Credit referencing agency Experian has been ordered to make fundamental changes to how it handles people’s personal data after an investigation into its data broking activities by the Information Commissioner's Office uncovered serious breaches of privacy laws.
The ruling follows an investigation prompted by campaigning group Privacy International into the use of customer data for direct marketing purposes by Experian, Equifax and TransUnion.
The investigation found that the three CRAs were "trading, enriching and enhancing" people’s personal data to create products which were used by commercial organisations, political parties or charities to find new customers, identify the people most likely to be able to afford goods and services, and build profiles about people.
The ICO found that significant ‘invisible’ processing took place, likely affecting millions of adults in the UK. It is ‘invisible’ because the individual is not aware that the organisation is collecting and using their personal data, in direct contravention of data protection law.
All three credit reference agencies (CRAs) made improvements to their direct marketing services business following the ICO's initial intervention, and Equifax and TransUnion withdrew some products and services.
Experian, however, has continued to share user data without issuing privacy information directly to individuals affected.
Information Commissioner Elizabeth Denham says: “Our investigation uncovered data protection failings that likely affected millions of adults in the UK. The information the CRAs are privileged to hold for statutory credit reference purposes was unlawfully used by them in their capacity as a data broker, with poor regard for what people might want or expect.
"The data broking sector is a complex ecosystem where information appears to be traded widely, without consideration for transparency, giving millions of adults in the UK little or no choice or control over their personal data. The lack of transparency and lack of lawful bases combined with the intrusive nature of the profiling has resulted in a serious breach of individuals’ information rights."
The privacy watchdog has issued Experian with an enforcement notice compelling it to make changes within nine months or risk further action. This could include a fine of up to £20m or 4% of the organisation’s total annual worldwide turnover.
The ICO also requires Experian to stop using personal data derived from the credit referencing side of its business by January 2021. In the enforcement notice, the ICO states that people currently have no choice about whether their data is shared with Experian for credit referencing purposes.
Experian says it will appeal against the ruling.
"We believe the ICO's view goes beyond the legal requirements," states the firm. "This interpretation also risks damaging the services that help consumers, thousands of small businesses and charities, especially as they try to recover from the Covid-19 crisis."