The First-Tier Tribunal (Information Rights) has ruled on the ICO’s action to require Experian Limited to change how it handles people’s personal data. The Judgment supported aspects of the ICO's decision, while allowing Experian’s appeal in other areas.

The Tribunal found, in support of the ICO, that Experian had not processed the personal data of over 5 million individuals transparently, fairly or lawfully because it failed to notify them that it was processing their data for direct marketing purposes. However, it rejected the ICO’s view that Experian’s privacy notice was not transparent, that using credit reference data for direct marketing purposes was unfair, or that Experian did not properly assess its lawful basis.

The ICO will take stock of today’s judgment and carefully consider next steps, including whether to appeal.

“The credit reference agency industry holds data on almost every adult in the UK. Information is screened, traded, profiled and enhanced to provide direct marketing services, and that process must happen in line with the law and in an open and honest way.

“Since we began our work with credit reference agencies, we’ve seen companies make significant changes to improve how they respect people’s information rights, notably being clearer in how data is used.”

- Stephen Bonner, ICO Deputy Commissioner

Today’s ruling follows a hearing that took place over a six-day period on 17, 19-21, 31 January and 11 February 2022. The Commissioner has been granted permission to appeal the Judgment.

The ICO issued the Enforcement Notice to Experian Limited in October 2020 following a two-year investigation into how the company and two other major credit reference agencies (CRAs) were using the personal information of UK adults for direct marketing purposes.

Notes for editors
  1. The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
  2. The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the General Data Protection Regulation (GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR), Privacy and Electronic Communications Regulations 2003 (PECR) and a further five Acts / Regulations.
  3. Article 5 of the GDPR requires that personal data shall be:
    • Processed lawfully, fairly and in a transparent manner in relation to individuals;
    • Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
    • Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
    • Accurate and, where necessary, kept up to date;
    • Kept in a form which permits identification of data subjects for no longer than is necessary; and
    • Processed using appropriate technical or organisational measures in a manner that ensures appropriate security of the personal data.
    Article 5(2) requires that “the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
  4. Section 149 of the DPA 2018 contains a provision for the Information Commissioner to issue an Enforcement Notice. It orders specific actions by an individual or organisation to resolve breaches (including potential breaches). An individual or organisation can be fined for failing to comply with the terms of an enforcement notice.
  5. Organisations issued with an ICO Enforcement Notice have the right to appeal to the First-Tier Tribunal (Information Rights) within 28 days of receiving the notice.
  6. An appeal against a decision of the First-tier Tribunal can be made to the Upper Tribunal.