So, to the letter itself…
The following was an amalgamation of several previous letters that I had sent for my own cases. This version was written for a friend who was having hell with a bank that adamantly refused to remove a settled default, and the CRAs involved had written back with many stupid replies that didn’t mean anything, or answer the issue.
Within 72 hours of it being received at their Head Office, we received a letter saying that they were happy to remove the default from the credit files, although denied any liability for distress, or breach of duty in relation to the Data Protection Act.
The Company Secretary
GrabItAll Bank plc
Large Ugly Building with nice view of Thames
Somewhere in London
[must go to their company registered address!]
Re: Formal notice to desist from processing or disclosing personal subject data
I have recently conducted an audit of my personal credit reports supplied by Experian, Equifax and CallCredit.
It is noted that there exists, within all three files, an entry referenced as “GrabItAll plc” indicating a former xxxxxxxx Loan (now closed) of £x. This is recorded as “In Default” albeit showing a settlement date of dd/mm/ccyy.
I am contesting that GrabItAll's continued processing of my data is an unwarranted act and I enclose a Statutory Notice to that effect, which is deemed served as of the date noted on the Royal Mail's Recorded Delivery service audit.
My written permission allowing GrabItAll to continue processing, or disclosing, my personal subject data was revoked upon termination of that original contract and I hereby reiterate that revocation. I also do not recall receiving any such Notice of Default being served on me, as required by the conditions of the Consumer Credit Act 1974. Unless the Bank can provide a true copy of the said Notice, then I consider that any default entry on my credit files to be wholly unwarranted.
However, if you can supply the copy, then I also contest GrabItAll's continued processing on the following grounds.
As you are aware, I am afforded principled rights under the Data Protection Act (Data Protection Act), Schedule 1, Part 1 ("The Principles") in relation to the manner in which my data is collated, stored and processed. Of particular note, are Principles 3, 4 and 5:
“3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4. Personal data shall be accurate and, where necessary, kept up to date.
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.”
In my case, GrabItAll is still processing data after the cancellation of the contract, whether or not this is a simple renewal process of the default flag, daily or by other timing factor. As that contract is no longer in situ, then my written permission has also ceased from the date of cancellation.
This is confirmed in Principle 2 of the Data Protection Act, which states:
"2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes."
I emphasise the term "specified and lawful purposes" as in ‘those specified within the contract’, and no more. I also emphasise the term "shall not be further processed".
I have taken the matter up with the Credit Reference Agencies, and they had claimed that they had a [quote] “legal right” to maintain this type of adverse entry for up to six years. When I challenged them to quote me the exact Statute that includes this so-called “legal right”, they remained remarkably quiet. Only after my continued insistence of disclosure did they eventually concede that, whilst they have no statutory right, it is [quote] “standard industry practice” but they added that they are “allowed to by Law”. After further challenges, they finally admitted that unless this was a County Court issue, their term actually referred to contractual Law, but continued to emphasise that it was “standard industry practice to record default entries for six years.”
As a highly-educated company secretary for a major PLC, may I respectfully presume that you likewise recognise that “standard industry practice” does not correlate with “legal right”?
Further investigation has also led me to conclude that the only six-year data ‘retention rule’, to which they may adhere to, is in relation to information in the public domain, e.g. Bankruptcy Orders/Discharges, IVAs, CCJs, etc. These are kept in the public domain for six years. But, these are sealed orders issued by a judge through the Courts who oversee the ultimate jurisdiction in all matters relating to Law, be it the criminal code or the Common Law. It is not up to Credit Reference Agencies, or lenders, to decide legal issues.
In addition, the agencies may also hold information that is deemed ‘in the public interest’ for the avoidance of credit fraud or deliberate repayment avoidance; I refer, of course, to CIFAS and GAIN entries on a credit file. My former account was not subject to any such marker, nor is my former civil contract with GrabItAll a public matter.
After scrutiny of all the relevant legislation, including the Consumer Credit Act (As Amended), the various Financial Services Acts and the Data Protection Act, etc., it is clear that there is absolutely no legislation that allows a lender or supplier (including GrabItAll) to collate, process or distribute any other information unless there is express written permission from the data subject.
In fact, Section 10 of the Data Protection Act awards the real authority, regarding privacy of data, to the data subject, not the Data Controller. The Act is also very clear as to the rights of the data subject in respect of withdrawing permission to continue data processing and disclosure:
10. - (1) Subject to subsection (2), an individual is entitled at any time by notice in writing to a data controller to require the data controller at the end of such period as is reasonable in the circumstances to cease, or not to begin, processing, or processing for a specified purpose or in a specified manner, any personal data in respect of which he is the data subject, on the ground that, for specified reasons-
(a) the processing of those data or their processing for that purpose or in that manner is causing or is likely to cause substantial damage or substantial distress to him or to another, and
(b) that damage or distress is or would be unwarranted.
[Continued in Part 3...]