Last updated: 10th October 2023
This page describes how Crediva (also called “credit reference agency/ies” or “CRA/s” in this document) uses and shares personal data (also called ‘bureau data’) it receives about you and/or your business that is part of or derived from or used in credit activity. Except where Crediva does not receive or share certain data in the same way as the three main credit reference agencies in the UK – TransUnion, Equifax or Experian, this Processing Notice largely reflects the same practices as set out in the Credit Reference Agency Information Notice (CRAIN), adopted and issued by them on the 23rd October 2017.
Crediva is one of several credit reference agencies in the UK who deal with people’s personal data. It is regulated by the Financial Conduct Authority (“FCA”) and authorised to conduct business as a credit reference agency.
(a) CREDIT REFERENCE AGENCY PROCESSING
Credit reporting and affordability checks
Different CRAs use the data they gather to provide credit reporting services to their clients.
Organisations use credit reporting services to see the financial position of people and businesses. For example, a lender or creditor may check with a credit reference agency when an individual or business applies for credit and the lender or creditor needs to make a credit decision taking into account that person or business’s credit history.
Affordability checks help organisations understand whether people applying for credit or financial products (like loans) are likely to afford the repayments.
These activities help promote responsible lending, prevent people and businesses from getting into more debt than they can afford, and reduce the amount of unrecoverable debt and insolvencies.
Verifying data like identity, age and residence, and preventing and detecting criminal activity, fraud and money laundering
CRAs also use bureau data to provide verification, crime prevention and detection services to their clients, as well as fraud and anti-money-laundering services. For example:
- When a person applies to an organisation for a product or service, the organisation might ask them to answer questions about themselves, and then check the answers against the data held by CRAs to see if they’re correct. This helps confirm the person they are dealing with is not trying to commit identity theft or any other kind of fraud.
- Where some products and services are only available to people of a certain age, organisations can check whether the person they’re dealing with is eligible by searching CRAs databases.
- If a person applies for credit the lender or creditor might check the personal data that person gives them against the personal data held by CRAs to try and prevent fraud.
- Government and quasi-government bodies can use data held by CRAs to check whether people are entitled to certain benefits and to help recover unpaid taxes, overpaid benefits and similar debts.
CRAs supply information including personal data to their clients for account management, which is the ongoing maintenance of the client organisation’s relationship with its customers. This could include activities designed to support:
- Data accuracy (such as data cleansing – where bureau data can be used to clean or update lender data. This might involve checks that data is in the right format or fields, or to correct spelling errors);
- Clients’ ongoing account management activities. (For example, data sharing with lenders and creditors so clients can make decisions relating to credit limit adjustments, transaction authorisations, and to identify and manage the accounts of customers at risk, in early stress, in arrears, or going through a debt collection process, or to confirm that assets are connected to the right person).
Tracing and Debt Recovery
CRAs provide services that allow organisations to use bureau data to trace people who’ve moved. Different CRA also offers a service that allows people to be reunited with assets (like an old dormant savings account they’ve lost contact with.)
CRAs may also use personal data to support debt recovery and debtor tracing. An example of a tracing activity could be when a person owes money and moves house without telling the creditor where they’ve gone. The creditor may need help finding that person to claim back what they’re owed. CRAs help find missing debtors by providing creditors with updated addresses and contact details.
Statistical Analysis, Analytics and Profiling
CRAs can use and allow the use of personal data for statistical analysis and analytics purposes, for example, to create scorecards, models and variables in connection with the assessment of credit, fraud, risk or to verify identities, to monitor and predict market trends, to allow use by lenders for refining lending and fraud strategies, and for analysis such as loss forecasting.
CRAs carry out certain processing activities internally which support databases effectiveness and efficiencies. For example:
- Data loading: where data supplied to CRAs it is checked for integrity, validity, consistency, quality and age help make sure it’s fit for purpose. These checks pick up things like irregular dates of birth, names, addresses, account start and default dates, and gaps in status history.
- Data matching: where data supplied to CRAs it is matched to their existing databases to help make sure it’s assigned to the right person, even when there are discrepancies like spelling mistakes or different versions of a person’s name. CRAs use the personal data people give lenders together with data from other sources to create and confirm identities, which they use to underpin the services they provide.
- Data linking: as CRAs compile data into their databases, they create links between different pieces of data. For example, people who appear financially associated with each other may be linked together, and addresses where someone has previously lived can be linked to each other and to that person’s current address.
- Systems and product testing: data may be used to help support the development and testing of new products and technologies.
Different CRAs have their own processes and standards for data loading, data matching and other database processing activities.
Uses as required by or permitted by law
Your personal data may also be used for other purposes where required or permitted by law.
(b) WHAT IS A FRAUD PREVENTION AGENCY?
A Fraud Prevention Agency (FPA) collects, maintains and shares, data on known and suspected fraudulent activity. As such credit reference agencies can also act as FPAs.
(c) FRAUD PREVENTION AGENCY PROCESSING
How data may be used by fraud prevention agencies:
FPAs may supply the data received from lenders and creditors about you, your financial associates and your business (if you have one) to other organisations (please see Section 5 for more information on these organisations). This may be used by them and the CRAs to: –
- Prevent crime, fraud and money laundering by, for example;
- Checking details provided on applications for credit and credit related or other products and services
- Managing credit and credit related accounts or products or services
- Cross-checking details provided on proposals and claims for all types of insurance
- Checking details on applications for jobs or as part of employment
- Verify your identity if you or your financial associate applies for facilities including all types of insurance proposals and claims
- Trace your whereabouts and recover debts that you owe
- Conduct other checks to prevent or detect fraud
- Undertake statistical analysis and system testing
- Your personal data may also be used for other purposes where you’ve given consent or where required or permitted by law
The UK’s data protection law allows the use of personal data where its purpose is legitimate and isn’t outweighed by the interests, fundamental rights or freedoms of data subjects.
The law calls this the Legitimate Interests condition for personal data processing.
The Legitimate Interests being pursued here are:
|Promoting responsible lending and helping to prevent over-indebtedness||Responsible lending means that lenders only sell products that are affordable and suitable for the borrowers’ circumstances. CRAs help ensure this by sharing personal data about potential borrowers, their financial associates where applicable, and their financial history. A comprehensive range of measures exists in the UK to underpin the balance so the legitimate interests aren’t outweighed by the interests, fundamental rights and freedoms of data subjects. Further explanation about this balance is set out below.|
|Helping prevent and detect crime and fraud and anti-money laundering services and verify identity||CRAs provide identity, fraud and anti-money laundering services to help clients meet legal and regulatory obligations, and to the benefit of individuals to support identity verification and support of detection/ prevention of fraud and money-laundering.|
|Supporting tracing and collections||CRAs provide services that support tracing and collections where there is a legitimate interest in the client conducting activity to find its customer and to recover the debt, or to reunite, or confirm an asset is connected with, the right person.|
|Complying with and supporting compliance with legal and regulatory requirements||CRAs have to comply with various legal and regulatory requirements. CRA services also help other organisations comply with their own legal and regulatory obligations. One example, many kinds of financial services are regulated by the Financial Conduct Authority or the Prudential Regulation Authority, who impose obligations to check that financial products are suitable for the people they are being sold to. The credit reference agencies provide data to help with those checks.|
CRAs use of this personal data is subject to an extensive framework of safeguards that help make sure that people’s rights are protected. These include the information given to people about how their personal data will be used and how they can exercise their rights to obtain their personal data, have it corrected or restricted, object to it being processed, and complain if they’re dissatisfied. These safeguards help sustain a fair and appropriate balance so CRAs’ activities don’t override the interests, fundamental rights and freedoms of data subjects. You can contact Crediva at any time to access your data or correct inaccurate information. Please see the contact information at the beginning of this form.
People sometimes provide data directly to CRAs. For example, they can ask a CRA to add a supplementary statement to their credit file if they want to explain the reason for a particular entry on the file. The right to do this is explained in Section 10 below.
This could include information in relation to physical and mental health to the extent that you have a disability or vulnerability, which you (or someone acting on your behalf) has made us aware of. Such processing is on the basis of consent, which can be revoked at any time.
Different credit reference agency obtain and use information from different sources, so they often hold different information and personal data from each other. However, most of the personal data Crediva holds falls into the categories outlined below from the sources described.
|Identifiers||CRAs hold personal data that can be used to identify people, like their name, date of birth, and current and previous addresses.|
They may also hold business data.
|This personal data is included with all the other data sources.|
For example, names, addresses and dates of birth, mortality data are attached to financial account data so it can be matched and associated with all the other data the CRA holds about the relevant person.
Data about UK postal addresses is also obtained from sources like Royal Mail.
CRAs also obtain copies of the electoral register containing the names and addresses of registered voters from local authorities across the UK in accordance with specific legislation.
CRAs also have access to public data sources on people and businesses, including from the Insolvency Service, Companies House and commercial business directories.
Crediva uses a numeric personal identifier which is assigned to an individual to allow the identification of their personal data. It is used when information is called from the database and needs to be distinguished from other information in the database.
|Court judgments, decrees and administration orders||CRAs obtain data about court judgments that have been issued against people. This may include, for example, the name of the court, the nature of the judgment, how much money was owed, and whether the judgment has been satisfied.||The government makes court judgments and other decrees and orders are made publicly available through statutory public registers. These are maintained by Registry Trust Limited, which also supplies the data on the registers to the CRAs.|
|Bankruptcies, Individual Voluntary Arrangement (IVAs), debt relief orders and similar events||CRAs obtain data about insolvency related events that happen to people and may also obtain this type of data about businesses. This includes data about bankruptcies, IVAs and debt relief orders, and in Scotland it includes sequestrations, trust deeds and debt arrangement schemes. This data includes the start and end dates of the relevant insolvency or arrangement.||CRAs obtain this data from The Insolvency Service, the Accountant in Bankruptcy, The Stationary Office and Northern Ireland’s Department for the Economy – Insolvency Service, the London, Belfast and Edinburgh Gazettes.|
Business bankruptcies data are obtained from the London, Belfast and Edinburgh Gazettes.
|Search footprints||When an organisation uses a CRA to make enquiries about a particular person, the CRA keeps a record of that enquiry which appears on the person’s credit file. This includes the name of the organisation, the date, and the reason they gave for making the enquiry.||CRAs generate search footprints when enquiries are made about a particular person. The organisation making the enquiry provides some of the data in the footprint (such as the reason for the enquiry).|
|Scores and ratings||CRAs may use the data they receive to produce scores and ratings including credit, affordability, risk, fraud and identity, screening, collections and insolvency scores about people and businesses and credit ratings about people. Organisations that obtain data from CRAs may use it together with other data to provide their own scores and ratings.|
Credit scores and credit ratings are produced from data like whether they’ve any history of insolvencies or court judgments, and how long they’ve lived at their current address. Different CRAs have their own way of calculating credit scores, and most lenders have their own scoring systems too.
|The CRAs produce their scores and ratings using the data available to them.|
Similarly, other organisations create their own scores and ratings from data obtained from the CRAs as well as other sources.
|Other supplied data||CRAs receive data from reputable commercial sources. This includes phone number, income, employment status, relationship status, information relating to outgoings such as rental payments, and previous loan application data to enable Crediva customers to obtain information about individuals in order to calculate risks, associated with those individuals.|
CRAs produce some other kinds of data themselves to manage their databases efficiently and ensure that all the relevant data about a person is on the correct credit file.
|CRAs receive this data from reputable commercial sources as agreed from time to time.|
|Other derived data||Address links: when a CRA detects that a person seems to have moved house, it may create and store a link between the old and new address.|
Aliases: when a CRA believes that a person has changed their name, it may record the old name alongside the new one.
Flags and triggers: through analysis of other data, CRAs can add indicators to credit files. These aim to summarise particular aspects of a person’s financial situation.
|The CRAs generate this data from the data sources available to them.|
|Data provided by the relevant people||People sometimes provide data directly to CRAs. For example, they can ask a CRA to add a supplementary statement to their credit file if they want to explain the reason for a particular entry on the file. The right to do this is explained in Section 10 below.|
This could include information in relation to physical and mental health to the extent that you have a disability or vulnerability, which you (or someone acting on your behalf) has made us aware of. Such processing is on the basis of consent, which can be revoked at any time.
|This data is provided directly by the relevant people.|
This section describes the types of recipient Crediva shares data with. Different CRAs have their own access control processes in place. For example, before it shares data with any another organisation, to check that organisation’s identity and, where applicable, to confirm where it is registered with regulators.
In many cases where an organisation uses CRA services, there will be information accessible, for example, from website or at point of application or service, to explain that an organisation may check your data with a credit reference agency (for things like identity authentication and fraud checking). In some cases, some organisations have the ability to compel CRAs, by law, to disclose certain data for certain purposes.
Business Customers of Crediva
Crediva provides UK consumer credit reference services, specialising in alternative credit scoring models to improve traditional credit risk analysis. Our business customers are FCA regulated organisations. Crediva is committed to provide services for businesses to manage a more diverse range of the UK population, offering solutions that assess credit fairly where previous credit history might not be available.
Fraud Prevention Agencies
If a CRA believes that fraud has been or might be committed, it may share data with fraud prevention agencies (FPAs). These FPAs collect, maintain and share data on known and suspected fraudulent activity. Some CRAs also act as FPAs.
Resellers, distributors and agents
CRAs sometimes use other organisations to help provide their services to clients and may provide personal data to them in connection with that purpose.
Some data, where permitted in accordance with industry rules or where it’s public information, can be shared with other organisations that have a legitimate use for it – ID verification services, for example.
Public bodies, law enforcement and regulators
The police and other law enforcement agencies, as well as public bodies like local and central authorities and CRAs’ regulators, can sometimes request the credit reference agencies to supply them with personal data. This can be for a range of purposes such as preventing or detecting crime, fraud, apprehending or prosecuting offenders, assessing or collecting tax, investigating complaints or assessing how well a particular industry sector is working.
CRAs may use other organisations to perform tasks on their own behalf (for example, IT service providers and call centre providers).
You are entitled to obtain copies of the personal data Crediva holds about you. You can find out how to do this in Section 9 below.
Crediva is based in the UK, part of LexisNexis® Risk Solutions Group, which is a division of RELX Group™. Crediva keeps our main databases in the UK.
Your personal information may be stored and processed in your region or another country where LexisNexis Risk Solutions Group affiliates and our service providers maintain servers and facilities, including Australia, Brazil, France, Germany, Iceland, India, Italy, Ireland, Israel, the Netherlands, the Philippines, Singapore, South Africa, the United Kingdom, and the United States. We take steps, including through contracts, intended to ensure that the information continues to be protected wherever it is located in a manner consistent with the standards of protection required under applicable law.
Certain U.S. entities within the LexisNexis Risk Solutions group of companies have certified certain of their services to the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework as set forth by the U.S. Department of Commerce. Please view these entities’ Data Privacy Framework Notice here. To learn more about the Data Privacy Framework program, and to view these entities’ certification, please visit //www.dataprivacyframework.gov.
Identification data like names and addresses are kept while there’s a continuing need to keep it. This need will be assessed on a regular basis, and data that’s no longer needed for any purpose will be disposed of.
Court judgments, decrees and administration orders
Generally, court judgments and other decrees and orders are kept on credit files for six years from the date of the judgment, decree or order. But, they can be removed if the debt is repaid within one calendar month of the original date or if the judgment is set aside or recalled by the courts.
Bankruptcies, IVAs, debt relief orders and similar events
Data about bankruptcies, IVAs and other insolvency-related events and arrangements are usually kept on credit files for six years from the date they begin. This period is extended if they last longer than six years. Some data, such as a bankruptcy restrictions order, can also remain on the credit file for longer than six years.
Although the start of these events is automatically reported to CRAs, the end (such as a discharge from bankruptcy or completion of an IVA) might not be. This is why people are advised to contact CRAs when this happens to make sure their credit files are updated accordingly.
Different CRAs keep search footprints for different lengths of time. Crediva keep search footprints for six years from the date of the search.
Scores and ratings
CRAs may keep credit scores and credit ratings for as long as they keep a credit file about the relevant person.
Derived or created data
CRAs also create data, and links and matches between data. For example, CRAs keep address links and aliases for as long as they’re considered relevant for credit referencing purposes
Other third party supplied data such as politically exposed persons (PEPs) and sanctions data and mortality data will be stored for a period determined by criteria such as the agreed contractual terms.
CRAs may hold data in an archived form for longer than the periods described above, for things like research and development, analytics and analysis, (including refining lending and fraud strategies, scorecard development and other analysis such as loss forecasting), for audit purposes, and as appropriate for establishment, exercise or defence or legal claims. The criteria used to determine the storage period will include the legal limitation of liability period, agreed contractual provisions, applicable regulatory requirements and industry standards.
CRAs don’t tell a lender if it should offer you credit – this is for the lender to decide. Credit reference agencies provide data and analytics that help lenders make decisions about lending. The scoring tools and data CRAs provide may profile you, and are often a valuable tool in the lender’s overall processes and with the criteria they use to make their decisions. A lender’s own data, knowledge, processes and practices will also generally play a significant role in that lender’s business decisions – and lender decisions will always remain for lenders to make.
The same analytics from a CRA may lead to different decisions from different lenders, as they can place differing importance on some factors than others. That’s why you may receive a “yes” from one lender but a “no” from another.
The data CRAs provide is just one of the things that a lender might take into account when they make a lending decision. The lender might also take into account data provided by the person applying for credit, as well as any other data available to the lender from other sources. Each lender will have its own criteria for deciding whether or not to lend.
Scores and ratings
When requested, CRAs do use the data they obtain to produce credit, risk, fraud, identity, affordability, screening, collection and/or insolvency scores and credit ratings; these are explained in Section 4 above. CRAs don’t tell a lender if it should offer you credit – this is for the lender to decide. Each credit reference agency, and each lender, will have its own criteria for how to calculate a credit score, but the following factors will usually have an effect:
- How long the person has lived at their address.
- Whether the person has had any court judgments made against them.
- Whether the person has been bankrupt or had an IVA or other form of debt-related arrangement.
Different CRAs may provide or make available further information on profiling where necessary from time to time.
Data access right
You have a right to find out what personal data Crediva holds about you.
If you wish to see what information Crediva holds about you relating to your financial standing, you may obtain a copy of your Statutory Credit Report.
You also have the right to submit a written subject access request to establish whether your personal data is held within our databases, by writing to the following address:
Data Protection Officer
LexisNexis Risk Solutions Group
You can email us at firstname.lastname@example.org to submit your request online.
In all cases, to protect your privacy and security, we will also take reasonable steps to verify your identity.
Data portability right
New data protection legislation also contains a right to data portability that may give consumers a right in some data processing contexts, to receive their personal data in a portable format when it’s processed on certain grounds, such as consent. This is unlikely to apply to bureau data because the majority of this data is processed on the grounds of legitimate interests. To find out more about legitimate interests please go to Section 3 above.
When CRAs receive personal data, they perform lots of checks on it to try and detect any defects or mistakes. Ultimately, though, the credit reference agencies rely on the suppliers to provide accurate data.
If you think that any personal data a CRA holds about you is wrong or incomplete, you have the right to challenge it. The credit reference agency will need to take reasonable steps to check the data first.
If the data does turn out to be wrong, Crediva will update its records accordingly. If Crediva still believes the data is correct after completing checks, we’ll continue to hold and keep it – although you can ask us to add a note to your file indicating that you disagree or providing an explanation of the circumstances.
If you’d like to do this, you should contact us using our contact details in Section 1 above.
This section helps you understand how to use your data protection rights to object to your personal data being used and how to ask for it to be deleted, in connection with bureau data. To understand these rights and how they apply to the processing of bureau data, it’s important to know that CRAs hold and process personal information in bureau data under the Legitimate Interests ground for processing (see Section 3 above for more information about this), and don’t rely on consent for this processing.
You have the right to lodge an objection about the processing of your personal data by us. If you want to do this, you should contact us using the contact details set out in Section 1 above.
Whilst you have complete freedom to contact us with your objection at any time, you should know that under the General Data Protection Regulation, your right to object doesn’t automatically lead to a requirement for processing to stop, or for personal data to be deleted, in all cases.
Please note that, because of the importance of the credit referencing industry to the UK’s financial system, and the important purposes the personal data is needed for (like supporting responsible lending, and preventing over indebtedness, fraud and money laundering) it will be very rare that CRAs do not have compelling, overriding grounds to carry on using the personal data following an objection. In many cases, it won’t be appropriate for the CRAs to restrict or to stop processing or delete bureau data, for example, where the result would be to hide a poor credit history that could enable a person or organisation to get credit they otherwise wouldn’t be eligible for.
If you believe that there are exceptional circumstances in relation to your data and/or personal circumstances, please contact us setting out your concerns. We will use this information to balance the legitimate interests of Crediva against your own interests, rights and freedoms. This information will not be used for any additional purposes.
In some circumstances, you can ask credit reference agencies to restrict how they use your personal data. Your rights are set out at Article 18 of the GDPR. You can find the contact details for each CRA in Section 1 above.
This is not an absolute right, and your personal data may still be processed where certain grounds exist. These are:
- With your consent;
- For the establishment, exercise, or defence of legal claims;
- For the protection of the rights of another natural or legal person; or
- For reasons of important public interest.
Only one of these grounds needs to be demonstrated to continue data processing.
We will consider and respond to requests we receive, including assessing the applicability of these exemptions.
Please note that given the importance of complete and accurate credit records, for purposes including for responsible lending, it will usually be appropriate to continue processing credit report data – in particular, to protect the rights of another natural or legal person, or because it’s an important public interest of the UK.
We try to ensure we deliver the best customer service levels but if you’re not happy you should contact us so we can investigate your concerns.
Your concern can be investigated internally by our group Data Protection Officer. You can contact the Data Protection team by emailing email@example.com
If you’re unhappy with how we have investigated your complaint, you have the right to refer it to the Financial Ombudsman Service (Ombudsman) for free. The Ombudsman is an independent public body that aims to resolve disputes between consumers and businesses like CRAs. You can contact them by:
- Phone on 0300 123 9 123 (or from outside the UK on +44 20 7964 1000)
- Email on firstname.lastname@example.org
- Writing to Financial Ombudsman Service, Exchange Tower London E14 9SR
- Going to their website at www.financial-ombudsman.org.uk
You can also refer your concerns to the Information Commissioner’s Office (or ICO), the body that regulates the handling of personal data in the UK. You can contact them by:
- Phone on 0303 123 1113
- Writing to them at Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF
- Going to their website at //ico.org.uk/make-a-complaint/your-personal-information-concerns/
The work credit reference agencies do is very complex, and this document is intended to provide only a concise overview of the key points. More information about Crediva and what it does with personal data is available here.
The Information Commissioner’s Office also publishes advice and information for consumers in its Credit Explained leaflet, available here.