not the case that the credit reference agencies need consent to process data and the first data protection principle states that

"Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless:
• At least one of the conditions in Schedule 2 is met; and
• in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met"

I have to disagree because even if all the conditions of Schedule 2 were met, there should be no processing of data since the First Principle has not been met: "Personal data shall be processed fairly and lawfully". For the processing to be lawful, it has to conform with your legitimate expectations. I.e., when you signed the application did you appreciate that the lender could continue to process your data EVEN AFTER admitting that they could not locate your agreement. I am sure that most people would be unaware of that and it is certainly not spelled out on any agreements I have seen. Therefore you did not expect this outcome so it exceeded your legitimate expectations. And therefore grounds for declaring that the processing is unfair.

In respect of the Information Commissioner's position regarding what constitutes fair and lawful processing and a creditor's right to continue processing even in the absence of a credit agreement, the following info might be useful:

A data controller under the 1st principle must ensure that certain information is made "readily available" to a data subject, when the data controller first obtains data. The commonest method used by creditors to comply with this requirement is the "fair collection notice" which invariably appears in an agreement which a debtor signs. The information that is required to appear in this notice is:

1. The identity of the data controller
2. The purpose or purposes for which the data are intended to be processed
3. Any other information that is necessary to enable the particular processing to be fair.

If a data subject hasn't been provided with the above, which as I say, will almost certainly appear in an agreement (otherwise how could a creditor prove you've received such a notice?) the creditor will be in direct breach of the 1st principle. So, if an agreement has not been furnished, you cannot be said to have been in receipt of the notice, and it would be for the creditor to prove otherwise!

I am unconvinced at the Information Commissioner's stance, particularly in light of this very important requirement of the Act (often referred to as an Article 10 Notice-under the Directive). Given that the fundamental premise of the Data Protection Act 1998, is an individual's right to privacy, the obligations placed on a creditor in terms of compliance with the various provisions of the Act are strict. It would not be sufficient for a creditor to say for example, that the fair collection notice was sent by 1st class post to the debtor, which is undoubtedly why it's incorporated into the credit agreement, so that they have a signed acknowledgment from the debtor to prove that they have brought the fair collection notice to a person's attention and to cover the issue of consent. As a further argument which is actionable, such unlawful processing is in breach of Article 8 of the Human Rights Act.

An action could also be brought against creditors for breach of confidence under the common law, particularly in view of their fondness of passing confidential information (unlawfully) to 3rd parties, namely the debt collection agencies and the credit reference agencies.
I am more than aware that the Information Commissioner does not exist to "only administer complaints under the Data Protection Act 1998", nor is their function to merely offer an "opinion" on the application of the Act. The Information Commissioner is a regulatory body which possesses a fundamentally important role conferred by the Act itself, which certainly is by no means insignificant and cannot be minimised to that of offering "opinions," they have a clearly defined legislative role. Whether they exercise that function in accordance with the Act, or to the best of their ability, is another argument entirely!

Their remit is by no means as limited, and yes they do have a responsibility to be au fait with how the Data Protection Act 1998 impacts on other areas of law, if that wasn't the case, they wouldn't be offering opinions, albeit misinformed opinions on the application of the Act in respect of credit agreements!
The purpose of informing people about Article 8 of the Human Rights Act and the issue of breach of confidence, is to give individuals all the armoury they need to pursue a case through the Courts, which most people realise will be necessary to get justice in respect of s10.

You state it is the view of the ICO that the condition for processing below covers the sharing of account data with the credit reference agencies for the duration of a contract and six years beyond:-

"The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case because of prejudice to the rights and freedoms or legitimate interests of the data subject"

Now this would only be applicable to a record of the account's existence, not with regard to the processing of adverse data where no agreement exists that can be enforced. The recording of adverse data on a debt that the debtor has no legal obligation to repay would be prejudicial to the 'rights, freedoms and legitimate interests of the data subject'.

I do hope you can answer my questions with the precision it deserves, I find it quite worrying that a governing body can hand out advice which is so clearly incorrect and contradicts the DTI and OFT.

sparkie1723
05-09-2007, 06:05 PM
I also agree with all posts and especially The Terminator.

The ICO has not got a clue about how the Act is supposed to work.

There is one thing though CRA's do have a right to process data that is what they are there for BUT and this is the big but ....as I have said before if it is incorrect then they are as much to blame as the supplier of that info.

Also the ICO may consider that consent is not required....BUT the contract that Banks etc have with the CRA's states clearly that to access the CRA systems they must have the data subject's consent. This is from a letter I received from Equifax during my complaint to them.

sparkie


Consent
Each Equifax client is required to sign a contract prior to gaining access to our system. This contract stipulates that the client in question must seek consent, from the individual concerned, prior to completing a search. Equifax works closely with our clients to ensure that they fully understand this requirement which is specified under the current Data Protection Act.
It is the responsibility of the client in question to ensure that this consent is sought and that appropriate records are maintained to substantiate each search completed with Equifax.
Searches also mean "obtaining information" and "obtaining" under the DPA now means "processing of data".

Even Equifax say that under the DPA consent must be obtained and given, that's the way they interpret the act. The ICO has its own interpretation and just because the ICO say one thing doesn't mean they are right....not in my book

TANZARELLI
05-09-2007, 08:40 PM
I think we now need to add to our list of aims, bringing these quangos into line as well, and making them do their jobs properly.

Couldn't agree more with this Tam, they obviously have had some very weak training by some overpaid consultant who doesn't know an agreement from a piece of bog roll.

Muppets.

tifonet
11-09-2007, 12:50 PM
I've had the same reply after my complaint about Lowell and their 5 defaults.

ICO say it's OK now since Lowell have updated the records and taken off the 4 extra defaults they maintained for 3 years but which they never had any permission to do so and would never have got any even if they tried.

ICO agree that the fourth data protection principle has been breached and Lowell have accepted their mistake and the ICO also state other breaches of the Act.

Then they say that they have 'no power' to punish data controllers for breaches of the Act. As a regulator, I thought they had some 'power'?

So I've asked them why the Act has any references to breaches and compensation when they say nothing can be done after any company blatantly breaks the law?