Principles
Accuracy
Incorrect Association of an Individual’s Personal Details with Another File
We received a complaint concerning an alleged breach of an individual’s data protection rights by an insurance company.
During our investigation, the insurer (Insurer X) advised us that the complainant had in the past requested a quotation for household insurance from another insurance company (Insurer Y), the undertakings of which had been transferred to Insurer X. Insurer Y had failed to delete the quotation (the complainant had never proceeded to take out a policy) in line with its own data retention policy. In addition, Insurer Y had mistakenly linked the complainant’s personal details on the quotation to an insurance claim file in respect of a claim it had received from a person with an identical name.
When a transfer of Insurer Y’s undertakings to Insurer X was being completed, the insurance claim file which mistakenly included the complainant as the claimant (rather than another individual who had the same name) was transferred to Insurer X. The claim when assessed later turned out to be fraudulent and Insurer X had its solicitors write to the complainant advising that their claim was found to be fraudulent and indicating the follow-up action which Insurer X intended to pursue to protect its interests.
At its centre, this case concerned sloppy handling of personal data. Many people in Ireland have the same name and there was no reason why the complainant’s personal details collected when the complainant obtained a quotation should have been added to an insurance claim file. Sufficient checks and balances should have existed in Insurer Y’s data handling processes. However, the more significant issue that arose for this complainant is that they were unable to ascertain, prior to our involvement, how their details came to be in the possession of Insurer X and how the issue that arose had come about.
A number of contraventions therefore occurred in this case – a breach of the requirement of a reasonable retention period due to holding onto the quotation data longer than necessary and longer than was set out in the company’s own retention policy; unlawful further processing of the personal data by associating it with a claim file; and failure to respond in a clear and timely manner to the complainant to explain how their data had been sourced and how it came to be processed in the way that it was. The complainant in this case suffered particularly serious consequences as they incurred significant legal costs in defending the accusation of making a fraudulent claim and the threat by Insurer X of instigating Circuit Court proceedings against them.
Failure to update customer’s address compromises the confidentiality of personal data
This Office received a complaint that Allied Irish Banks (AIB) failed to keep the complainant’s personal data up-to-date over a prolonged period, despite repeated requests by the individual to do so, and that it failed to maintain the security of the individual’s personal information. The complainant informed us that he had repeatedly asked AIB to update his address details but that it had failed to do so. As a result, his correspondence from AIB continued to be sent to a previous address. The complainant alleged that, arising from the failure of AIB to update his address, his correspondence containing his personal data, which was sent to his previous address by AIB, was disclosed to unknown third parties at this previous address.
We commenced an investigation of the matter by writing to AIB, outlining the details of the complaint. AIB confirmed to us that, due to a breakdown in internal processes, the complainant’s correspondence address had not been updated on all its systems in a timely manner, resulting in automated arrears letters continuing to issue to an old address.
In circumstances where AIB had been advised that the complainant had changed address, our investigation was satisfied that its continued sending by post or delivering by hand of correspondence intended for the complainant to the previous address failed to secure the complainant’s personal data against unauthorised access by parties who had access to the letterbox at the previous address.
Efforts to resolve the complaint by means of an amicable resolution were unsuccessful and the complainant sought a formal decision. In her decision, the Commissioner formed the opinion that AIB contravened Section 2(1)(b) of the Data Protection Acts 1988 and 2003 by failing to keep the complainant’s personal data up to date. This contravention occurred when AIB failed to remove the complainant’s previous address from his account despite notification from him to do so. The Commissioner also formed the opinion that AIB contravened Section 2(1)(d) by failing to take appropriate security measures against unauthorised access to the complainant’s personal data by sending correspondence by post and by hand delivery to an address at which he no longer resided, while knowing that this was no longer his residential address.
This case demonstrates the need for all data controllers to ensure that personal data is kept accurate and up-to-date at all times. Failure to do so may result in the disclosure of personal data to unauthorised persons as well as unnecessary distress and worry for data subjects who have updated the data controller with the most accurate information, only to find that the necessary safeguards were not in place to prevent their personal data being compromised by use, as in this case, of a previous address.
Mobile network operator fails to suppress customer marketing preferences
In the Spring of 2009 I received complaints from two customers of a mobile network operator (MNO) about the difficulties they were experiencing when attempting to register their preference to opt out of further direct marketing from their MNO. The difficulties experienced resulted in them receiving further marketing emails, despite indicating to the MNO that they had amended their marketing preferences and opted out. Both individuals informed me that they had made a number of attempts to opt out, including updating their account preferences, and clicking on the unsubscribe link contained in the marketing emails. The first complainant further informed me that he had communicated with the MNO through the ‘contact us’ facility on its website and he subsequently received a telephone call from a representative who confirmed that his details would be removed from all circulation lists. Unfortunately he continued to receive further marketing email.
When my Office contacted the MNO, we were told that in the cases of both complainants, they had provided their email addresses in the context of signing up to its services and neither individual availed of the opportunity given at that time to opt out of email marketing. However, it acknowledged that when both complainants tried to unsubscribe by clicking on a link in the email they received, an error occurred in the server used by the company’s data processor to operate the suppression facility, with the result that the marketing preferences of both individuals were not updated to reflect their preferences. Furthermore, it advised us that due to an administrative error, both complainants’ email addresses were selected as part of a marketing campaign and they received an unsolicited marketing email promoting the company’s newsletter. Regarding the first complainant, the company identified a lag period of up to four weeks between the period that the complainant had the conversation with the call centre representative requesting suppression, and the time that his email address was selected from the system for inclusion in the marketing campaign. The MNO acknowledged that this was unacceptable. However, the company informed us that it had addressed this and had taken steps to ensure that marketing preference changes are recorded and updated in a period of no more than forty eight hours.
As a means of ensuring that issues such as those highlighted in these complaints did not occur again, the company informed us that it was developing an E-learning data protection training programme for all employees which would include a module on the requirements for compiling marketing lists and correctly operating marketing campaigns. In the interim, it would provide updated guidance sessions to its direct marketing personnel. It also assured us that the technical error in the server used by the company’s data processor was a once-off isolated incident and that steps had been taken to mitigate against this occurrence in the future. The company also said that it sincerely regretted that both customers did not receive the high level of customer service that it strives to achieve in the observance of its customers’ marketing preferences and it assured my Office that neither individual would receive any further marketing communications from the company. As a gesture of goodwill for any inconvenience caused to both individuals, the company offered each of them an ex gratia payment of €150 and it extended its apologies to them.
When contacted by my Office, both complainants were happy that the issues raised in their complaints had been dealt with satisfactorily and they accepted the goodwill gesture and apology from the company.
Whilst I am encouraged that my Office has not received any further complaints concerning the marketing operations of that MNO, I was disappointed at the series of flaws in its marketing operations, which placed undue inconvenience on these complainants in attempting to have their marketing preferences recorded and respected. Regulation 13 of SI 535 of 2003 (as amended) is clear on the legal obligations placed on marketers who wish to obtain and use customer contact details for marketing purposes and on the further obligations imposed on marketers to provide opportunities to those customers to object to the use of their contact details for marketing communications. In line with my standard procedures in this area, the MNO was issued with a warning as these incidents constituted its first interaction with my Office in this area and any future matters will therefore be considered for prosecution.
Credit union commits several breaches by failing to update a member’s address record
In March 2008 I received an unusual and complex complaint against Halston Street Credit Union. The Credit Union had sent correspondence for the complainant’s ex-wife to the complainant’s address. After receiving the registered correspondence at his home address, the complainant informed the Credit Union by phone that his ex-wife did not reside at his address, nor indeed had she ever resided at that address. In fact they had been living apart for twenty-two years. Despite this, two further pieces of correspondence from Halston Street Credit Union to his ex-wife arrived at the complainant’s address on separate dates.
My Office wrote to Halston Street Credit Union in early April 2008 informing it that we were commencing an investigation of this complaint. The complainant was anxious to establish what personal data the Credit Union held in relation to him. He was genuinely concerned that the correspondence he was receiving was prompted by fraudulent use of his personal data by a third party. We advised him to submit a request to the Credit Union under section 3 of the Acts. Section 3 of the Acts provides that an individual may submit a request in writing to a data controller to be informed whether the data controller keeps personal data relating to the individual. If the data controller does have such data, section 3 provides that the data subject should be given a description of the data and the purposes for which it is kept. Under the provisions of the Acts a data controller must respond to such a request within twenty one days. The complainant took our advice but unfortunately did not receive a response from Halston Street Credit Union to the section 3 request that he submitted in mid-July 2008.
Halston Street Credit Union failed to reply to my Office’s initial correspondence despite three separate reminders during the period April to July. One of my officials received a very unsatisfactory call from one of the elected members of the Credit Union which did not provide any response to the issues raised. This situation, coupled with the failure by the Credit Union to meet its statutory obligation to respond to the request under section 3 of the Data Protection Acts, led my Office to form the view that the Credit Union had little regard either for the data protection rights of the complainant or for my Office. For these reasons I instructed two of my senior officers, using the powers conferred on them by section 24 of the Data Protection Acts, to enter and inspect the premises of Halston Street Credit Union to obtain information relevant to the investigation of this complaint. In the course of their inspection, my authorised officers found records which confirmed that the complainant had indeed informed Halston Street Credit Union in June 2007, as he had indicated, that his ex-wife did not live at his address. No action had been taken by the Credit Union on foot of this information in terms of updating the address on file and, as a result, the complainant’s address was used on two further occasions by the Credit Union to send letters intended for his ex-wife. My authorised officers also found the section 3 request that the complainant had submitted in July 2008 on the premises. They confirmed that the Credit Union had not taken any action in response to the request.
Subsequent to the inspection by my authorised officers, Halston Street Credit Union confirmed to my Office that a response issued to the complainant’s section 3 request in mid-September 2008. This was over five weeks outside the statutory requirement. My Office was disappointed to discover that the Credit Union had copied its response to the section 3 request to four separate third parties. The complainant was entitled to have his request handled in a confidential manner. It was, to say the least, very disappointing that the Credit Union copied the response to the request to third parties who had no business in relation to it.
Following my Office’s investigation, we found Halston Street Credit Union to be in breach of section 3(b) of the Data Protection Acts for failing to respond to the complainant’s section 3 request within the statutory timeframe of twenty one days. We found that the Credit Union was also in breach of section 2(1)(d) of the Acts for its unauthorised disclosure of the complainant’s personal data to third parties when responding to his section 3 request. The records of Halston Street Credit Union showed that the complainant first contacted it by telephone in June 2007 to inform it that his ex-wife did not live at his address. The Credit Union’s subsequent failure to take action to remove the complainant’s address from its records led it to process the complainant’s personal data on two further occasions, constituting two additional breaches of his data protection rights under section 2A of the Acts. The failure of Halston Street Credit Union to remove the complainant’s address from his ex-wife’s records caused two further breaches. This time the Credit Union breached the data protection rights of the complainant’s ex-wife, because it sent her personal data on two occasions in August 2007 and September 2007 to an address which it knew from June 2007 to be incorrect.
The sequence of events that culminated in my instruction to my authorised officers to use their powers under Section 24 of the Acts to progress the investigation of this complaint demonstrates the dismissive attitude shown by an elected member of Halston Street Credit Union towards my Office. This uncooperative approach by the Halston Street Credit Union was disappointing and unacceptable. Thankfully my staff do not encounter such attitudes every day and, in the event, the staff and manager in the Credit Union were very co-operative to my authorised officers during their visit. Our approach to complaints, as provided under the Acts, is to try to reach an amicable resolution by engaging openly and honestly with the parties concerned. When a data controller fails to cooperate satisfactorily with an investigation conducted by my Office, I will use my legal powers without hesitation, as this case demonstrates. Neither I nor my staff will be deterred from taking the actions that we consider necessary.
As I reflect on this regrettable and time-consuming incident, I note that it comes down to the Credit Union’s refusal to respond to a person with a genuine complaint. The complaint was well-grounded and reasonable and, if the Credit Union had demonstrated even a basic level of customer service, the matter would have been resolved quickly and without consuming the resources of my Office. In this respect, I accept that a Credit Union has a right to trace the location of a person with whom it needs to communicate for a genuine business reason and using reasonable means. For this reason I have no difficulty with the sending of the initial letter.
A civil summons is served on the wrong person
In February 2008 I received a complaint from a data subject who had received a District Court civil summons from a firm of Solicitors acting on behalf of a property management company. The civil summons named a male and a female as the defendants in the matter. The data subject shared the same full name as that of the male named on the summons. The data subject phoned the solicitors concerned to inform them that he did not know anything about the matter referred to on the summons, that the female named on the summons was not known to him and that she did not reside at his address. When he asked the solicitors where they had sourced his address he was told that their enquiry agent had given it to them.
My Office commenced its investigation by contacting the solicitors concerned to establish if, as alleged, the complainant had been mistakenly served with a summons which was proper to another man of the same name. The solicitors subsequently responded and confirmed that they accepted that the person who received the summons in this matter was not the person with whom their clients had contracted. They informed my Office that they had relied on information provided by an agent. They also asked my Office to convey their sincere apologies to the data subject for any inconvenience that may have been caused to him.
My Office informed the data subject of the response of the solicitors and sought his views about how his complaint against the solicitors might be resolved to his satisfaction. He indicated that this could be achieved by the data controller agreeing to cover the legal and medical costs incurred by him as a direct result of being wrongly served the civil summons. The data subject informed my Office that on receipt of the civil summons it was necessary for him to engage a solicitor to deal with the matter as he had been summoned to appear before the District Court on an appointed date. He also stated that he suffered considerable distress as a result of receiving the summons and that he had attended his doctor as a direct result. The data subject was also concerned that the summons served on him was now a matter of public record in the courts system and he said that it was incumbent on the solicitors to have this matter rectified by requesting the Courts Service to clear his good name.
The solicitors immediately indicated their willingness to resolve this matter as sought by the data subject and confirmed that there was no public record of the proceedings in this matter. In the solicitors’ view, the issue arose as a direct result of the actions of its agent. For this reason, it had been agreed that the agent would make a payment directly to the data subject’s solicitor in settlement of the matter and confirmed that this had taken place. Unfortunately, the agent had not made any contact with the data subject or his solicitor on this matter. Soon afterwards the solicitors sent my Office, on their own behalf, a cheque made payable to the data subject to cover the full costs incurred by him in this matter. They stated that they had been misled by the agent who had indicated that the matter had been resolved with the data subject’s solicitor. They indicated that, as a result, they had dispensed with the services of the agent with immediate effect. The data subject expressed his satisfaction with the outcome and thanked my Office for helping to bring this matter, which had caused him great distress, to a satisfactory conclusion.
This case highlights the distress and inconvenience that can be caused to an innocent individual as a result of the processing of inaccurate personal data. The serving of a summons is a significant action and it can be a matter of great anxiety for an individual to receive a summons, even when that individual is not the legitimate subject of the summons. Greater care should have been taken by all involved in the process of serving this summons.
Right of Rectification of Personal Data Held by a Data Controller
I received a complaint regarding a medical report carried out at the request of the complainant’s employers. The report was a psychological assessment dealing with the complainant’s ability to return to her original workplace after a period of absence on sick leave.
The person concerned had received a copy of the medical report in question from the medical practitioner who carried out the assessment and she considered the contents to be inaccurate. The complainant then requested that the report be rectified to reflect what she considered to be an accurate description of her particular circumstances. However, the data controller, a consultant psychiatrist, reverted to the data subject stating that it was not possible to make the kind of alterations to the independent medical assessment that had been sought.
Under Section 6 of the Data Protection Acts 1998 and 2003, if you discover that information kept about you by a data controller is factually inaccurate or collected unfairly, you have a right to have that information rectified or, in some cases, you may have that information erased. However, this is not an unqualified right and depends on the circumstances of each case. The judgement to be made in such cases is complicated all the more when the matters at issue are medical in nature. If for example, a data controller – in this case, the medical practitioner – considers that data is, in fact, accurate and if the data subject disagrees, then one possible course in the interest of achieving an amicable resolution is for the data controller to annotate the data to the effect that the data subject believes that the data is inaccurate for reasons which should be indicated (this solution is explicitly provided for in Section 6(1)(a) of the Acts).
This course of action was followed in this case and as part of the rectification process, the complainant supplied various annotations to be included in the medical report. Also supplied with each of these annotations was a detailed explanation for such. Having examined the annotations and all the information my Office had to hand, including the medical report in question, my Office was of the opinion that the proposed annotations supplemented the medical report without changing the report materially.
My Office communicated its position to both parties and the medical practitioner concerned helpfully supplemented the medical report in question by inserting the requested annotations. This allowed for the complaint to be resolved to the satisfaction of all parties concerned.
This case clearly indicates the value of the right of an individual to seek the rectification or supplementing of personal information relating to them, in accordance with Section 6 of the Data Protection Acts, 1998 and 2003. In instances such as the case highlighted above, where the personal information is of a subjective nature, the right to rectification is not always appropriate. In this case the individual concerned was satisfied that the annotations she supplied, when recorded with the report, were sufficient to ensure that anyone reading the report had a balanced view of her circumstances.
Financial institution – inaccurate credit rating – rectification – notification of third parties to whom incorrect data had been released
The complainants in this case were refused a loan from two financial institutions. They made an access request under the Data Protection Act to a credit bureau to see their credit records. The records indicated that they had in the past taken out three loans with a third financial institution (“Institution A”). While the two most recent loans were shown as having been paid off, the first loan (which had been taken out about six years previously) still appeared to be outstanding as it did not have a reference code to show that it had been paid. In fact, all three loans had been repaid on time.
The complainants took the matter up with Institution A, which had lodged the details with the credit bureau. On reviewing the details, the institution confirmed that the code, showing the first loan to have been completed, had been omitted from the record, and the institution said it had now returned the correct information to the credit bureau. Institution A also said that, notwithstanding the error, the individuals’ credit record showed a satisfactory credit approval rating.
The individuals complained to my Office about the inaccuracy of their credit record. I asked Institution A for its views on the matter, in light of the requirement at section 2(1)(b) of the Data Protection Act that the personal data kept by a data controller “shall be accurate and, where necessary, kept up to date”. Institution A said that, “due to an administrative error”, a return had not been sent by the institution to the credit bureau when the loan had been settled. The institution also claimed that the omission would not have prejudiced the complainants in any way: any other financial institution considering the credit record would know that the first loan must have been paid, because Institution A would not otherwise have given a second and third loan to the same individuals. Finally, the institution said that the human error involved in the case could not be repeated, as the manual method of making returns to the credit bureau had since been replaced with an automated system.
Arising from my Office’s investigation of the case, I issued a formal decision in which I concluded that Institution A had failed to keep personal data in respect of the complainants up to date, as required by the Act, and accordingly I upheld the complaint. I rejected the argument that other financial institutions could have inferred that the original loan must have been repaid, as I noted that the second and third loans had been issued before the term of the first loan had expired. While taking account of Institution A’s prompt action to correct the inaccurate record as soon as the error was brought to its attention, I explained that the Data Protection Act places a clear and active obligation on data controllers to ensure that data is kept accurate and up to date. In the circumstances, I recommended that the institution should contact all parties who had accessed the inaccurate credit record, notifying them of the correct position. Institution A subsequently complied with this recommendation.
I would emphasise to all data controllers their obligation to ensure the accuracy of their computer records. This is especially important where, as in the case of credit records, inaccuracies can have a significant bearing on people’s livelihood. In this regard, data controllers should be aware of section 7 of the Data Protection Act, which provides that individuals may take a civil action against a data controller, where the individual has suffered damage as a result of the data controller’s failure to comply with the requirements of the Act.
Data about two people combined in one record kept by a credit referencing agency – issue of accuracy
The complainant looked for a loan to buy a car, but he was refused. He then made an access request under section 4 of the Data Protection Act to a credit referencing agency.
The record he received in response showed that he had been lent money by a financial institution some years before, and that that loan had not been repaid according to the agreed terms. However the complainant had never had a loan with the institution in question, or any contact with it whatsoever. His record also showed that three other financial institutions had made enquiries about him to the credit referencing agency in the previous few months.
The complainant made his own enquiries to the institution from which he was supposed to have borrowed money previously. This institution confirmed that he had not borrowed money from it. The complainant was informed that the loan had in fact been taken out by a second party with the same name, and an address in the same general area as his own, but with a different date of birth. The complainant then informed the credit referencing agency that the loan related to a different person, and the lending institution confirmed this to the agency. Subsequently the agency wrote to the complainant saying that it had revised his record to delete the reference to the loan, and offering to send copies of its letter to all financial institutions which had accessed his record.
The complainant was aggrieved at what had happened. He asked me to investigate “wrong or misleading information” (i.e. the details of a loan which he had never had) which had been kept by the credit referencing agency and disclosed to those financial institutions which had made enquiries about him.
I sought the views of the credit referencing agency, which explained how the problem had arisen. When the second party had looked for a loan some years previously, the institution that he had approached had made two enquiries about him to the agency. The agency had no record of the second party, but it did have a record of the complainant. I was informed that two men had the same names and they both lived in the same general area, though their house numbers and street names were different. The credit referencing agency, following its practice when there is some similarity in names and addresses, sent the enquiring financial institution a copy of the complainant’s record “to allow them to determine from their greater access to information on their applicant as to whether there was any connection between the individuals of similar name”.
The complainant had been assigned a customer record number by the credit referencing agency, and this number was included in the copy of his record sent to the financial institution. The institution, when it subsequently approved a loan for the second party, erroneously associated the complainant’s customer record number with it and submitted the details electronically to the agency. As a result those details were automatically appended to the complainant’s existing record with the agency. (The credit referencing agency told me that some time later it had changed its computer systems so that details of new borrowings which contained customer record numbers were no longer automatically associated with existing records. Henceforth this would only be done by human intervention.)
I accepted that it was the financial institution and not the credit referencing agency which had made an error in assigning the complainant’s credit referencing number to the second party’s loan. However the agency was not justified in disclosing the complainant’s record to the institution in the first place. His address was sufficiently different from that of the second party to clearly suggest that two different persons were involved. I was satisfied that the problems which ensued followed directly from this disclosure.
I upheld this complaint by reference to section 2(1)(b) of the Act which provides that information constituting personal data relating to a living individual “shall be accurate and, where necessary, kept up to date”. I noted, however, that the inaccuracy was rectified when the complainant brought it to the attention of the credit referencing agency, and that the agency offered to clarify the situation to those institutions which had recently accessed the complainant’s record.
Direct mail for previous householder – decline direct marketing – inaccurate data – repeated promises
A man who bought a house found that direct mail, from several sources, arrived regularly for the former owner. My Office advised him to tell each sender that the former owner had moved, and when he did so all but one of them stopped the mailings. Post continued to arrive from a third-level educational institution, although it had made a number of promises that the matter would be rectified. This was a matter of some annoyance to the house-owner and he made a formal complaint to me.
I have had complaints before about mail being sent to an address after the sender has been told that the person concerned has moved. In my view this contravenes the requirement in section 2(1)(b) that data “shall be accurate and, where necessary, kept up to date”. If a data controller knows that the information he keeps about someone is out of date, he has an obligation to change it whether or not the data subject has asked for this to be done. In this case, the former resident of the house (who had been a student at the institution) had either forgotten or chosen not to tell the institution that she was moving. But the institution knew from the present owner that she was no longer there, and therefore it was wrong to keep that inaccurate address on its mailing lists.
When contacted by my Office, the institution apologised for the continued mailings. It explained that the inaccurate data had indeed been deleted previously from its mailing lists. However, in the course of computer maintenance work an earlier back-up version of the lists had been restored on the computer system.
This case illustrates a point which needs to be borne in mind by data controllers – generally those with sizeable data-holdings – who keep back-up copies. Given the obligation under section 2(1)(d) to take “appropriate security measures” against the “accidental loss or destruction” of data, it is of course proper to keep back-up versions in case data are corrupted or erased. However, it is necessary for data controllers to consider what measures they can take so that a back-up version, if restored, accurately replicates the live version of data that it has replaced. My Office drew the educational institution’s attention to this matter and offered some advice on how it might be dealt with.
A customer disputed his credit rating by a financial institution – issue of accuracy – the rating as understood by the institution
A customer made an access request to a financial institution and discovered that the institution had given him a rating with which he did not agree. He acknowledged that he had had some difficulties with his account, but he considered that the rating as it was explained to him by the financial institution suggested that the situation was more serious than it really was.
This financial institution uses a set of guidelines to assign ratings to its customers. I obtained a copy of these on a confidential basis. When I reviewed the facts of the complainant’s case in the light of the guidelines, I took the view that the rating which had been assigned to him was not unreasonable in all the circumstances.
While I had come to the view that the rating was not incorrect, this in itself was not conclusive. Section 1(2) of the Data Protection Act provides that data are inaccurate if they are incorrect or misleading as to any matter of fact. In other words, if the information, albeit factually correct, were expressed in a way that would not be properly understood by a third party, then the data controller would not have been meeting its obligations. In the event, this matter was resolved when I received an assurance from the financial institution that the ratings were solely for internal use. They would be seen only by people who also had access to the guidelines on which they were based, and were therefore in a position to interpret them correctly.
I did not uphold this complaint. Nevertheless it appeared to me that the complainant’s concern sprang partly from the fact that his rating, as explained to him by the financial institution, seemed appreciably more negative than it did when seen in the context of the institution’s own internal guidelines to which he did not, of course, have access. Therefore I put it to the institution that it should reconsider the explanations of these ratings which it gave to customers, with a view to making them more transparent and informative.
Credit record indicated that borrower had faced litigation and loan had been partly written off – issue of accuracy – previous concerns about fair obtaining revived
A man who had difficulty in getting a mortgage made an access request under section 4 to a credit referencing agency. He found that there was a record relating to a hire-purchase agreement that he had entered into some years previously. This record showed that part of the loan had been written off. It also purported to show that before that had happened, litigation had been pending against him. (The credit referencing agency uses codes which show the history of a loan over a period of months.)
The man complained to me, and described what had happened with the hire-purchase agreement. The agreement was for four years, but the payment book he was given was for three years only. Believing that once the book was finished the loan was cleared, he stopped making repayments. Some months later the finance company looked for the remaining twelve monthly instalments, together with additional interest that had accrued since the complainant had stopped his payments. Following negotiations between the parties the data controller agreed to accept the twelve outstanding monthly payments and to write off the accrued interest.
The complainant alleged that his record with the credit referencing agency contravened section 2(1)(b) of the Act – which provides that “data shall be accurate and, where necessary, kept up to date” – in two respects: he denied that an element of the loan had been written off, or that litigation against him was ever pending.
My investigation of the complaint established that the hire purchase agreement had, in fact, been for four years, not three, and that the complainant had fallen into arrears in the fourth year. At that point, the account could have been transferred to the company’s legal department for proceedings to be prepared against him. However, this was never done. Accordingly, I found that the complainant’s record was inaccurate in stating that litigation had been pending.
My investigation also established that a settlement had been agreed between the complainant and the finance company, in which the company waived the interest due on his late payments. In this respect, I found that the complainant’s record was not inaccurate in stating that an element of the loan had been written off. However, this aspect of the complaint raised an issue about which I have expressed concern before – the consequences for a person who settles a loan for less than the full amount owed. Section 2(1)(a) of the Act provides that information constituting personal data “shall be obtained and processed fairly”. The obligation to obtain data fairly requires a high degree of transparency on the part of a data controller. I have expressed my concern before about whether there is sufficient transparency when loans are settled by agreement with amounts written off.
I reiterated my concern to the finance company in this case. I noted that the company had previously and voluntarily deleted the details of the loan altogether from the credit referencing agency’s records. In this Report, however, I think it correct to point out that the practical consequences for a data controller of non-compliance with the fair obtaining requirement are potentially serious. Section 6(1) of the Act provides that –
“An individual shall, if he so requests in writing a data controller who keeps personal data relating to him, be entitled to have rectified or, where appropriate, erased any such data in relation to which there has been a contravention by the data controller of section 2(1) of this Act; and the data controller shall comply with the request as soon as may be and in any event not more than 40 days after it has been given or sent to him”.
The implication of this provision, in the context of cases like this, is that a data subject whose personal data have not been obtained fairly may assert his entitlement to have them deleted altogether.