This response will confine itself to those issues of direct relevance to Experian and within our experience as a private sector organisation and will not address progress and implementation of the Freedom of Information Act, nor will it comment on Data Protection Tribunal rulings.

EXECUTIVE SUMMARY

  Experian considers the following key areas require attention in relation to UK credit referencing:

—  Public interest—The Commissioner's interpretation of the Act should take into account broad public interest arguments as well as individual consumer privacy rights.

—  Currency of guidance—A priority should be to review and update all Codes of Practice and Guidance Notes.

—  Speed and clarity of response—Data Controllers require clarity from regulators and responses to issues raised within a reasonable period. Perhaps because of a resource/workload issue, speed of response from the Commissioner's Office is slow and correspondence is frequently outstanding for a number of months. Experian currently has issues waiting for responses going back to mid 2003.

  As background to the specific points raised in the Request for Evidence, it may be useful to the Committee to understand Experian's role as the UK's leading credit reference agency (CRA).

EXPERIAN

  Experian is a global leader in providing information solutions to organisations and consumers. It helps organisations find, develop and manage profitable customer relationships by providing information, decision-making solutions and processing services. It empowers consumers to understand, manage and protect their personal information and assets. Experian works with more than 40,000 clients across diverse industries, including financial services, telecommunications, healthcare, insurance, retail and catalogue, automotive, manufacturing, leisure, utilities, property, e-commerce and government. Experian is a subsidiary of GUS plc and has headquarters in Nottingham, UK, and Costa Mesa, California. Its 13,000 people support clients in more than 60 countries. Annual sales exceed £1.2 billion.

  The nature of Experian's business requires close liaison with privacy and data protection regulators across the World. Within Europe in particular we have regular dialogue with regulators equivalent to the UK Information Commissioner working to EC Directive 95/46/EC.

  Experian's business is based on having robust data protection controls and procedures around its core CRA processes. The company also has statutory responsibilities to consumers under both the Data Protection Act 1998 and Consumer Credit Act 1974.

  A CRA brings together data from many different sources and provides these data to organisations searching the CRA database when the consumer has consented to a search being carried out. Typically this will be in relation to the consumer's application for credit when a lender will have access through the CRA to publicly available information such as the Electoral Register, County Court Judgments and Bankruptcies.

  In addition, Experian hosts the UK's most comprehensive and sophisticated system for enabling lenders to share information about the conduct of credit accounts for the purpose of preventing over-commitment, bad debt, fraud and money laundering with the sole aim of promoting responsible lending.

  The most significant source of information available to lenders is customer performance data that is shared by lenders through a CRA and made available to them on searching the CRA's database at the time they are assessing a credit application. Experian processes over 100 million searches each year and holds more than 300 million records on individual credit accounts from approaching 400 lenders. These include building societies, banks, finance houses, telecoms providers, high street retailers, credit card issuers and the home shopping sector.

  Experian also has a statutory duty to consumers to provide a copy of an individual's credit report on request and to deal with any queries on that report. We receive approaching 1 million such requests each year and employ over 150 staff specifically for this consumer-facing function.

  Data Protection Act compliance by both Experian and its clients is therefore critical.

Turning to the issues raised in the Request for evidence:

The role and responsibilities of The Information Commissioner and the enforcement of the Data Protection Act

  As well as enforcing the Act, it should be a key role and responsibility of the Information Commissioner to work with Data Controllers to assist them to understand and practically implement the Act.

  Data Controllers require clarity from regulators and responses to issues raised within a reasonable period. From Experian's dealings with the Office responsiveness has deteriorated over the past three years with correspondence often being outstanding for a number of months.

  Experian considers that interpretation of the Act should take into account broad public interest arguments as well as individual consumer privacy rights.

  There will be occasions, as recognised by the then commissioner Elizabeth France in the Office's publication The Data Protection Act 1998 Legal Guidance (2001) when ". . . the fact that the processing of the personal data may prejudice a particular data subject does not necessarily render the whole processing operation prejudicial to all the data subjects."

  There is scope within the legislation for this approach and Experian welcomes the stated intention of the Information Commissioner to make data protection simpler. However, this requires a change of approach from the Commissioner's staff who, in our experience, do not yet accept this interpretative remit. Indeed there appears to have been a shift in emphasis from the approach adopted by the Commissioner's predecessor from one of providing pragmatic guidance to one of applying the letter of the Act irrespective of the practical consequences.

EXAMPLE—DATA SHARING AND INDEBTEDNESS

  The most striking example of this relates to data sharing and the impacts on consumer indebtedness—a highly topical subject within Government at present and one which is currently receiving much media attention. Two very high profile cases in March this year—one involving a suicide, the other relating to over-commitment by an elderly pensioner—illustrated how human tragedy can be the end-result of over-borrowing.

  Most major lenders in the UK now share data, but there is no compulsion on them to do so. There is, however, increasing pressure from various quarters, for example the Treasury Select Committee, the DTI and consumer organisations including the Consumers' Association, for all lenders to share full data to help prevent the hardship and misery caused by over-indebtedness.

  The ability of lenders to respond positively to this pressure is affected by the view of the Information Commissioner's Office that the Data Protection Act requires the individual consumer to have been notified that their data were to be shared at the time an account was opened. If this was not the case, the Commissioner's office considers that the lender needs to communicate again with an individual and request positive consent for this to happen.

  Lenders would be prepared to communicate with customers notifying them that their account details would be shared going forward and inviting them to respond with any objection. They do not consider it would be cost effective to invite customers to respond with positive consent.

  Past experience shows that only a small percentage of people contacted would respond, so making the exercise unsuccessful in its aim of significantly increasing the amount of data shared. It is estimated that because of this many million accounts, in particular credit cards and personal loans, are not available to lenders when underwriting a credit application. One major UK lender estimates that they have around six million active accounts falling into this category.

  Experian and the Chair of the cross-industry data sharing committee (Steering Committee on Reciprocity) met with an Assistant Commissioner as recently as 1 March 2004 to debate this issue but no progress has yet been made. Both Experian and the SCOR Chair have subsequently written to the Commissioner's Office re-enforcing the arguments around this critical issue but no definitive responses have yet been forthcoming.

POSITION PRE 1998 ACT

  Under the Guide to Credit Referencing issued in 1995, the then Commissioner considered it permissible to share default data—in other words data relating to a loan where the borrower/lender relationship had broken down—irrespective of a lack of notification at the time the account was opened. The rationale for this was that there had been a contractual breach by the borrower and that the notice sent by the lender advising that default proceedings would be taken (usually within 28 days, giving the borrower an opportunity to remedy the breach) could specify that the default would be filed with a CRA.

CURRENT POSITION

  Unfortunately, the Commissioner's Office now takes the view that there must have been notification/consent at the time the account was opened, for any data, even default, to be shared. This means that even for those cases where an individual clearly cannot meet their repayment obligations another lender may be unaware of this. Although there is no new guidance, the Office considers the 1995 Guide to be out of date and that the views of the then Commissioner have been superseded by the 1998 Act.

  In practical terms this creates significant barriers to full (and even default) data sharing; it is worth noting that the consumers concerned, if they have applied for credit more recently, will have given tacit data sharing consent via a notification clause on application for credit, which is now the accepted method of obtaining consent.

  Experian, the credit industry and the DTI (through its work on the Indebtedness Task Force, of which Experian was a member, and the Consumer Credit Act White Paper) and the Treasury Select Committee all consider that it is increasingly imperative that full data sharing is promoted to protect the consumer. Various consumer groups support this view, in particular the Consumers' Association which considers any barrier preventing full data sharing by as many lenders as possible should be removed as a matter of urgency.

  This privacy barrier must be reviewed in the light of increasing concerns about over-indebtedness. It can never have been the intention of privacy legislation, or the interpretation and practical implementation of such legislation, to stand in the way of a solution to issues of such broad public and national benefit.

Progress on the development of codes of practice for data controllers, in particular relating to third party disclosures and third party data processing by credit reference agencies

  The Commissioner's Strategic Plan and Annual Report outline steps currently being taken in respect of improving and targeting enforcement and this ties into the demonstrable increase in public awareness of their rights under the Act.

  However, enforcement without adequate prior guidance on how the Act is likely to be interpreted in practice does not seem consistent with the public messages put out by the Office around making data protection simpler and more understandable for Data Controllers. In particular there has been insufficient credit sector guidance issued to reflect the 1998 Act's requirements, and more importantly, the Commissioner's interpretation of those requirements.

  This causes confusion and uncertainty. While the Information Commissioner has a positive duty under the Act to issue Codes of Practice, Experian considers that more sector-specific guidance is required for the credit industry, in particular bearing in mind the macro-economic implications of this sector for the UK.

  In respect of credit referencing specifically, the Guide to Credit Referencing is now outdated and goes back to 1995. Recent discussions with the Information Commissioner's Office indicate that their view is that this Guide is no longer relevant. CRAs are therefore having to operate on advice obtained during ad hoc consultation with the Information Commissioner, a far from ideal situation which is compounded by long response times to queries.

  It is therefore considered that a priority should be to review and update all Codes and Guidance Notes. This would benefit data controllers generally and also free up the Information Commissioner's staff in the long run.

THIRD PARTY DATA PROCESSING

  Experian was heavily involved in discussions with the Information Commissioner's Office on the new Third Party Data (TPD) Processing requirements and in drafting the definitive Business Requirements Specification agreed with the then Commissioner, Elizabeth France.

  Since then, Experian has been very active, in its own right and as a member of both consumer and credit industry groups, driving these changes forward and is confident that its clients and the industry generally will be compliant by the Commissioner's deadline of the end of October this year. Experian's own core systems have been compliant since March 2002 and many of its clients are already operating on fully TPD compliant platforms. This has involved significant investment and resource by individual organisations and by the industry as a whole.

  In April the Commissioner's Office finally issued a press release giving six month's notice of the October 2004 deadline for TPD systems' migration. Experian welcomes this clarity from the Commissioner's Office although had been pressing for a firm date for some time to support our own initiatives in driving forward the complex changes required across the credit industry.

John Saunders

Chief Executive Officer

Experian International

April 2004