The ICO has released a report issuing an enforcement notice against Experian, a Credit Reference Agency, for improper use of individuals’ data.

We are all by now familiar with the cookie consent mechanisms that pervade across websites – some small, innocuous notices and others so large that you cannot access the content of the site without scrolling, ticking and clicking.

Frustrating though they are to both user and organisation alike, they are part of a drive to increase individuals’ awareness of how their data is treated – borne out of the General Data Protection Regulation (GDPR) and the focus it places on the rights of individuals.

The ICO’s latest report

The Information Commissioner’s Office (ICO) has published its report on data broking with one clear message; the rights of the individual are paramount.

While it is acknowledged that the data broking industry is an essential one (especially in the context of regulated activities and services), the ICO has found that the key players and stakeholders in this growing sector are not playing by the rule book.

In an unsurprising but brutal dissection of Credit Reference Agencies (CRAs), it is revealed that they rarely play by the rules and while they hold vast amounts of data legally, and compliantly process that data based on valid lawful bases, they also use that data for ulterior purposes.

How are the Credit Reference Agencies using data?

The biggest concern raised by the ICO is that the CRAs were/are using data collected for one purpose for a wholly different purpose. While it may look like they hold your age, name and address so that they can assist with verifying your ID with third parties, they are also using that information (and the data provided by third parties, or the type of third parties they are dealing with) to enrich your personal data and offer you as a target for businesses to market to.

The ICO rightly point out that this practice, while useful and legal where the individual knows it is taking place, is impossible for individuals to consent or object to if it is being conducted without their knowledge or consent.

ICO enforcement notice

The ICO’s decision to issue enforcement notices against one of the credit reference agencies will likely be a significant blow for that business and serves as a reminder to data controllers that just because an organisation is well known, or just because all processors are “doing it” with respect to certain processing activities, that does not make it legal or compliant.

All controller/processor relationships should be governed by a legally binding contract and the controller should identify the valid lawful basis for the processing taking place. This is largely commonplace, but controllers often leave processors to their own devices – auditing and spot checking of processors, and enforcement against processing agreements will become more common place as a result of the recent ICO decision.