Credit Reference Agency Information Notice (CRAIN)

Version: 1.2

In Brief

We (Equifax, Experian and TransUnion, collectively referred to as “we” and “us” throughout this Privacy Notice) are credit reference agencies and we play an important role in the UK’s financial ecosystem. This Credit Reference Agency Information Notice (referred to as “this Privacy Notice”) explains how we collect, process and share personal data about consumers and businesses (referred to as “you”).

This section briefly summarises the key processing activities common to all of us. For more detail, please refer to the rest of this document. We recommend reviewing each credit reference agency’s own privacy notices, which explain the specific processing activities of that credit reference agency. Links to these documents can be found in Section 14.

Throughout this Privacy Notice, where we use “data” we mean the data types as described in Section 4.

What do Credit Reference Agencies do?
  • We collect information about you from various sources and build databases that hold this data.
  • We need to hold relevant permissions from the Financial Conduct Authority to collect and share this financial information about you.
Where do Credit Reference Agencies get information from?
  • The primary source of information we collect is from public records, such as court judgments (CCJs) and electoral register information, financial information from financial account providers, and information generated by us based on the information received and/or our own analytical research.
  • In addition, we may also collect information from payment accounts via the use of open banking, gambling organisations, employers, utilities suppliers, telecoms businesses as well as (business data only) from publicly available business websites.
Who uses the information, and what do they use it for? 
  • Financial account providers and other organisations carry out searches against information with one or more of us.
  • Organisations can carry out searches for several reasons. These include assessing creditworthiness and ability to afford financial products, checking the accuracy of other information, preventing and detecting crime (such as fraud or money laundering), checking identity, locating individuals (for example to recover debts that they owe), calculating how much their insurance premiums should be, employment verification, including assessing their suitability for a job or a tenancy, and helping to protect individuals from the impacts of problem gambling.
  • When an organisation carries out a search of someone’s data, we will record details of that search. This is known as a search footprint. Depending on the type of search they can be visible to the individual and/or to other organisations that may conduct searches on that individual. Some organisations may draw adverse inference from the presence of some search footprints, for example if a person has multiple debt collection searches recorded. 
  • We link people who appear to be financially associated, for example, through a joint account, joint application for credit or a joint County Court Judgment. This information on financial associates may be checked by companies when undertaking credit searches for the purposes of assessing credit risk. This is because your link with financial associates may affect your ability to repay debt. Examples of this include acting as guarantor for a personal loan that another individual is taking out, or acting in the capacity of a director or business owner where the relevant business is applying for a commercial loan. See the table in Section 4 for further information on how the financial associate’s data affects your credit report and score.
  • We also use some data for marketing-related purposes. Each of us provides different marketing services, to help organisations to better direct their marketing to consumers and (where relevant) business owners and directors, for example excluding individuals from advertising for credit products they would not be eligible for. We may also use the data to predict information or characteristics about the population, to inform product and marketing strategy, to help organisations identify who they want to market their products and services to, and how they should be delivered.
  • The data relating to you held by each of us might be different. This is because not every financial account provider supplies data to every one of us.
What else do Credit Reference Agencies do with my information? 
  • We also use the data in our databases for other activities, including analytics and profiling. This can help financial account providers build scorecards to use in assessing credit applications.
  • We carry out several types of data processing to help achieve the aims described above. These include loading data, matching and linking data together, generating credit scores, as well as testing, developing and building products and services for our clients.
  • Individuals have certain rights that they can exercise in relation to the personal data held by us. For example, they have the right to obtain a copy of the data, to ask us to correct it if it is inaccurate, and to object to the processing of the data. The ICO's website[1] provides more details on the available rights, and details of how these rights can be exercised are set out in Sections 9, 10, 11 and 12 below. Personal data about individuals in their role as owners, directors, and employees of UK businesses may also be obtained, processed and shared by commercial data sharing credit reference agencies not referenced in this Privacy Notice. For further information please refer to the Business Information Providers Association’s website[2].

Please note:

  • If you are looking for information about the role that data plays in lending decisions made by financial account providers, you may wish to consult Understanding your credit information and how lenders use it. This is published on the website of each of us, Equifax[3], Experian[4] and TransUnion[5].
  • This document describes our common processing activities detailing how we use and distribute the data described in Section 4.
  • We are independent businesses. Not all of the products and services described in this document are provided by all three of us, or in the same way, and not all of the data is used by each of us.
  • This document does not cover all personal data that we use and distribute; for example, this document does not cover processing of personal data in relation to our services you sign up to directly, such as services which allow you to view your own credit report and score. 
  • Each of us offers other products and services (including marketing services) not covered by this Privacy Notice. Section 14 provides links to our own privacy notice(s), which outline other uses of data not fully described here that may be unique to one of us, or which include additional detail about our core processing activities. The same links about our core processing activities are shown below:

Experian | Data Privacy[6]

Experian | Marketing Transparency Notice | Business Information Experian UK[7]

Equifax | Privacy Hub | UK[8]

TransUnion | Privacy Centre[9]

1. WHO ARE THE CREDIT REFERENCE AGENCIES AND HOW CAN THEY BE CONTACTED?

There are three main credit reference agencies in the UK.

Each is regulated by the Financial Conduct Authority (“FCA”) and authorised to conduct business as a credit reference agency. The full names and contact details for each are set out below.

Credit reference agency Contact details
Equifax Limited

Post: Equifax Limited, Customer Service Centre PO Box 10036, Leicester, LE3 4FS

Web address: https://www.equifax.co.uk/Contact-us/Contact_Us_Personal_Solutions.html

Email: UKDPO@equifax.com

Phone: 0333 321 4043 or 0800 014 2955

Experian Limited

Post: Experian, PO BOX 9000, Nottingham, NG80 7WF

Web address: https://ins.experian.co.uk/contact

TransUnion International UK Limited

Post: TransUnion, Consumer Services Team, PO Box 647, Unit 4, Hull, HU9 9QZ

Web address: https://www.transunion.co.uk/consumer/consumer-enquiries

Phone: 0330 024 7574

In this Privacy Notice, these three companies are referred to as Equifax, Experian and TransUnion respectively and collectively referred to as “we” and “us” throughout. 

Controllers 

Each of us is a controller of the data that we hold. This means that we have certain responsibilities under data protection law to make sure that the data is used fairly and lawfully. 

Where we operate as part of a group of companies, we may share joint responsibility with the other members of that group when sharing data with them. You can contact the relevant credit reference agency using the details above if you want to enquire about any of those group companies or exercise any of your rights in respect of your personal data.

2. WHAT DO CREDIT REFERENCE AGENCIES USE DATA FOR?

We use data in products and services that we offer to our clients. The purposes for which those products and services are used are described below, but please note that different clients may use the products and services in different ways. Consumers should check the privacy policies of the organisations that they deal with for details about how they use any products and services provided by us.

 
(a) Credit risk assessment, financial vulnerability, and affordability checks 

Each of us uses data to provide credit reporting services, financial vulnerability and affordability checks to our clients.

CREDIT RISK ASSESSMENT

Organisations use credit reporting services to see how people and businesses are managing payments in respect of their credit commitments and how they have done so in the past. For example, if a person applies for a bank loan to buy a car, the bank may use credit reporting services to check whether that person has kept up with their repayments on any previous credit agreements. It will then use this information, together with information from other sources, to assess the risk of offering the loan, including identifying any financial vulnerabilities.

A financial account provider may also take into account the creditworthiness of a director or business owner as part of its assessment, when considering whether to agree to lend to a business associated with such individuals.

It is important to note that once a search has been undertaken with one of us, it is for the credit provider to decide whether or not to accept that person’s application for credit. While we may help clients to analyse the data or create application models, we are not the decision maker.

AFFORDABILITY AND FINANCIAL VULNERABILITY CHECKS 

Organisations use affordability checks made available by us to help understand whether people or businesses are likely to be able to afford to make payments, and to highlight financial vulnerabilities. For example, when you apply for a loan, the lender will check whether you have previously suffered a CCJ or missed credit payments, which might impact your ability to afford the repayment instalments.

Organisations might also check your affordability by reviewing the transaction data or the level of income and expenditure in relation to your payment account. This could include the use of open banking or current account turnover data provided by Current Account providers (“Current Account” refers to bank accounts designed to manage your income and day-to-day spending).

The information provided as part of the affordability checks may affect a person’s or business’s ability to obtain credit or other services. For example, where an individual has their own business, a lender may take into consideration the personal credit commitments of that individual, as well as how the business is maintaining its financial commitments, prior to granting credit.

Affordability checks are also used by organisations in the gambling sector to help identify and protect potentially vulnerable people from the impacts of problem gambling by helping organisations set appropriate spending limits and implement appropriate engagement strategies. These checks are used to support gambling organisations in complying with their regulatory obligations.

These activities help promote responsible lending, prevent people and businesses from getting into more debt than they can afford, and reduce the amount of unrecoverable debt and insolvencies.

 
(b) Checks to validate and verify client data, and help prevent and detect fraud, money laundering and other criminal activity 

VALIDATION AND VERIFICATION

We use data to provide validation and verification services to clients. For example:

  • Where some products and services are only available to people of a certain age, organisations may check whether the person they are dealing with is eligible by looking at data held by us. For example, if a person is signing up to join a gambling website for people who are at least 18 years old, the organisation may check to see if the age or date of birth provided by the person matches the data held by us. 

HELP PREVENT AND DETECT FRAUD, MONEY LAUNDERING AND OTHER CRIMINAL ACTIVITY

We also use data to help prevent and detect fraud, money laundering and other criminal activity, and apprehend and prosecute offenders.

  • When a person applies to an organisation for a product or service, the organisation might ask that person to answer questions about themselves, and then check the answers against the data held by us to see if they match. For example, they may ask “What is your current address?” If the address provided does not exist on our records (for example, because it is a fictitious address) or does not match the data held by us (for example, there is no record of the person at the address provided), this may be an indicator of a mistake or fraud. 
  • When a person wants to make a payment to another person, the organisation making that payment might want to understand more about them. By using data about the person making the payment and the intended recipient, the organisation can determine if there are indicators of fraud present. If there are, the organisation may query the payment or take steps to stop it.
  • Government and quasi-government bodies may use our services to check for potential fraud or other criminal activities, whether people are entitled to certain benefits, and to help recover unpaid taxes, overpaid benefits and similar debts. For example, if a person is claiming single person discount for council tax, a local authority may check with us to see if any other adults are living at the same address. Conversely, public bodies may use our services to identify individuals who may be entitled to discounts but are not claiming them. For further details on government use of our data, refer to Section 2(m).
  • Law enforcement agencies (including police forces, security services and border control) may also access or use data held by us to assist with the investigation, prevention or detection of crime and criminal activity.

An indication of invalid or unverified information, fraud, money laundering or other criminal activity may affect (amongst other things) the outcome of an application for a product or service, a tenancy agreement or employment. If clients using the services identify potentially fraudulent activity, they may also pass the applicant’s details to a fraud prevention agency such as Cifas and/or to the police.

For more details about the fraud prevention services offered and the personal data used by each of us, please refer to Section 14.

(c) Customer management

We use data to provide products and services for organisations to use for customer management purposes. Customer management is the ongoing maintenance of an organisation’s relationship with its customers. This could include activities designed to support:

  • data accuracy: for example, to correct or update client customer data held on the organisation’s records, such as correcting spelling mistakes or adding missing fields; or providing services to link records together in order to show a single customer view; and
  • ongoing relationship and account management activities: for example, to help organisations make decisions relating to credit limit adjustments, transaction authorisations, card reissue, lending requests, and to identify and manage the accounts of customers including those at risk of financial difficulties, showing signs of financial stress, in arrears, or going through a debt collection process. This may include ongoing monitoring of individuals’ data, and sending alerts to clients in specified circumstances.

 

(d) Tracing and debt recovery

We use data to provide products and services that allow organisations to trace people. This is typically needed where a person has moved address or changed their telephone number and has not provided their new contact details. We help organisations locate customers they have lost contact with by providing them with updated addresses and other contact details.

The products and services are used to support organisations’ debt recovery and debtor tracing activity. For example, if a person owes money to an organisation and moves to a new house without telling the organisation where they have moved to, the organisation may use these services to help find that person to recover the money that is owed to them.

We also assist debt collectors in predicting, analysing and evaluating the costs of debt recovery to enable them to determine appropriate collections strategies. 

These products and services are also used to find people to let them know about assets that they may have forgotten about or not be aware of, such as old dormant savings accounts or pension funds, or to find people to let them know about assets of a deceased person which they have an interest in, such as administrators or beneficiaries of a deceased person’s estate.

Please also see Section 2(h) below which describes how we may provide tracing services for marketing purposes.

 

(e) Tenant vetting

We use data to provide products and services that allow landlords to verify some of the information provided by their prospective tenants, as well as confirming that they are who they say they are and that they are likely to be willing and able to pay their rent on time. Landlords can use this information to help decide whether to agree to the tenancy, or how much of a deposit they should ask for.

 

(f) Staff and job candidate vetting

We use data to provide products and services that allow organisations to verify some of the information provided by their staff and job candidates and confirm that they are who they say they are. They also enable employers to assess whether the staff member or candidate has a history of managing their own financial commitments well, or whether they are financially compromised. This can be used to help them decide whether the person would be or will continue to be a suitable member of staff.

 

(g) Insurance risk assessments and pricing

We use data to provide products and services for organisations to use to assess insurance risk. For example, an insurer may find that a person’s financial standing and history can be used to help predict how likely that person is to make a claim on an insurance policy, or how large that claim might be. This can help the insurer to decide (i) whether to provide insurance to a person, (ii) how much the insurance premium should be, and (iii) whether to allow payment for insurance on a credit instalment basis.


(h) Marketing and marketing-related services

OVERVIEW 

We offer our clients marketing services. Some of these marketing services use data and some do not, and some impact consumers while others affect directors and/or business owners. For details about the marketing services offered and the personal data used by us for these services, please see the following links: 

  • Experian | Consumer Information Portal[10]
  • Experian | Marketing Transparency Notice | Business Information UK[11]
  • Equifax | Privacy Hub | UK[12]
  • TransUnion | Marketing Services Privacy Notice | UK[13]

As well as other rights, consumers have the right to object to the processing of their personal data for direct marketing purposes, including any profiling that is related to direct marketing. Section 11 sets out more details on how this right can be exercised. 

If we provide marketing services, we may use an individual’s title, name (including aliases), address, date of birth, gender and address links information (see Section 4 for more detail), as well as limited information relating to their financial standing.  

SCREENING OUT 

We use data to provide screening services to our clients. This means that we identify people who clients may wish to screen out of marketing lists. Screening is used to help ensure that individuals do not receive irrelevant or inappropriate marketing information. These individuals will most often be consumers, but we also provide screening services which impact on company directors and/or business owners for our clients who carry out business-to-business marketing activities.

For example, a client may want to screen out from its marketing list someone who is deceased, or who is under 18, or does not reside at the address they hold, or who may not be interested in a product or service or is unlikely to be accepted for it.  

OTHER MARKETING-RELATED ACTIVITIES 

In addition, we may use data to offer some or all of the following marketing services: 

  • We may supply the open version of the electoral register (where people have not opted out from their electoral register data being used for marketing and other purposes) to organisations for marketing purposes. This can include identifying new potential customers, verifying that names, addresses and dates of birth collected from other sources are accurate and complete, and informing customers of any errors. 
  • We may identify when someone has moved away from an address so that marketing is not sent to them at that old address.
  • We may trace individuals to a new address so that their marketing preferences (opt-outs) collected at a previous address can continue to apply at their new address and so that marketing is not sent to them at their old address. 
  • We may help build insight using profiling techniques used by organisations to help them identify people that they want to communicate with about particular products and services. This insight might predict, for example, age, marital status, household composition, length of residency at an address and gender. It can help give organisations insight into the likely characteristics of the UK population at an individual, household and postcode level. Data also helps us to validate the insight being created. This insight might also be used to help clients assess the financial standing of a person so that they can personalise their interactions with them and make communications more relevant and suitable. For example, they could use the insight to select products or offers that they believe would be relevant to that person. 
  • Models and insight created by us can be matched to clients’ own contact lists so that they can make better informed decisions about how they interact with individuals (both consumers and company directors and/or business owners). 
  • We may confirm whether individuals are resident at the address that we or our clients hold for them. This can be done by checking the data to see if there are any open credit accounts at an address and whether the accounts have recent activity, such as where a recent payment has been made. If they do, then it is likely that they have the correct address details. This will help ensure that an individual does not receive marketing for someone else and our clients do not send marketing to the wrong address. 
  • We may also use data to help keep our own marketing suppression lists (or those of our group companies) accurate and up to date. For example, if you have previously asked to be excluded from marketing activity and your data indicates that you have since moved or changed your name, that information can be used to make sure that you continue to be excluded from marketing activity at your new address or under your new name.

(i) Profiling, statistical analysis and anonymisation

We use, and allow our clients to use, data to carry out profiling of consumers through statistical analysis. This includes the creation, validation and use of scorecards, models, and attributes in connection with the assessment of risks relating to credit, fraud, affordability, financial vulnerability and debt collection. It is also used in verifying identities, to monitor and predict market trends and to enable clients to refine lending and fraud strategies, and loss forecasting. This can include drawing inferences about individuals on the basis of the data available, such as inferences about whether a credit application they have made has been accepted or declined.

These practices profile consumers (typically a client’s own customers or previous applicants) to help determine the likelihood that a consumer with certain characteristics will act in a way that will produce certain outcomes; for example, to repay credit, to be able to afford credit, to claim on an insurance policy, to commit fraud, to respond to certain collection strategies or to become insolvent. 

We may also convert personal data into statistical or aggregated form so that individuals are not identified or identifiable (thereby creating anonymised data). Anonymised data is not personal data, and we may use such data to conduct research and analysis, including to produce statistical research and reports or for any other purposes.  

We may share this anonymised data with organisations, such as those identified in Section 5. For example, this non personal data may be shared with government and public sector organisations to help them: assess the impact of changes to the financial economy on consumers and businesses; to inform policy setting and monitor the effectiveness of policy implementation; or to enable tailored economic support and other key resources to be directed to the groups that need it the most.

 

(j) Data management activities

We use data to carry out certain processing activities to support our own business operations. This includes supporting the effectiveness, efficiency and security of our databases, products and services, both in the context of our credit reference activities and more widely. For example: 

  • Data loading: data is checked for integrity, validity, consistency, quality and age to help make sure it is accurate. These checks pick up issues such as irregular dates of birth, names, addresses, account start and default dates, and gaps in status history. 
  • Data matching: data is matched to our existing databases to help make sure it is assigned to the right person, even when there are discrepancies like spelling mistakes or previous names or different versions of a person’s name. We use data to create and confirm identities, which we use to underpin the services that we provide. 
  • Data linking: when we compile data into our databases, we create links between different pieces of information. For example, people who appear financially associated with each other may be linked together and a person can be linked with their previous and current addresses. Also, where someone has an alias, such as a maiden name and married name, these names will be linked. 
  • System maintenance and testing: data may be used when carrying out system maintenance, repair and testing, and security activity. 

Each of us has our own processes and standards for data management activity.

 

(k) New development and testing

We use data to help develop new products, services and technologies and to test them. This may include the controlled use of artificial intelligence or machine learning techniques. We may combine data with information from other parts of our businesses and use data to develop products, services and technologies in other parts of our businesses. Where appropriate, we will anonymise data before it is used for these purposes.

 

(l) Compliance with laws

We use and disclose data where required by law. For example, this can happen in response to a court order or a request from a regulator, or in order to comply with a request from a person (or by a third party acting on their behalf), to exercise their legal rights in respect of any personal data, such as by requesting a copy of it.


(m) Government and public sector organisations

We may provide data to government and public sector organisations. For example, their uses of this data could include:

  • the assessment or collection of any taxes, duties, or other such impositions; recovering unpaid income tax, council tax or national insurance contributions; 
  • recovering unpaid television licence fees; 
  • benefits eligibility assessment and monitoring (for example, by checking for changes in circumstances that would affect established eligibility); 
  • the assessment or collection of any payments due to a public sector organisation in carrying out a statute or other legal obligation; 
  • the detection and prevention of a crime, and the apprehension and prosecution of offenders;
  • the detection, prevention and recovery of improper payments or overpayments from public funds; and
  • for the purposes of any legal proceedings (including prospective legal proceedings). 

3. WHAT ARE THE CREDIT REFERENCE AGENCIES’ LEGAL GROUNDS FOR HANDLING DATA? 

Data protection law requires us to always have what is referred to as a “lawful basis” (i.e. a reason or justification) for processing personal data. There are a number of lawful bases available, but the majority of our data processing activity is on the basis that:

  • the processing is necessary to pursue our legitimate interests and those of third parties (such as our clients), and those interests do not unduly prejudice the rights and freedoms of individuals; or
  • the processing is necessary to comply with a legal obligation binding on us.

For information about any other lawful basis relied on by each of us, please review our individual privacy notices (see Section 14).

LEGITIMATE INTERESTS

We use data to pursue our legitimate interests, those of our clients and those of individuals. The following table explains these legitimate interests. We have carried out assessments and concluded that these interests are not overridden by the interests or fundamental rights and freedoms of individuals.

Interest Explanation
Promoting responsible lending and helping to prevent over-indebtedness

Responsible lending means that lenders only sell products that are affordable and suitable for the borrowers’ circumstances. This is in the interests of borrowers so that they do not become burdened with debt that they cannot afford to repay, and the stress associated with that. It is also in the interests of lenders in that it reduces bad debt and collections activity.

We facilitate responsible lending by providing services that allow lenders to access information about a person (and anyone they have a financial association with, such as a joint account holder), including how they are managing current debt, have managed debt in the past and whether they have sufficient income to repay the debt.

Helping prevent and detect fraud, money laundering and validate and verify identity

We provide identity, anti-fraud and anti-money laundering services to help clients meet legal and regulatory obligations. These services benefit individuals by facilitating prompt access to services through identity verification, and helping to protect them against fraud, and other criminal activity.

Prevention and detection of fraud, money laundering and other criminal activity is in our legitimate interest and that of our clients. It is also to the benefit of wider society and therefore in the public interest.

Customer and data management activities for the benefit of consumers and businesses

We provide services which help businesses maintain the quality of the customer data they hold and make informed decisions about how they engage with their customers.

It is in our legitimate interests to offer these services to our clients, but it is also in the legitimate interests of both the consumer and businesses by helping ensure that the information held about them is accurate, comprehensive and up-to-date and that informed and responsible decisions can be made, particularly in the context of lending decisions.

Supporting tracing and debt recovery

We provide services that support tracing and collections where the client has a legitimate interest in conducting activity to find its customers and to recover debt, or to reunite, or confirm that an asset relates to the right person.

Enabling landlords to check the suitability of their prospective tenants

We enable landlords to verify some of the information provided by their prospective tenants, as well as confirming that they are who they say they are and that they are likely to be willing and able to pay their rent on time. This helps the landlord to decide whether to agree to the tenancy, or how much of a deposit they should ask for; and it reduces the risk that the tenancy relationship will subsequently break down. It also helps tenants to avoid getting into legal difficulties where they have agreed to pay rent that they cannot afford.

Enabling employers to check the suitability of their current and prospective staff

We enable employers to verify some of the information provided by their staff and job candidates and confirm that they are who they say they are. We also enable employers to assess whether the staff member or candidate has a history of managing their own financial commitments well, or whether they are financially compromised. This can help reduce the risk of fraud and can help the employer to decide whether the person is or would be a suitable member of its staff. All of this is in the legitimate interest of those employers.

Enabling insurers to calculate and price risk more accurately

We enable insurers to consider certain kinds of data when they are assessing risk. This data can help the insurer decide whether to provide cover to a person, and how much the insurance premium should be. This enables them to better forecast their future liability and to price their insurance products more accurately and competitively. For consumers, it means that insurance policies are priced more fairly, with the lowest-risk individuals paying less for their insurance.

Supporting government and public sector organisations in the performance of their duties

We enable government and public sector organisations to consider certain kinds of data to help them in the performance of their duties. For example, this could include the assessment or collection of taxes; benefits eligibility assessment and monitoring; and the detection, prevention and recovery of improper payments or overpayments from public funds. This enables them to protect public money and ensure it is used effectively. This is in the public interest. For consumers, it means that their tax contributions are utilised efficiently and effectively and that the right benefits and entitlements are granted to them.

Supporting compliance with legal and regulatory requirements

Our services may be used by our clients to help them comply with their own regulatory obligations, for example, complying with anti-money laundering obligations and regulations set by the Financial Conduct Authority (‘FCA’) which require lenders to assess the creditworthiness of individuals who apply for loans. This is in the legitimate interest of clients.

Our services are also regulated, and we may use data to ensure our own legal and regulatory compliance. As part of this compliance, regulators may also ask us to provide information to assist them. For example, the FCA may ask for data to help inform them of areas of potential harm to allow them to identify areas where they should focus their resources.

Further, these regulatory obligations are in place in the interests of wider society, so facilitating compliance with them indirectly benefits society as a whole, which is in the public interest.

Promoting responsible, efficient and informed marketing activities for the benefit of consumers and businesses

We provide services to support organisations in ensuring that their marketing strategies are responsible, informed and efficient. This helps them to reduce waste (driving costs down and increasing competition) and avoid sending communications to individuals who are less likely to be interested in receiving them or who should not receive them.

Commercial interests

It is in each of our legitimate interests to provide the services described above to our clients to generate sales revenues.

Enabling gambling organisations to meet their obligations to protect individuals from the impacts of problem gambling

Our services may be used by organisations to help protect individuals from the impacts associated with problem gambling and gambling related harms. Excessive spending on gambling at the expense of payment of priority household debts (such as mortgage or rent payments) could have a significant financial impact on the individual and family unit.  This is in the legitimate interests of gambling organisations and supports them to comply with their regulatory obligations, whilst also being in the legitimate interests of individuals. 

There are wider societal benefits, including reducing the burden on public health services and impacts on the economy.

Our use of data is subject to an extensive framework of safeguards that balance the legitimate interests set out above with the fundamental rights and freedoms of the people whose data we use and share. The framework includes information given to people about how their data will be used and how they can exercise their rights to obtain their personal data, have it corrected, erased, or restricted, object to it being processed, and complain if they are dissatisfied. It also includes extensive due diligence checks on clients, robust contractual arrangements, and internal data management processes that we have in place. These safeguards help to sustain a fair and appropriate balance and to protect the rights and freedoms of individuals.

LEGAL OBLIGATIONS 

In some circumstances we are required by law to use or share data in particular ways. This happens, for example, when a court, law enforcement agency or regulator makes a legally binding request or order for disclosure of data. It also happens when individual consumers exercise their rights, for example by requesting a copy of their own personal data from us.

4. WHAT KINDS OF DATA DO CREDIT REFERENCE AGENCIES USE, AND WHERE DO THEY GET IT FROM?

Each of us obtains and uses data (including your personal data) from different sources, so we often hold information that is different to some degree from that held by the others. 

However, most of the personal data we each hold falls into the categories outlined below from the sources described (please note that some of this data may relate to individuals from the Crown Dependencies[14] as well as from the UK).

Information Type Description Source
Identifiers

We hold personal data that can be used to identify people, such as name, date of birth, and current and previous addresses.

We may also hold business data including name, address and details of company shareholders and directors. 

This data is part of some of the other data sources mentioned below in this table.

Data about postal addresses is obtained from commercial sources such as Royal Mail.

Data about businesses may also be sourced from public websites, including Companies House and companies’ own websites.

Electoral register data

We hold information from the electoral register (also known as the ‘Electoral Roll’). There are two versions of this. One is known as the open register (also known as the ‘Edited Electoral Roll’ or ‘EER’) and can be used for a variety of purposes including marketing. The other is the full register which we can only use for limited purposes.

This data is supplied by local authorities.
Credit account performance data

We receive personal data about how people are managing to repay their credit commitments.

The data includes the name of the lending organisation, the date the account was opened, the account number, the amount of debt outstanding (if any), any credit available (including overdraft limits) and the repayment history on the account, including late and missing payments. This may also include transactions that have been made on a buy now pay later basis.

This data is provided by banks, building societies and other financial services providers such as credit card companies, credit suppliers, credit unions, hire purchase companies and buy now pay later organisations. It is also provided by utilities companies, mobile phone networks, retail and mail order companies and insurance companies.
Rental related data

Some of us receive personal data about whether people are managing to pay their rent on time.

The data includes tenancy reference, start date, end date, rental amount, arrangement amount and outstanding balance. 

This data is provided by social housing providers and private landlords. You can also sign up to certain services which identify your rent payments from your bank account transactions and report them to us. 
Current Account turnover data

This data includes the name of the organisation providing Current Accounts, current account numbers, sort codes, the number of account holders, the current balance, a figure for credits on each current account and sometimes a figure for debits.

This data is provided by organisations who offer people Current Accounts, such as banks and building societies and e-money institutions.

Application salary data

This data consists of the salary declared by a person when they are applying for credit. It also includes whether that figure is net or gross, and whether the salary has been verified (e.g. with copies of salary slips). This data also includes the date that an application was made.

This data is provided to us by organisations who collect declared income from individuals when they apply for credit.

This information is provided as a separate file of data, although declared income can sometimes be provided together with other data (see search footprints below).

Open Banking data

This data includes details of the financial transactions within your account(s) accessed via Open Banking (including details of payment amounts, dates, payees and payers).

This data is made available by your account provider, where access to the account has been specifically authorised by you.

For example, this may be to help support a credit application you are making to a lender or as proof of your income.

We are only permitted to obtain this data through being FCA-registered Account Information Service Providers or through working with firms that hold this FCA permission.

For more details of how each credit reference agency provides open banking services, please see the privacy notices of each credit reference agency, a link to which is provided in Section 14.

Judgment data

We obtain data about court judgments and decrees. This may include, for example, the name of the court, the nature of the judgment, how much money was owed, and whether the judgment has been satisfied. 

The government makes court judgments and other decrees and administrative orders publicly available through statutory public registers. These are maintained by Registry Trust Limited, which supplies the data on the registers to us.

Insolvency data

We obtain data about insolvency-related events. This includes data about bankruptcies, administration orders, individual voluntary arrangements, debt relief orders, sequestrations, trust deeds and debt arrangement schemes. This data includes the start and end dates of the relevant insolvency or arrangement.

This data is obtained from The Insolvency Service, the Accountant in Bankruptcy, The Stationery Office and Northern Ireland’s Department for the Economy – Insolvency Service, the London, Belfast and Edinburgh Gazettes and Registry Trust Limited.

Business insolvency data is obtained from the London, Belfast and Edinburgh Gazettes.

Fraud prevention indicators

This data consists of information which indicates that an individual has demonstrated behaviour that appears to be consistent with that of known fraudulent conduct. It also consists of information where an individual has been a victim of identity fraud or feels that his or her personal data is vulnerable due to a data breach.

This data is generated internally by us and also obtained from third parties such as Cifas, a not-for-profit fraud prevention membership organisation.

Search footprints

When an organisation uses us to make enquiries about a person, we keep a record of that enquiry. This is known as a ‘search footprint’. This includes the name of the organisation, the date, and the purpose for which the enquiry was made.

We may also receive additional data that was provided as part of the search, such as employment status, disclosed income (income is sometimes provided separately as application salary data) and contact information.

Some footprints are visible only to us and the individual about whom they are made. Other searches are also visible to other organisations, and in some cases can therefore affect credit decisions (e.g. where an organisation draws a negative inference from a debt collection search).

We generate search footprints automatically when enquiries are made about a person.

Each credit reference agency only creates search footprints for searches against its own records.

Scores

We and our clients use data to produce scores, including in relation to credit, affordability, fraud, identity, collections and insolvency. We use algorithms known as ‘scorecards’ to produce scores. Similarly, other organisations create their own scores from data obtained from us as well as other sources.

Other third-party data

This data includes phone numbers and email addresses, data concerning politically exposed persons (PEPs) and people on sanctions lists, as well as mortality data.

We receive this data from reputable commercial sources under contracts agreed from time to time.

Other additional information credit reference agencies create (not already referred to in this table)

We derive certain additional information from the data. For example:

Summarised and aggregated data: we can summarise data, for example by providing a count of the total number of accounts or judgments a person has, or the total amount of debt. We can also aggregate data about different consumers together, for example to provide an overview of the financial status of particular postcodes and other geographical areas. This may then be anonymised data.

Address links: when we detect that a person has moved to a new house, we may create and store a link between the old and new address.

Aliases: when we believe that a person has changed their name, we may record the old name alongside the new one.

Financial associations and linked people: when we believe that two or more people are financially linked with each other (for example, because they have a joint account, apply for credit together, such as a mortgage or loan, or get a joint County Court Judgment), we may record that fact. Just sharing an address with someone or even being married to them (but not having any joint credit) does not make them a financial associate.

Your financial associates can impact your ability to get credit. They appear on your credit report, and companies may check their credit history when deciding whether to approve you. This is because your financial associates may affect your ability to repay debt. For example, if your partner has been made bankrupt, companies may be concerned that you will need to help them repay their debts before you can repay your own. Credit scores you receive through services you sign-up for may reflect and explain the impact of a financial associate on your ability to get credit.

Flags and triggers: we may create flags and triggers that we use in our systems to highlight that certain data exists or to summarise that data. For example, if we hold fraud data from the fraud organisation known as Cifas, we may create a flag indicating this fact. This flag would highlight to clients that the data is available and give them the opportunity to ask for more details.

We generate this additional information from the data sources already available to us.
Data provided by individuals themselves

People sometimes provide data about themselves directly to us. For example, individuals have the right to ask us to add a short statement that will be displayed when an organisation sees data about them. This statement is known as a ‘notice of correction’ and can be used to allow the person to explain the reason for an entry. The right to do this is explained in Section 10 below.

If a person exercises any of their other legal rights, we will retain data relating to these activities; for example, records will be kept of all actions and correspondence relating to managing complaints.

This data is provided directly by individuals themselves.

5. WHO DO CREDIT REFERENCE AGENCIES SHARE DATA WITH? 

This section describes the types of organisations we share data with. Before sharing data with any third party we will, where appropriate, complete our own due diligence checks to ensure that the organisation is a real business and has applicable regulatory authorisations in place.

Clients

We supply our products and services to clients in various sectors, such as banks, building societies, other credit providers, buy now pay later providers, utility companies, mobile phone companies, insurance companies, employers, credit report providers, retailers, gambling organisations, tenant and employee vetting firms, professional services organisations (such as firms of solicitors and accountants), estate agents, landlords, marketing companies, charities and public bodies such as the police, central and local government and regulators.

Certain organisations that share financial data with us are members of closed user groups which entitle them to receive similar kinds of financial data contributed by other organisations in the group. These organisations are typically banks, building societies, and other lenders, as well as other credit providers like utilities companies, mobile phone networks and other organisations like gambling firms.

Resellers, distributors, partners, agents and other third parties

We sometimes use or partner with third-party organisations to provide combined products, or products which combine our data with other information, to help provide our products and services to clients and to help us improve our own products and services. To do this, we may provide data to third parties so that they can provide the services.

Service providers 

We may use other external organisations and other members of our own groups of companies to perform tasks on our behalf (for example, IT service providers, call centre providers and security service providers). To do this, we may provide or make available data to them so that they can perform the tasks.

Fraud prevention agencies 

Each of us is a member of Cifas, a not-for-profit fraud prevention service. Where we believe that you may have been a victim of fraud, we may share that information with Cifas so that other Cifas members can access it. This enables other Cifas members to check when (for example) a credit application is made in your name. Please refer to Cifas’ privacy notice[15] for more details.

Government and other public sector organisations

We may share information with government and other public sector organisations, including the following bodies: ministerial government departments, such as the Department for Work and Pensions, HM Revenue & Customs, HM Treasury and the Cabinet Office; publicly owned corporations and other arm’s length bodies (such as the Public Sector Fraud Authority); and private sector organisations providing services on behalf of a public sector organisation, such as a housing association acting on behalf of a local authority.

Regulators

Regulators, such as the Financial Conduct Authority, Competition & Markets Authority, Information Commissioner’s Office, Ofgem and Ofwat, can sometimes request or require us to supply them with personal data. This can be for a range of purposes such as investigating complaints or in response to legal obligations. The regulators may also need data insights from us when assessing how well a particular industry sector is working.

Law enforcement agencies

This includes police forces, security services and border control.

Individuals

People are entitled to obtain copies of the personal data we hold about them. Details on how to do this are set out in Section 9 below. 

6. WHERE IS DATA STORED AND SENT? 

All three of us are based in the UK and keep our main databases there. We may also have operations and service providers elsewhere inside and outside the UK and the European Economic Area, and data may be accessed from those locations too. Regardless of where the data is processed, we ensure that it is always protected by applicable UK and European data protection standards.

While the UK and countries in the European Economic Area all ensure a high standard of data protection law, some parts of the world may not provide the same level of legal protection when it comes to personal data. As a result, when we send data overseas we make sure suitable safeguards are in place in accordance with applicable UK and European data protection requirements, to protect the data. For example, these safeguards might include:

• Sending the data to a country that has been approved by the relevant authorities as having a suitably high standard of data protection law. Examples include the Isle of Man, Switzerland and Canada.

• Putting in place a contract with the receiving organisation containing terms approved by the relevant authorities as providing a suitable level of protection.

• Sending the data to an organisation which is a member of a scheme that has been approved by the relevant authorities as providing a suitable level of protection. One example is the UK Extension to the EU-US Data Privacy Framework (UK-US “Data Bridge”) agreed between the UK and US authorities.

Overseas recipients of data include our group companies, clients, resellers and service providers. Please see Section 5 for more information about recipients of data.

More information about the safeguards we each use can be obtained by contacting us at the contact details in Section 1 above.

7. FOR HOW LONG IS DATA RETAINED? 

Each of us may retain data for different periods of time. Information about our respective retention periods can be found at the following locations: 

  • Equifax: Equifax | CRAIN - Data Retention Periods[16]
  • Experian: Experian | CRAIN Data Retention Periods[17]
  • TransUnion: TransUnion | CRAIN Data Retention Periods[18]

These periods are subject to regular review and may change from time to time.

8. DO THE CREDIT REFERENCE AGENCIES MAKE DECISIONS ABOUT CONSUMERS OR PROFILE THEM? 

DECISIONS ABOUT CONSUMERS 

We do not tell organisations what decisions to make about consumers. Our role is primarily to provide information to other organisations which supports them in making their own decisions, as these are for each organisation to decide. For example, we do not tell lenders whether to offer credit to consumers; we just provide services that help those lenders make decisions about consumers. An organisation’s own data, knowledge, processes and practices will also play a significant role in those decisions.

We may provide similar services to our respective clients, but these services may lead to different decisions because (i) each credit reference agency may hold different information from the others, (ii) each client may place differing importance on some information compared to others, and (iii) each client may take into account information available to it from other sources. These are some of the reasons why a person may receive a “yes” from one lender but a “no” from another.

SCORES AND RATINGS 

When requested, we use the data we obtain to produce credit, risk, fraud, identity, affordability, screening, collection and insolvency scores and ratings; these are explained in Section 4 above. In providing these scores and ratings to our clients, we are not making decisions about consumers or telling organisations what decisions to make about consumers – this is for each organisation to decide on the basis of their own criteria.

9. HOW CAN A CONSUMER SEE WHAT DATA THE CREDIT REFERENCE AGENCIES HOLD ABOUT THEM? DO CONSUMERS HAVE A ‘DATA PORTABILITY’ RIGHT IN CONNECTION WITH THEIR DATA? 

DATA ACCESS RIGHT 

Consumers have the right to find out what personal data we hold about them. Each of us provides more information about access rights on our websites.

Credit reference agency How to access your data
Equifax

To get your credit report:

https://www.equifax.co.uk/Products/credit/statutory-report.html

To get other information about how to access your personal data:

https://www.equifax.co.uk/privacy-hub

To make a request by post:

Equifax Limited, Customer Service Centre, PO Box 10036, Leicester, LE3 4FS

Experian

To get your credit report:

https://www.experian.co.uk/consumer/statutory-report.html

To get other information about how to access your personal data:

https://ins.experian.co.uk/contact

To make a request by post:

Customer Support Centre, Experian Ltd, PO BOX 8000, Nottingham, NG80 7WF

TransUnion

To get your credit report:

https://www.transunion.co.uk/consumer/get-your-credit-report

To get other information about how to access your personal data:

https://www.transunion.co.uk/legal/privacy-centre/your-data-rights

To make a request by post:

TransUnion Consumer Services Team, PO Box 647, Unit 4, Hull HU9 9QZ

DATA PORTABILITY RIGHT

Data protection legislation also contains a right to data portability. Where it applies, the right to data portability gives consumers a right to receive their personal data in a standard format. However, this right only applies when personal data is processed on certain lawful grounds, such as consent. This right does not apply to our data because it is processed on the grounds of “legitimate interests”. To find out more about legitimate interests please go to Section 3 above.

10. WHAT CAN A CONSUMER DO IF THEIR DATA IS WRONG? 

When the credit reference agencies receive personal data, they perform lots of checks on it to try and detect any defects or mistakes. Ultimately, though, the credit reference agencies rely on their suppliers to provide accurate data.

If a consumer thinks that any personal data a credit reference agency holds about them is wrong or incomplete, the consumer has the right to challenge it. If challenged, the credit reference agency will need to take reasonable steps to check the data, such as asking the organisation that supplied it to check and confirm its accuracy.

If the data turns out to be wrong, the credit reference agency will update its records accordingly. If the credit reference agency still believes that the data is correct after completing its checks, it will continue to hold and use it. Where the data is part of the consumer’s credit report, they can ask the credit reference agency to add a supplementary statement of up to 200 words explaining their views about the information. This statement will be supplied to organisations who subsequently access the information that the consumer has disputed.

To do this, consumers should contact the relevant credit reference agency using the contact details in Section 1 above. Where more than one credit reference agency holds incorrect information, it may be necessary to contact them separately.

11. CAN A CONSUMER OBJECT TO THE USE OF THEIR DATA AND HAVE IT DELETED? 

This section helps consumers understand how to exercise their data protection rights to object to data being used by us and how to ask for it to be deleted. To understand these rights and how they apply to the processing of data, it is important to know that we hold and process personal data under the “legitimate interests” basis for processing (see Section 3 above for more information about this), and do not rely on consent.

Consumers have the right to object to the processing of personal data by us. This can be done by contacting the relevant credit reference agency using the contact details in Section 1 above.

Although consumers have complete freedom to contact us with objections at any time, under data protection law, a consumer’s right to object does not automatically lead to a requirement for processing to stop, or for personal data to be deleted.

Because of the importance of the credit referencing industry to the UK’s financial system, and the important purposes for which the data is needed (such as supporting responsible lending, and preventing over-indebtedness, fraud and money laundering) we will normally have compelling, overriding grounds to carry on using the personal data following an objection. In many cases, it will not be appropriate for us to restrict or to stop processing or delete data, for example, where the result would be to hide a poor credit history that could enable a person or organisation to get credit they otherwise would not be eligible for.

However, as an exception from the general rule described above, all consumers have an absolute right to object to their personal data being used for direct marketing purposes. If you object to us using your personal data for those purposes, you can get us to stop by contacting us using the details in Section 1 or specifically, in the case of Experian, through the online service at https://www.experianmarketingservices.digital/OptOut

12. CAN A CONSUMER RESTRICT WHAT THE CREDIT REFERENCE AGENCIES DO WITH THEIR DATA? 

In some circumstances, consumers can ask us to restrict how we use their data. Contact details for each credit reference agency are in Section 1 above. 

This is not an absolute right and processing will only be restricted if certain conditions are met (for example, if the processing is unlawful or the personal data is no longer required by us for the purposes for which it was obtained). 

Even where a restriction condition is met, a consumer’s personal data may still be processed (and shared) by us where certain grounds exist. These are: 

  • with the consumer’s consent 
  • for the establishment, exercise, or defence of legal claims 
  • for the protection of the rights of another natural or legal person 
  • for reasons of important public interest 

We will consider and respond to requests we receive and will assess whether any of the restriction conditions apply and, if they do, whether there are any grounds that permit the continued processing of the personal data. 

Given the importance of complete and accurate data for purposes including, for example, responsible lending and preventing over-indebtedness, fraud and money laundering, it will usually be appropriate for us to continue processing data on the basis of protecting the rights of another natural or legal person or for reasons of important public interest. Consumers can contact us to ask about this processing of their personal data so that they can understand how their data will be used.

13. WHO CAN A CONSUMER COMPLAIN TO IF THEY ARE UNHAPPY ABOUT THE USE OF THEIR DATA? 

THE CREDIT REFERENCE AGENCY 

Each credit reference agency tries to ensure that it delivers the best outcomes for its clients and for consumers. If a consumer wants to make a complaint to us, they can do so by contacting us at the following addresses.

Credit reference agency contact details:

Equifax
  • Post: Equifax Limited, PO Box 10036, Leicester, LE3 4FS
  • Email: complaints@equifax.com
  • Phone: 0333 321 4043 or 0800 014 2955

Experian
  • Post: Experian, PO BOX 8000, Nottingham, NG80 7WF
  • Email: complaints@uk.experian.com
  • Experian Complaints Handling Procedure

TransUnion
  • Post: TransUnion Customer Relations Team, PO Box 647, Unit 4, Hull, HU9 9QZ
  • Email: ukcustomerrelations@transunion.com
  • Phone: 0330 024 7574

Each of us also has a data protection officer who can be contacted about matters relating to the protection of personal data at the relevant credit reference agency. The contact details for each of our data protection officers are:

THE INFORMATION COMMISSIONER’S OFFICE 

If a consumer is not satisfied with how we have investigated a complaint, the consumer can refer their concerns to the Information Commissioner’s Office which is the body that regulates the handling of personal data in the UK. The contact details are: 

  • Phone: 0303 123 1113 
  • Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow SK9 5AF 
  • Website: https://www.ico.org.uk

You may also have the right to raise questions or complaints to the relevant supervisory authority or other data protection regulator in the jurisdiction where you are resident. If you are resident in the Isle of Man or the Channel Islands, the relevant data protection regulator’s details are:

  • Isle of Man: Isle of Man Information Commissioner
  • Jersey: Jersey Office of the Information Commissioner
  • Guernsey: The Office of the Data Protection Authority

THE FINANCIAL OMBUDSMAN SERVICE

Where the complaint relates to an activity which is regulated by the Financial Conduct Authority (such as credit reporting and affordability checks), consumers also have the right to refer the matter to the Financial Ombudsman Service (FOS) for free. The FOS is an independent public body that aims to resolve disputes between consumers and businesses like credit reference agencies.

If you live in the Isle of Man or the Channel Islands, this service is also available to you because we are UK-based businesses.

The contact details are:

14. WHERE CAN YOU FIND OUT MORE?

The work we do is very complex, and this document is intended to provide only a concise overview of the key points. More information about each credit reference agency and what it does with personal data is available at the following locations: 

Credit reference agency Information
Equifax:

Information about other products and services (including marketing services and the use of the legitimate interests relied on for their marketing services):

Experian:

Information about other products and services (including marketing services and the use of the legitimate interests relied on for their marketing services):

Information about fraud prevention services:

TransUnion:

Other TransUnion privacy notices, including those covering TransUnion’s marketing services and open banking services, are available at:

The Information Commissioner’s Office also publishes advice and information for consumers in its Credit Explained leaflet[19].

[1] ICO: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/individual-rights/

[2] Business Information Providers Association: https://bipa.uk.com/

[3] Equifax: https://www.equifax.co.uk/efx_pdf/Understanding-your-credit-information-equifax-v2.pdf

[4] Experian: https://www.experian.co.uk/consumer/product-factsheets/understanding-credit-information.pdf

[5] TransUnion: https://www.transunion.co.uk/content/dam/transunion/gb/consumer/collateral/transunion-understanding-your-credit-information.pdf

[6] Experian: https://www.experian.co.uk/privacy/privacy-and-your-data

[7] Experian: https://www.experian.co.uk/business-information/marketing-transparency-notice

[8] Equifax: https://www.equifax.co.uk/privacy-hub

[9] TransUnion: https://www.transunion.co.uk/privacy

[10] Experian: https://www.experian.co.uk/privacy/consumer-information-portal

[11] Experian: https://www.experian.co.uk/business-information/marketing-transparency-notice

[12] Equifax: https://www.equifax.co.uk/privacy-hub

[13] TransUnion: https://www.transunion.co.uk/legal/privacy-centre/pc-marketing-services

[14] The Crown Dependencies are the Bailiwick of Jersey, the Bailiwick of Guernsey (which includes the jurisdictions of Guernsey, Alderney and Sark) and the Isle of Man

[15] Cifas privacy notice: https://www.cifas.org.uk/fpn

[16] Equifax: https://www.equifax.co.uk/privacy-hub/crain/retention

[17] Experian: https://www.experian.co.uk/legal/crain/data-retention

[18] TransUnion: https://www.transunion.co.uk/legal/crain-retention

[19] ICO: https://ico.org.uk/media/your-data-matters/documents/1282/credit-explained-dp-guidance.pdf