CallCredit (Noddle) Fundamental Breach of Data Protection Act 1998

Comments

  • Yes, I have done that with Call Credit 10 days ago and again 3 days ago. They've acknowledged the second but not the first. The person who acknowledged the second also commented that whoever had been allocated the first to respond to actually had 28 days to respond. I've no idea how much time they claim for themselves to actually clean the file - oh pardon me - I do now! Thanks rizla king!

    With Experian they too know exactly what is wrong (dob mismatch) but as a test I challenged them to do a general clean-up and we are monitoring how long it takes for an individual's record to be cleaned when fraud is reported by the customer to the card provider. Hopefully the card provider (which is big and plenty ugly enough) will by now (over three weeks) have told them to clean up my record, and probably by now the card provider will also have picked up the phone to discuss exactly where the security hole is - it is not for me to re-negotiate upon the failings of the "live" data sharing / instant credit check contract that they have entered into.
  • rizla_king
    rizla_king Posts: 2,895 Forumite
    Part of the requirements on what a CRA must do when you dispute information fall under the Data Protection Act, but there are also basic requirements that were set down in previous legislation that still apply as well.

    They just got amended slightly to reflect the DPA.

    http://www.legislation.gov.uk/ukpga/1974/39/section/159
  • Tiddlywinks
    Tiddlywinks Posts: 5,777 Forumite
    OK so you may have similar knowledge to me in some respects but you are adopting a contrary position.

    The question then is not so much who is right, but why are you adopting the contrary position and ridiculing mine?

    I am not adopting any position - this is not a battle.

    I will continue to point out, however, that the CRAs are not the decision makers nor the card issuer in the case you keep using as an illustration.

    They are not to blame for the fraud.
    What have "newbies" got to do with it? I think in that one word you have betrayed your position. Cigarette companies even seek to groom children. Pay Day Loan companies even seek to groom children. With regard to those who are oblivious to the ways of the institutions you grandly call them, CRAs and their banking partners and other credit data providers, there is obviously a body of opinion to be influenced there too.

    You wish to influence them one way. I consider it would be better if they were educated for their own benefit, not any corporate benefit.

    You are sounding a little paranoid now... 'newbies' are not children but those new to the site who may be seeking information... I don't want them to stumble over your opinions and assume them to be fact to be acted upon.

    I note too that you have said that you are "well-versed" in "terminologies", and have "managed" data-sharing "initiatives" and data matching "projects". Your language is to an extent Freudian and might suggest that you are a project manager, not a specialist, and perhaps the versing you claim was biased by the interests versing you. Clearly those initiatives and projects did not employ you as a data analyst because you have failed to acknowledge the ease with which the data can be cleansed.

    I am not going to engage in debate about who has the biggest credentials - that is frankly pathetic.

    This is an anonymous board with no way of knowing who or what I am - and that suits me just fine. If you want to think of me as a pleb then so be it! I don't care because this is not real life.

    As to data cleansing, that cannot be done without the input from the provider of the original said data as they provided it to the CRAs with an assurance of its accuracy. To change it would be inappropriate without communicating with the data provider first.

    By suggesting that "roles of those institutions" have been confused, you dissemble from reality. The reality is business contracts exist between them which involve data sharing and all parties fail in their duties as data controllers. The CRAs I have identified have been reckless, and the bank may also have been reckless. In all these threads, no-one has commented on breach of DPA 1998 55(1) except me. No one has denied it. Rizla king has posted statistics showing that there are numerous complaints against CRAs which demonstrate a constant stream of inaccurate data controlling from all three CRAs.

    Those who "manage" DPA and FOI requests are not data specialists in my experience - they are redaction specialists who often stretch their work to the very limits of the e.g. 40 day statutory deadlines and then release a biased restricted idea of the bare minimum in responses to SARs.

    I conclude that you, Tiddlewinks, are in no better position to be advising those who are ignorant of the ills in the business than I, and your motives are yet to be understood. Mine are public interest motives pure and simple - is there a public interest angle in yours we have missed?

    You keep mentioning 55(1) - you are wrong in so many ways... have you been trained in how to read legislation? I have - you are just wrong.

    My motive? To address your inaccuracies.

    Your motive? Not public interest as you assert as there are better ways to achieve your goal than this. Getting better acquainted with the relevant legislation and guidance from the Regulator would be a good start.
    :hello:
  • VictimOfImpersonation
    VictimOfImpersonation Posts: 334 Forumite
    edited 8 January 2014 at 12:22PM
    I will continue to point out, however, that the CRAs are not the decision makers nor the card issuer in the case you keep using as an illustration.

    They are not to blame for the fraud.
    I don't understand
    • why you say neither the CRAs nor the card issuer are "the decision makers"
    • why you say they are "not to blame for the fraud".
    Are you splitting hairs on what decision you are saying they are not making?

    Are you splitting hairs on the difference between not instigating a fraudulent act and not preventing one from succeeding?

    There is certainly no public interest in you doing so.

    I have explained three security holes - one old one that caused me a great deal of upset, where CallCredit issued a full credit report to fraudsters in my name which went undiscovered for months, and the more recent one where a card issuer entered into a contract with another CRA (Experian) to provide a live data link via which an instantaneous "credit check" was made the moment a punter clicked "Submit" for a new credit card application on the card issuer's website. This facilitated an "instant decision" to issue a card in my name with no data correct apart from my partial name and address!

    The third one was where CallCredit received the data on the new fraudulent agreement containing reams of inconsistent data and did not flag it as an alert.

    Explain your own assertions carefully please:
    You keep mentioning 55(1) - you are wrong in so many ways...
    Say why please. Feel free to mention those ways that are so many.
    ...have you been trained in how to read legislation?
    Yes over decades, and as a result of it have successfully challenged new law in court and even experienced the great satisfaction of having legal opinion unequivocally changed in my name!
    ... I have - you are just wrong.
    You must explain why.
    My motive? To address your inaccuracies.
    Then address them. Don't just keep telling me I am wrong.
    Your motive? Not public interest as you assert as there are better ways to achieve your goal than this.
    What better way than to gain two weeks of headline publicity on MSE's Credit Files and Ratings forum? Furthermore, MSE clearly thinks there might be an axe to be ground else they might surely have driven these threads into the buffers by now. I feel sure they will have pressure exerted to do something about them, and far from that happening we interestingly saw yesterday a new poll questioning what punters really know about CRA data published by MSE themselves.
  • rizla_king
    rizla_king Posts: 2,895 Forumite
    55 Unlawful obtaining etc. of personal data.

    (1) A person must not knowingly or recklessly, without the consent of the data controller—

    (a) obtain or disclose personal data or the information contained in personal data, or

    (b) procure the disclosure to another person of the information contained in personal data.

    (2) Subsection (1) does not apply to a person who shows—

    (a) that the obtaining, disclosing or procuring—

    (i) was necessary for the purpose of preventing or detecting crime, or

    (ii) was required or authorised by or under any enactment, by any rule of law or by the order of a court,

    (b) that he acted in the reasonable belief that he had in law the right to obtain or disclose the data or information or, as the case may be, to procure the disclosure of the information to the other person,

    (c) that he acted in the reasonable belief that he would have had the consent of the data controller if the data controller had known of the obtaining, disclosing or procuring and the circumstances of it, or

    (d) that in the particular circumstances the obtaining, disclosing or procuring was justified as being in the public interest.

    (3) A person who contravenes subsection (1) is guilty of an offence.

    (4) A person who sells personal data is guilty of an offence if he has obtained the data in contravention of subsection (1).

    (5) A person who offers to sell personal data is guilty of an offence if—

    (a) he has obtained the data in contravention of subsection (1), or

    (b) he subsequently obtains the data in contravention of that subsection.

    (6) For the purposes of subsection (5), an advertisement indicating that personal data are or may be for sale is an offer to sell the data.

    (7) Section 1(2) does not apply for the purposes of this section; and for the purposes of subsections (4) to (6), “personal data” includes information extracted from personal data.

    (8) References in this section to personal data do not include references to personal data which by virtue of section 28 [F1 or 33A] are exempt from this section.
  • VictimOfImpersonation
    VictimOfImpersonation Posts: 334 Forumite
    edited 8 January 2014 at 1:16PM
    55(1) is not just about hacking or stealing, is it?
    55(2) is not just about letting off the usual suspects every time they claim they are just following procedures or that they are just receiving not giving or falsely asserting some other neutral position*.

    So on the basis that no right acting data controller would consent to release inaccurate data to anyone, any other data controller recklessly obtaining it and retaining it and then causing other organisations to procure it (e.g. via a subsequent search) is guilty of the offence.

    *As a possibly interesting aside, just yesterday I also had the card issuer asserting that they are not responsible for the fraud - it was a fraudster that intercepted the fraudulently applied for card they issued (they forgot to acknowledge that they sent it to a known vulnerable existing customer address where they knew previous serious ID Theft using CRA data as an aide memoire had occurred, but this time the fraud was conducted using wholly inconsistent data!) and which they routinely sent out, I was reminded! :doh:

    So often new law ends up being interpreted and relied upon for long periods based on the summaries and guidance notes that surround its enactment, and these often later prove to be far too limiting and sometimes even misleading.

    The letter of the law is what counts and by golly we need it to count to bring these corporates to heel.
  • Careful with your language BillJones. Your post could very easily be taken as a sinister threat.

    Meantime, Credit File & Ratings regulars may have noticed that two threads (one mischievous and one by me questioning a location (or two) which bore an uncanny resemblance to the name of the mischief poster) have just disappeared.
  • luvchocolate
    luvchocolate Posts: 3,446 Forumite
    this is just ridiculous, there was no threat in the above post.
    I for one will not read any more this ranting...
  • meer53
    meer53 Posts: 10,217 Forumite
    If the CRA's and MSE feel the way most people on here do, they'll have stopped reading your posts.
  • Oh I think we can be sure they are all being read, meer53, probably unhappily, and by the card providers also. After all, it keeps getting your attention doesn't it?

    Large corporate interests do not shed this type of bad press by doing nothing.
This discussion has been closed.