Contact Andrew Bibby
Using the Data Protection Act to protect your consumer rights
This article by Andrew Bibby, in a slightly different form, was first published in The Observer, 2003
What do you do if you can't get a loan because, let's say, a credit reference company has mixed up your personal details with those of somebody living many streets away?
This was exactly the difficulty facing Paul Ticher and his partner Gill Taylor when they recently decided to remortgage with the Nationwide. The major credit reference company Experian had amalgamated their file with that of a complete stranger, also with the surname Taylor, who lived in a street with a similar name - but hundreds of yards away and with a completely different postcode. It meant that Nationwide were unable to release the funds, and this in turn directly cost Paul and Gill over £150 in extra payments on their old mortgage.
Faced with the prospect of long and protracted correspondence with Experian, Paul Ticher, a consultant and trainer on data protection issues for voluntary organisations, knew he had another route open to him. He used his rights under the Data Protection Act's Assessment procedures to ask the Information Commissioner to rule whether Experian were in breach of their legal data protection obligations.
Three weeks later, the Information Commissioner's assessment came back, confirming Paul's view: Experian, it appeared, had indeed failed to comply with two data protection principles, requiring data to be accurate and relevant. "Armed with that, I asked Experian to reimburse the money I had overpaid on my mortgage plus some money for associated distress," Paul says. The mistakes on the credit files were remedied by Experian and, even better, a few weeks later a cheque for £300 came in the post from the company.
The Data Protection Act brought into UK law potentially powerful safeguards for personal data agreed at European level, but its operation remains a mystery to most people. Paul Ticher believes the Assessment process should be better known. "It could be valuable in loads of cases - look at all the utility companies who are messing up people's accounts, for example," he says. "Anyone who's lost money from inaccurate data could have a claim for compensation".
He is not alone in making use of the Act. Antoinette Carter parked briefly in an empty private car park in Notting Hill Gate one Sunday afternoon to drop clothes off in a nearby charity shop, and found when she returned that the car had been clamped. "When the security guard came to relieve me of the £100 clamp fee, he said he'd seen me on the CCTV monitor," she says. She paid up, but as data protection officer for the British Council, she also knew what to do next: "They had no CCTV signage anywhere. I wrote to the company, said that this amounted to unlawful processing, and received a refund in the post a few weeks later," she says.
Charles Oppenheim, professor of information science at Loughborough University, has an even better story to tell. He has successfully used the Data Protection Act no less than three times to sort out bureaucratic bungling, including the occasion when the loss of his old mortgage records by Abbey National threatened to jeopardise his right to a £20,000 endowment policy payout. "I wrote to the data protection manager at Abbey National and said 'You're in breach of the Act'," he says. "It's a very powerful weapon against large organisations, which can act like juggernauts. It needs a lot more publicity."
The challenging task of upholding the law and promoting compliance with the eight official data processing principles takes place in an office block in the perhaps unlikely location of Wilmslow, Cheshire, where the Information Commissioner is based. By general consensus hopelessly under-resourced for the task it faces, this public agency tends to try to achieve results by persuasion and pressure rather than by sanction. It has no power to award compensation for individuals who have suffered loss. Nevertheless, the Act requires the Commissioner to make formal Assessments on request from individuals who believe that data protection principles, such as data accuracy or relevance, have been breached.
"We're trying to ensure that there's good public awareness of this," says Jonathan Bamford, Assistant Commissioner at the agency. He says that requests for Assessment are more likely to be dealt with quickly if individuals can show that they have already tried to get companies to sort out problems and errors. He also points out that there is a right under the Act to claim compensation through the courts if people can demonstrate they have suffered damage and distress. "The good thing about the right to Assessment is that, by making a judgment, we're giving people a mechanism for them to show to the court - for them to say 'I suffered loss, therefore please award me compensation'," he says.
Nevertheless, very few people appear to be using this facility. Last year, the Information Commissioner dealt with only 12,000 Assessments, a figure which also includes initial public enquiries falling outside the provisions of the Act. Perhaps significantly, 20% of these Assessments and enquiries concerned credit reference files, an area where the Information Commissioner is devoting considerable resources.
As Paul Ticher's case demonstrates, invoking the Assessment procedure can resolve problems without the need for court action. "I'm really pleased with the way the system worked. The mechanism did seem to be there, even if it is slightly creaky, to get things sorted out," he says.
www.informationcommissioner.gov.uk 01625 545700
Return to my home page