A two-year investigation by the ICO ended in the Credit Reference Agency (CRA) Experian Limited being ordered to make fundamental changes to the way it handles personal data for direct marketing purposes.
The investigation included two other CRAs, Equifax and TransUnion, and looked into their data broking processes. All three CRAs made improvements to their direct marketing services. However, Equifax and TransUnion withdrew some products and services, and therefore no further action was taken by the ICO.
It found that all three agencies were trading, enriching and enhancing individuals’ personal data without their knowledge. The CRAs used this data in products, usually for commercial organisations, political parties and charities, to find new customers. These organisations could therefore identify people who could afford goods and services and then build profiles about them. This is known as ‘invisible’ processing because the individual is not aware that their data is being collected and used. This breaches data protection law.
Each CRA failed to be transparent, and personal data that was provided for statutory credit reference functions was used for marketing purposes. Profiling was also being used to generate new or previously unknown information.
The ICO believe that millions of adults in the UK could have been affected.
Elizabeth Denham, Information Commissioner, said (1):
“The data broking sector is a complex ecosystem where information appears to be traded widely, without consideration for transparency, giving millions of adults in the UK little or no choice or control over their personal data. The lack of transparency and lack of lawful bases combined with the intrusive nature of the profiling has resulted in a serious breach of individuals’ information rights.”
Experian did make some changes but did not accept all of the changes it was required to make. It was not prepared to issue privacy information directly to individuals or to stop using credit reference data for direct marketing purposes. The ICO therefore issued an enforcement notice, which required Experian to make the changes within nine months or risk further action, which could potentially be a £20m fine or 4% of its annual turnover. The enforcement notice ensured that Experian now informs people of how it holds and uses their data and stops using marketing lists to screen prospective customers based on their financial status.
The ICO’s work in this area continues, for both engagement and educational purposes.
(1) Reference to ICO news article dated 29 October 2020 https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/
See Article 5 of the GDPR for further guidance.