Credit reference agencies (CRAs) have been working behind the scenes of every significant financial milestone of your life – from when you opened your first bank account to when you last moved house – and collecting records of data.
But your credit score is just the tip of the iceberg. CRAs also run marketing services that use your data, so there might be more details than you expect in your personal data file.
We've examined privacy policies and made subject access requests to uncover how your personal data is sold and used.
What credit reference agencies know about you
All three of the major CRAs – Experian, Equifax and TransUnion – have some form of marketing services, but their scope is very different.
The most limited, TransUnion, only validates information and matches identities, while Equifax models a few additional characteristics from the credit data, such as gender and marital status.
Experian has the broadest range of modelled data and additional ‘propensities’, which are measures of how likely they estimate you are to do or be certain things.
There are as many as 370 modelled data points about an individual, covering everything from how much energy you use to how likely you are to pay for financial advice.
Find out more:Which type of person are you?
As well as modelling specific characteristics, Experian Marketing Services places you into different ‘segments’ with people it thinks are similar to you.
Experian has two different segmentation databases: Mosaic (which has standard, ‘digital’, and ‘shopper’ variations) and the Financial Strategy Segments (FSS 4).
Here are four examples, with wording from Experian and illustrations by Which?:
The data could show, for example, that you're in the FSS 4 ‘dual-pension freedom’ segment, described as ‘content retired couples owning average-value homes whose double pension income gives them a comfortable standard of living’.
The Mosaic segments focus more on shopping habits and responsiveness to different forms of advertising. Each category features aspects such as online activity, education levels and likely modes of transport.
How businesses use the data they buy
The data received by a customer of the CRAs will depend on the extent of their contract.
It could be a list of names and addresses of potential customers who fit certain requested criteria, extracts of the full database or matching the attributes and ‘propensities’ with an existing customer list.
Experian has more than 1,600 marketing clients across a range of sectors, the largest of which is retail.
Experian data is also used by charities and local authorities, for example StepChange Debt Charity used segmentation to find the UK constituencies and wards where people struggle most with debt problems.
How do credit reference agencies get your data?
With all three CRAs, your credit information or transactions are not directly passed on to marketing clients.
However, clients of both Equifax and Experian use information such as a negative credit payment or a county court judgment to remove people from certain financial advertising campaigns, a practice that aims to prevent harm to the recipient.
This data is only shared with members of the Credit Account Information Sharing service (CAIS) – the financial services that give and receive the credit information.
Equifax and Experian take your name and address from their credit reference data and use it to derive further information. So, name, address and date of birth lead them to information about the household, for example length of residence, and other factors such as marital status and gender.
Equifax doesn’t use this credit-derived data for direct marketing, nor does it sell email or telephone marketing lists.
Experian data that comes from its CRA business is ‘non-prospectable’, meaning your name and address wouldn’t be passed on to Experian clients that don’t already have it.
Find out more:The regulator gets involved
CRAs’ marketing businesses haven’t gone unnoticed by the regulator. In 2020, the Information Commissioner’s Office (ICO) published an enforcement notice ordering a change to CRAs’ direct marketing practices but Experian fought this in court, partially winning its appeal.
The First-tier Tribunal ruled that Experian gave adequate notice to the approximately 51 million consumers whose data was collected for credit report services and was being processed through its Consumer Information Portal.
But it said Experian had failed to give adequate notice to the approximately five million people whose data had exclusively been gathered from other sources such as the open electoral register and ordered it to do so within three months.
The ICO appealed this in the Upper-tier Tribunal, but they agreed with the original ruling.
Why a subject access request isn't a magic bullet
You might recall politician Nigel Farage using a subject access request (SAR) to reveal internal NatWest communications about him last year.
In theory, a SAR should reveal what a company knows about you. But in reality we encountered endless barriers.
We found some of the details of what's included in personal data files by submitting SARs to credit reference agencies. But when we submitted 11 SARs to Equifax as part of our research, we found the process confusing and difficult.
After filling in the initial form with details and address history, nine of our volunteers were told their identity couldn’t be verified and were asked to submit ID documents.
Our volunteers were then asked to make a help account and then raise a case to upload their verification documents. Several volunteers were confused at this point and didn’t know how to provide the information.
Once we'd provided the verification documents and Equifax had approved them, we were given no information on how to follow up on the SAR. Many volunteers gave up here.
When trying to follow up to make the SAR request, we found that we couldn't log in because we couldn't set login details, nor could we submit a new registration because our details were already registered.
Caught in a Catch-22, the rest of the volunteers stopped here.
I continued and made repeated requests over the phone and online to Equifax's customer service. I told them I was having issues with the subject access request specifically, but any attempts to help referred to the online help account or MyEquifax – completely different and unconnected services.
My fifth online help case was successful, at which point my request was submitted and I received my SAR information three weeks later.
Find out more:How to limit the use of your data
Make a subject access requestOpt out of marketing servicesTake your name off the open electoral registerChange your online settingsAvoid data broking websitessource https://www.which.co.uk/news/article/how-credit-reference-agencies-make-you-the-product-aAOB92I0cNni