CallCredit (Noddle) Fundamental Breach of Data Protection Act 1998

DevCoder

the bank should have spotted the unusual activity pattern (unless it was one or two very big transactions and even these normally result in a refer to merchant request when the payment is attempted (so if youre in a shop thye have to ring the bank and they will then want to tlak to you to confirm identity).

The CRA is just fed data by the bank , it is not there to detect fraud. also the banks only tend to update the CRA's once a month and even thats dependant on the payment authorisation fully clearing the back office systems.

VictimOfImpersonation

krisdorey wrote: »

The CRA is just fed data by the bank , it is not there to detect fraud.

There we have that rather silly assertion again, Kris. The CRA is a data controller. If it just accepts everything it is fed, stores it and then regurgitates it then sorry to say that QED it is a reckless data controller (DPA 1998 55(1) ).

...also the banks only tend to update the CRA's once a month and even thats dependant on the payment authorisation fully clearing the back office systems.

I think there are a myriad of levels at which banks and other credit provider interact with banks on a delayed basis or a "live" basis. Irrespective of when exactly the incorrect data is received, there is no valid excuse in any time delay or conversely in any time pressures for responding back instantly with a "checked ok" flag to a credit provider making an instant decision on a new app. Inaccuracy must not be tolerated. Instant credit decisions must not be made if credit check data is not 100% reliable.


So there is no excuse at any time for receiving it unchallenged, not subsequently re-verifying it periodically against consistent data already held, or in retaining incorrect data especially when fraud has been notified directly. In Noddle's case it is 9 days I think since I notified them and I have no assurance that they have yet changed their file on me.

CRISPIANNE3

VictimOfImpersonation wrote: »

Recent regulars to this section of MSE's forums will be aware of the ongoing dingdong I have going with Experian company representative.
I singled Experian out for some special attention because I have proof of insecure handling of my personal data which has exposed me to successful ID Theft.

I have also started a thread which calls for reform of all CRAs because they are all unfit for purpose in that I have proved that none are capable of alerting me to the most obvious indication of ID Theft in progress (two did not check the false data that had been passed to them by a bank which itself had also failed to check and one was oblivious), and their other purposes including credit score and alert services which are also being questioned continuously by others in this forum.

I have started this particular thread because I have just this evening found proof that CallCredit were also passed the incorrect dob data but did nothing to check it. So I shall argue that they are equally as guilty as Experian of reckless obtention and retention of data in that regard.

It should not be forgotten that around 4 years ago, CallCredit sold an immediate downloadable Full Credit Report in my name to a fraudster who paid for it using an insecure prepaid Mastercard. CallCredit relied upon that card being in my name for their own security. In fact, very little security checking was ever done by the prepaid card issuer so it was always dangerous to rely on it. CallCredit did not realise the error of their ways. I believe CallCredit (Noddle) online security was tightened in 2010 afterwards, but let's not be complacent looking forward. Now there are other problems and other security holes.

So CallCredit company representative, where are you ? Why has CallCredit still not responded to my direct online report of a fraudulent entry on my Credit Report? Why did you not reject the new incorrect date of birth entry or challenge it when the card provider gave it to you over two months ago? Why did you not alert me to this new account at all when I signed up again recently?

Can any CallCredit company representative do any better than Experian company representative in response to these highlights of fundamental breaches of DPA 1998 55(1) not to mention breaches of trust ?

There is life out there. Please get one and focus on something really worthwhile.

Tiddlywinks

VictimOfImpersonation wrote: »

There we have that rather silly assertion again, Kris. The CRA is a data controller. If it just accepts everything it is fed, stores it and then regurgitates it then sorry to say that QED it is a reckless data controller (DPA 1998 55(1) ).

NOT 55(1)

http://www.legislation.gov.uk/ukpga/1998/29/section/55

Anyway, the CRAs are NOT in a position to check the validity of the data - the data controller for each CRA must simply ensure that they correctly record the information provided to them by the financial organisations.

The ICOs guidance is here:

http://www.scoronline.co.uk/files/scor/high_level_prinicples_document_final.pdf

In your circumstances, where you believe an entry to be incorrect, the ICO advises:

"Where there is a problem with the content of a CRA record, you should contact the organisation concerned to give it an opportunity to put things right."

So, have you contacted the organisations concerned to give them the opportunity to correct the data?

Or would that ruin your hobby of ranting drivel on here?

JuicyJesus

VictimOfImpersonation appears to be doing absolutely everything to fix his problem aside from what will actually fix his problem.

Tiddlywinks

JuicyJesus wrote: »

VictimOfImpersonation appears to be doing absolutely everything to fix his problem aside from what will actually fix his problem.

I agree... he keeps mentioning the ICO and the DPA etc... but even the ICO says:

http://www.ico.org.uk/for_the_public/topic_specific_guides/credit


What should I do if my credit file is inaccurate?

If your credit file is inaccurate, you can raise your concerns with the credit reference agency. However, the problem may lie with the original lender or organisation that supplied the agencies with their information and you may need to contact them instead.
In most cases these issues should be speedily resolved, but in those cases where there is an obvious inaccuracy and it's not corrected, we may be able to help. Please note that it's not our role to decide on financial disputes.

VictimOfImpersonation

JuicyJesus wrote: »

VictimOfImpersonation appears to be doing absolutely everything to fix his problem aside from what will actually fix his problem.

It's not my problem that needs fixing. There is a security hole at the card provider and at two CRAs which makes us all vulnerable to ID Theft. All three know it. In particular the card provider which uses Experian in it's realtime/live check process for online application decisions knows exactly what the problem is, and CallCredit knows exactly what data should be erased. Experian I set a more testing task because they are up to their neck on this as much as the card provider. The challenge of now doing any kind of general dob mismatch query exercise on their database appears to be more than Experian can bear, so they have gone quiet.

I couldn't give two hoots whether they fix my CRA records sooner or later, but will they all fix their security holes? You should all give two hoots about that.

Can I ask you detractors from the real issue if you actually know much about the systems which cause these problems ? Are you confused by the methods by which data is shared? Are you maybe confused about the duties of all data controllers whether they are generally givers or receivers of data? Or do you perhaps know what kind of ongoing vulnerabilities are suffered by the estimated 4 million (Noddle's estimate, not mine) who have suffered ID Theft in the UK, vulnerabilities which may not be protected by CIFA or banks' own systems or CRA systems?

Are any of you part of the 4 million ? I think if you were, you might be thinking a little bit more widely about the enormity of the problems I have highlighted.

I am confused about why you are criticising me JuicyJesus. You started a thread highlighting an ombudsman decision criticising Experian and rubbishing their Credit Scoring. Are you now suggesting that everything else about CRAs' modi operandi is ok?

Tiddlywinks

As I've said before, you don't know me... Don't presume ignorance on my part.

I am well versed in the DPA and FOI and the related terminologies. I have managed bulk data sharing initiatives and data matching projects. I have also managed SAR requests and considered the issues surrounding those. My knowledge is current.

It is you that is confused about the roles of those institutions involved in your scenario.

I will continue to post only because you are spouting rubbish and newbies might actually think you are speaking from a position of knowledge if there is no one to give fact and balance to your rants.

VictimOfImpersonation

OK so you may have similar knowledge to me in some respects but you are adopting a contrary position.

The question then is not so much who is right, but why are you adopting the contrary position and ridiculing mine?

What have "newbies" got to do with it? I think in that one word you have betrayed your position. Cigarette companies even seek to groom children. Pay Day Loan companies even seek to groom children. With regard to those who are oblivious to the ways of the institutions you grandly call them, CRAs and their banking partners and other credit data providers, there is obviously a body of opinion to be influenced there too.

You wish to influence them one way. I consider it would be better if they were educated for their own benefit, not any corporate benefit.

I note too that you have said that you are "well-versed" in "terminologies", and have "managed" data-sharing "initiatives" and data matching "projects". Your language is to an extent Freudian and might suggest that you are a project manager, not a specialist, and perhaps the versing you claim was biased by the interests versing you. Clearly those initiatives and projects did not employ you as a data analyst because you have failed to acknowledge the ease with which the data can be cleansed.

By suggesting that "roles of those institutions" have been confused, you dissemble from reality. The reality is business contracts exist between them which involve data sharing and all parties fail in their duties as data controllers. The CRAs I have identified have been reckless, and the bank may also have been reckless. In all these threads, no-one has commented on breach of DPA 1998 55(1) except me. No one has denied it. Rizla king has posted statistics showing that their are numerous complaints against CRAs which demonstrate a constant stream of inaccurate data controlling from all three CRAs.

Those who "manage" DPA and FOI requests are not data specialists in my experience - they are redaction specialists who often stretch their work to the very limits of the e.g. 40 day statutory deadlines and then release a biased restricted idea of the bare minimum in responses to SARs.

I conclude that you, Tiddlewinks, are in no better position to be advising those who are ignorant of the ills in the business than I, and your motives are yet to be understood. Mine are public interest motives pure and simple - is their a public interest angle in yours we have missed ?

rizla_king

http://www.ico.org.uk/for_organisations/data_protection/the_guide/information_standards/principle_4

When an individual tells a credit reference agency its record of a particular account is wrong, the agency will usually have to contact the lender concerned to confirm that the record is accurate. If the lender satisfies the credit reference agency that the record is correct then the agency can retain it. However, if the agency is not satisfied that the record is accurate, it should amend or remove it. The credit reference agency will mark the record as being in dispute while the lender looks into the matter but it must tell the individual whether it has amended or removed the record within 28 days of receiving the challenge.

You do have to tell the CRA the info is wrong first though.