Information Commissioner’s Office takes enforcement action under GDPR against Experian after data broking investigation

The ICO has ordered the credit reference agency Experian Ltd to make fundamental changes to how it handles people’s personal data within its direct marketing services. The enforcement notice follows a two-year investigation by the ICO into how Experian, Equifax and TransUnion used personal data within their data broking businesses for direct marketing purposes. A complaint from the campaign group Privacy International to the ICO also raised concerns about the data broking industry, specifically Equifax and Experian.

As a result of the ICO’s work, all three credit reference agencies (CRAs) made improvements to their direct marketing services businesses. Equifax and TransUnion made the improvements alongside withdrawing some products and services. The ICO is therefore taking no further action against them.

The investigation found that the three CRAs were trading, enriching and enhancing people’s personal data without their knowledge. This processing resulted in products which were used by commercial organisations, political parties or charities to find new customers, identify the people most likely to be able to afford goods and services, and build profiles about people. The ICO found that significant “invisible” processing took place, likely affecting millions of adults in the UK. The ICO explains that the processing is “invisible” because the individual is not aware that the organisation is collecting and using their personal data, which is a clear breach of data protection law.

Findings from the investigation have been published in an ICO report into “data protection compliance in the direct marketing data broking sector”.

Although the CRAs varied widely in size and practice, the ICO found significant data protection failures at each company. As well as the failure to be transparent, the regulator found that personal data provided to each CRA, in order for them to provide their statutory credit referencing function, was being used in limited ways for marketing purposes. Some of the CRAs were also using profiling to generate new or previously unknown information about people, which is often privacy invasive.

The ICO’s enforcement notice requires Experian to inform people that it holds their personal data and how it is using or intends to use it for marketing purposes. Experian has until July 2021 to do this, subject to any appeal.

The ICO also requires Experian to stop, by January 2021, using personal data derived from the credit referencing side of its business, which it currently does for limited direct marketing purposes. For example, it must stop screening prospective customers out of marketing lists on the basis of their financial status. The ICO’s press release sets out the enforcement notice in full.
