Burden of proof requirement

The request was successful.

Dear Information Commissioner’s Office,

Dear The Financial Services Authority,

Can you please provide by return confirmation of the burden of proof requirements applied to credit reference agencies such as Experian, Equifax etc and the information which they process in relation to individuals?

It would appear that the current practice is that there are no checks carried out in relation to information supplied to them by financial / banking bodies and that they just accept the word of the submitting body / business as to the veracity / accuracy of any information which they provide.

Given the possible adverse impact incorrect information may have on an individual one would reasonably expect some form of accuracy check to take place.

If this is not currently a requirement / obligation on the part of such agencies can I ask why not?

If it is currently a requirement can I ask who the regulatory third party is that has responsibility for the monitoring and compliance of same?

Yours faithfully,

Conor Small

Dear Information Commissioner’s Office,

I am disappointed to note your lack of response to my FOI request.

Given the recent month long debacle with the Ulster Bank and the incorrect records generated with credit reference agencies as a direct result of same I think it would be even more appropriate for the information which I requested to be made available by return as a matter of urgency.

Yours faithfully,

Conor Small

Information Governance,

Dear Mr Small

Thank you for your emails of 17 June and 18 July 2012.

Although you have indicated that you wish to make a request for information, further to your ‘right to know’ contained in section 1 of the Freedom of Information Act 2000 (FOIA), your email contains an enquiry rather than a request for recorded information held by the ICO.

Where a 'request for information' contains an enquiry, rather than a specific request for copies of information held by the ICO, we deal with such requests as a 'normal course of business' enquiry rather than a formal request for information under the FOIA.

This is in accordance with the guidance given in the ICO publication 'Freedom of Information & Environmental Information Regulations - Hints for Practitioners handling FOI/EIR requests', which states on page 6 "Requests which are not for recorded information, but instead ask questions, such as "please explain your policy on x" or "please explain your decision to do y" are not requests for recorded information and therefore should be treated as routine correspondence.". This publication is available on our website, and can be accessed via the following link:

http://www.ico.gov.uk/upload/documents/l...

We have therefore forwarded your enquiry to our First Contact Team who will respond to you in due course. You may wish to note that the case has been allocated Reference ENQ0453492.

I apologise for not previously advising you that your submission has been handled in this manner. For your future reference you may wish to visit the following page of our website, which provides further details about the ways in which you can contact us:

https://www.ico.gov.uk/Global/contact_us...

Yours sincerely

Andrew Walsh
Lead Information Governance Officer

show quoted sections

Information Commissioner's Office

 Mr C Small
[1][FOI #119307 email]
 
19 July 2012.
 
Case reference number: ENQ0453492.
 
Dear Mr Small,
 
Thank you for your emailed correspondence to the Information
Commissioner’s Office (ICO), dated 21 June 2012, regarding the Data
Protection Act 1998 (DPA98).
 
The DPA98 is specifically concerned with the processing of personal data.
“Processing” includes obtaining, holding, recording, disclosing or using
personal data in any way. Personal data is data which relates to and
identifies a living individual. The DPA98 imposes eight Principles of
“good information handling” on organisations responsible for processing
personal data (“data controllers”).
 
Please accept my apologies for the delay in responding to you. Our office
is currently dealing with large volumes of work. This has meant that we
have been unable to deal with incoming correspondence as promptly as we
would like.
 
As my colleague, Andrew Walsh has explained, your correspondence is being
treated as an enquiry rather than a request under the Freedom of
Information Act 2000 (FOIA).
 
Your enquiry is as follows:
 
“Can you please provide by return confirmation of the burden of
proof requirements applied to credit reference agencies such as
Experian, Equifax etc and the information which they process in
relation to individuals?

It would appear that the current practice is that there are no
checks carried out in relation to information supplied to them by
financial / banking bodies and that they just accept the word of
the submitting body / business as to the veracity / accuracy of any
information which they provide.

Given the possible adverse impact incorrect information may have on
an individual one would reasonably expect some form of accuracy
check to take place.

If this is not currently a requirement / obligation on the part of
such agencies can I ask why not?

If it is currently a requirement can I ask who the regulatory third
party is that has responsibility for the monitoring and compliance
of same?”
 
The Fourth Principle of the DPA98 states that personal data must be
accurate and where necessary, kept up to date.
 
Section 70(2) of the DPA98 states:
 
“For the purposes of this Act data are inaccurate if they are incorrect or
misleading as to any matter of fact.”
 
If personal data can be proven to be factually incorrect, then the
individual can request the data controller correct such data. This can be
done either by contacting the credit reference itself or the lender
 
The DPA98 goes on to state that data controllers will not be regarded as
being in breach of the Fourth Principle in cases where the data controller
has taken reasonable steps to ensure the accuracy of the data and, where
the individual has advised the data controller that he or she disputes the
accuracy of the data, the data indicate this fact (usually by the data
controller placing a note on file to this effect – this is effectively
provided for by the notice of correction procedure – for further details,
please refer to the link to Credit Explained which I have provided below).
These requirements apply either where the data has been obtained from the
individual to whom the data relates or from a third party data controller.
 
Our Guide to Data Protection provides the following explanation for data
controllers in respect of this particular aspect of the Fourth Principle:
 
“It may be impractical to check the accuracy of personal data someone else
provides. In recognition of this, the Act says that even if you are
holding inaccurate personal data, you will not be considered to have
breached the fourth data protection principle as long as:
 

* you have accurately recorded information provided by the individual
concerned, or by another individual or organisation;
* you have taken reasonable steps in the circumstances to ensure the
accuracy of the information; and
* if the individual has challenged the accuracy of the information, this
is clear to those accessing it.”

 
[2]Keeping personal data accurate and up to date (Principle 4)
 
For further information on the DPA98 and consumer credit, please use the
following link:
 
[3]credit explained
 
If individuals have raised their concerns about the disputed entry with
either the lender in question or the credit reference agency and are
dissatisfied with or have not received a response, they can bring a
complaint to the ICO.
 
Under section 42 of the DPA98 an individual can ask the Commissioner to
conduct an “assessment”; that is, give a view as to whether it is likely
or unlikely that an organisation has complied with the DPA98 in the
situation that has been described to us. 
 
If we consider it is unlikely that an organisation has complied with the
DPA98, our aim is to ensure that the organisation understands its
obligations and takes any steps necessary to help ensure compliance with
the principles either in that particular case or in the future.
 
In order to carry out an assessment, we ask that individuals raise their
concerns in writing with the organisation, wait 28 days for a response. If
they are dissatisfied with, or do not receive, a response, at this point
they can bring a complaint.
 
In practical terms, we would advise that individuals raise their concerns
with the lender that has placed the disputed entry on their credit
reference file.
 
In order to carry out an assessment in relation to entries on credit
reference, we ask that individuals provide:
 

 1. Completed complaint form.
 2. An up to date, recent, full copy of the credit reference file
containing the disputed entry or entries.
 3. Evidence that the individual has raised the matter with the lender or
the credit reference agency, and, if applicable, the response
received.
 4. Any documentary evidence that the individual may be able to provide
demonstrating the inaccuracy (this should also be sent to the lender
or credit reference agency in the initial complaint letter).

 
For further details about our complaints procedure, and copies of our
complaint form, please use the following link:
 
[4]Data Protection – When and How to Complain
 
I trust this response has been helpful. If you require any further
assistance, please contact me at: [5][email address]. In the
subject field of your email please include the following text (including
the square brackets) [Ref. XXXXXXXXXX], replacing the ‘X’ characters with
your case reference number, including its three character prefix. This
will add your email to the other information you have already sent to us
about your case, and should occur automatically if you click the ‘reply’
button.
       
Yours sincerely,  
 
       
       
Tim Clarke
 
Case Officer – First Contact Group
Information Commissioner’s Office
Tel: 0303 123 1113. Ext 5686.      
 
Would you like to provide anonymous feedback about your experience as an
ICO customer?
We are committed to learning from the experiences of our customers. If you
would like to provide some anonymous feedback about your experience as an
ICO customer please [6]click here. We use all feedback to help us
continuously improve our service, focussing on the things that are most
important to our customers. The survey contains three questions and we
expect that it takes no more than one minute to complete. No personal data
will be collected as part of completing this survey.

show quoted sections

Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire, SK9 5AF
Tel: 0303 123 1113 Fax: 01625 524 510 Web: www.ico.gov.uk

References

Visible links
1. mailto:[FOI #119307 email]
2. http://www.ico.gov.uk/for_organisations/...
3. Opens in new window
http://www.ico.gov.uk/for_the_public/top...
4. http://www.ico.gov.uk/complaints/data_pr...
5. mailto:[email address]
6. blocked::http://www.snapsurveys.com/swh/surveylog...
http://www.snapsurveys.com/swh/surveylog...