Enforcement action taken against Experian
The Information Commissioner’s Office (ICO) has taken enforcement action against Experian Limited (Experian) after a two-year investigation. The credit reference agency (CRA) was found to have committed serious breaches of data protection law.
The ICO targeted three CRAs during the course of its investigation: Experian, Equifax and TransUnion. All three agencies were asked to make improvements and withdraw certain products and services. Equifax and TransUnion complied fully with the ICO’s request, thereby escaping enforcement action. Experian, on the other hand, only partially complied with the request, rejecting the notion that it was obliged to issue privacy information directly to individuals and cease the use of credit reference data for direct marketing purposes.
As a result, the ICO issued an enforcement notice to Experian, which requires the company to make changes within nine months. If it fails to do so, it could face a fine of up to £20 million or 4% of its annual turnover.
The ICO has published a report of its investigation, which highlights the significant data protection breaches that had been committed. For example, all three companies had used personal data for marketing purposes, rather than simply to fulfil their statutory duties as CRAs.
Furthermore, the privacy information on the companies’ websites did not clearly explain how they were using customers’ data. This reflected a more general failure to be transparent, which is a fundamental pillar of data protection law.
The CRAs were also found to have been using certain lawful bases incorrectly.
Changes required by the enforcement notice
Experian must make the following changes if it is to escape more serious action.
Screening of customers
Experian must stop using the personal data acquired from the credit referencing side of its business for marketing purposes. The CRA had been identifying prospective customers from the data provided by analysing subjects’ financial status. People who are subject to credit reference checks have no choice as to whether their data is shared with Experian, and the ICO noted that the CRA’s use of it for this purpose was unexpected.
Deletion of data
The company had been acquiring personal data under the lawful basis of ‘consent’ and then processing it using the lawful basis of ‘legitimate interests’. This was contrary to data protection law, and all such data must now be deleted.
Improvements to privacy information
As noted above, Experian’s provision of privacy information was found to be insufficient. It must now make sure that it is clear what personal data is collected, who it is being sold to, why it is being sold, and what it is being used for.
According to Elizabeth Denham, the Information Commissioner, “the ICO’s investigation uncovered “data protection failings that likely affected millions of adults in the UK.”
Ms Denham was encouraged by the fact that two of the three CRAs decided to comply fully with the ICO’s recommendations, but noted that more needed to be done. “Now I expect the data broking sector to make the same commitments.”