[Home] [Databases] [World Law] [Multidatabase Search] [Help] [Feedback]
	United Kingdom Information Tribunal including the National Security Appeals Panel
You are here: BAILII >> Databases >> United Kingdom Information Tribunal including the National Security Appeals Panel >> Credit And Data Marketing Services Ltd v The Data Protection Registrar [1991] UKIT DA90_00001 (28 June 1991) URL: http://www.bailii.org/uk/cases/UKIT/1991/DA90_00001.html Cite as: [1991] UKIT DA90_00001, [1991] UKIT DA90_1

[New search] [Printable PDF version] [Help]

IN THE DATA PROTECTION TRIBUNAL

BETWEEN:

CREDIT AND DATA MARKETING SERVICES LIMITED Appellant

and

THE DATA PROTECTION REGISTRAR Respondent

APPEAL DECISION

Members of the Tribunal: Aubrey L Diamond (Deputy Chairman)

Alex Lawrence and Victor Ross

Introduction

1. There are, we are told, four major credit reference agencies in this country. All of them carry out searches on their databases, at least in some circumstances, by reference to the address rather than by name. That is to say, if Mrs Jones of 1 Any Avenue, Anytown, applies for credit, the information extracted from the database under one of these address-based searches will contain all recorded information about any person, whatever the name, entered under the address 1 Any Avenue, Anytown, irrespective of whether that person has, or is thought to have, any links, financial or otherwise, with Mrs Jones.
2. The Data Protection Registrar ("the Registrar") believes that such extraction constitutes unfair processing in breach of the first data protection principle in the Data Protection Act 1984. Late in August 1990 the Registrar served enforcement notices, each in identical terms, on all four credit reference agencies. All four agencies appealed to this tribunal. This is the fourth such appeal that we have heard.

Formal matters

3. Credit and Data Marketing Services Limited ("CDMS") is a company which inter alia is a credit reference agency, as defined by section 145 (8) of the Consumer Credit Act 1974, and is licensed as such under that Act. It is also registered under the Data Protection Act 1984 as a data user who holds personal data. Its register entry number B1321012 contains amongst other things a description of the personal data which it holds for purpose P035 Credit Reference - the provision of information relating to the financial status of individuals or organisations on behalf of other organisations - and, since March 1989, for purpose P058 - Crime Prevention and Prosecution of Offenders.
4. On 29 August 1990 the Registrar served on CDMS an enforcement notice dated 28 August 1990 under section 10 of the Data Protection Act. In due course the Registrar received a notice of appeal under section 13 of the Act and an amended notice of appeal was served on 21 June 1991. The appeal was heard by this tribunal from 1 to 4 July 1991. CDMS was represented by Mr John Baldwin QC, instructed by Messrs Cuff Roberts of Liverpool. The Registrar was represented by Mr Henry Carr and Mr Mark Vanhegan, instructed by Mrs Rosemary Jay, legal adviser to the Registrar. We heard evidence from six witnesses. Written proofs of the evidence of each witness, and of one further witness who was unable to attend on account of ill health, were exchanged by the parties and made available to the tribunal.

The Registrar's duties and powers

5. Various provisions in the Data Protection Act 1984 are relevant to the action taken by the Registrar.
6. Set out in Part I of Schedule 1 to the Act are eight "data protection principles". The subject of dispute in these proceedings is the first principle, which reads as follows:

1. The information to be contained in personal data shall be obtained, and personal data shall be processed, fairly and lawfully.

7. Section 36 (1) of the 1984 Act states that "It shall be the duty of the Registrar so to perform his functions under this Act as to promote the observance of the data protection principles by data users and persons carrying on computer bureaux." Subsection (2) of the same section goes on as follows:

(2) The Registrar may consider any complaint that any of the data protection principles or any provision of this Act has been or is being contravened and shall do so if the complaint appears to him to raise a matter of substance and to have been made without undue delay by a person directly affected …

Pursuant to this duty the Registrar considered the complaints he had received.

8. We will describe in the next paragraph the action taken by the Registrar in considering the complaints. For the moment we will complete the reference to the Registrar's statutory powers. Section 10 deals with enforcement notices; the relevant subsections are as follows:

(1) If the Registrar is satisfied that a registered person has contravened or is contravening any of the data protection principles he may serve him with a notice ("an enforcement notice") requiring him to take, within such time as is specified in the notice, such steps as are so specified for complying with the principle or principles in question.

(2) In deciding whether to serve an enforcement notice the Registrar shall consider whether the contravention has caused or is likely to cause any person damage or distress.

(9) Any person who fails to comply with an enforcement notice shall be guilty of an offence; but it shall be a defence for a person charged with an offence under this subsection to prove that he exercised all due diligence to comply with the notice in question.

It remains to say that sections 13 and 14 of the Act, and Schedule 3, relate to appeals to this Tribunal. Paragraph 4 of Schedule 3 empowers the Home Secretary to make rules of procedure, and we are accordingly governed by the Data Protection Tribunal Rules 1985, S.I. 1985 No. 1568. Rule 19 provides that "In any proceedings before the Tribunal it shall be for the Registrar to satisfy the Tribunal that the disputed decision should be upheld."

The Registrar's action

9. Over a period of years the Registrar, Mr Eric Howe CBE, had discussions with the credit industry. He had apparently made progress to some extent. On 17 July 1990 the Industry Forum on Data Protection issued a press release headed "Credit Industry to drop Use of some Third Party Information". The first paragraph read as follows:

"Britain's major credit organisations have advised the Data Protection Registrar that they have requested credit reference agencies not to provide other surname non-concurrent information after 31 July next year. This means that credit grantors should be given information only about people who live, or who have lived, at the same address at the same time as the applicant."

But nothing came of this initiative. The Registrar did not think it went far enough, and he issued the enforcement notice in this case on 28 August 1990. We were told that no steps were taken to implement the proposal by the credit industry generally. However, in the present case we are told that CDMS does not, in relation to the issue of retail credit cards, use persons with different surnames.

The enforcement notice

10. The operative words of the enforcement notice read as follows:

... the Registrar hereby gives notice that in exercise of his powers under Section 10 of the Data Protection Act 1984 he requires Credit and Data Marketing Services Limited to ensure whether by amendments to any relevant processing system or otherwise:-

that from the 31st day of July 1991 personal data relating to the financial status of individuals ceases to be processed by reference to the current or previous address or addresses of the subject of the search whereby there is extracted in addition to information about the subject of the search any information about any other individual who has been recorded as residing at any time at the same or similar current or previous address or addresses as the subject of the search.

CDM's database

11. To complete the factual background it is necessary to describe the way in which the information obtained by CDMS is stored on computer and extracted. Before the enforcement notice was served a statement describing the system of processing operated by CDMS was agreed between officers of the Registrar and CDMS. The following passages are based on the agreed statement.
12. In order to provide its customers with information about individuals, CDMS stores on computer the following categories of information:

Electoral Registration Information. This comprises the information contained in the official electoral rolls which are revised annually and contain the names and addresses of all persons who are entitled to vote in elections in the United Kingdom.

Court Judgments. Details of those court judgments that are kept on public registers are obtained by CDMS. They cover England and Wales and the Isle of Man (county courts), Northern Ireland (county courts), Scotland and the Republic of Ireland. These are kept on CDMS's files for six years.

Credit Industry Fraud Avoidance Scheme (CIFAS). CDMS obtains the details of names and addresses of individuals and type of fraud alleged appearing on CIFAS's records. These details are retained on a trial basis by CDMS for a period of six months.

Littlewoods Organisation Customer Accounts. CDMS is part of the Littlewoods group of companies. CDMS is supplied with information about Littlewoods mail order agency and account customers. These details include the name and address of the customer applying for an account or agency and whether or not they have been accepted by Littlewoods for these facilities. Littlewoods treat a customer as being in default where an account is 14 weeks in arrears. At this stage the account is referred to Littlewoods' debt recovery department. At the same time CDMS is informed about the default. CDMS then "flag" their record of the customer concerned to indicate that he or she has defaulted. A similar process is followed for "slow payers". The period of retention for details of customers who have defaulted or who are slow payers is six years. CDMS account payers are treated similarly, except that there is no "slow payer" category.

Postal Address File (PAF). CDMS obtains this file from the Post Office. It contains all postal addresses in the United Kingdom. It is updated in line with amendments to the PAF made by the Post Office. A small number of non-PAF addresses are set up on-line, after having been verified by the Post Office.

13. The agreed statement includes a description of the structure of CDMS's credit reference database. It is a single database and is based on the Postal Address File. Each file on the database has as its core the details of PAF addresses. To add the information described above, the key stage in the process is to match the address element of that information with a PAF address. When a match has been made, all the information to be included on the credit reference database is added to the Postal Address File. Matching the address may be done automatically, in which case an exact match is required, or manually, if there is thought to be a sufficient likeness between the two addresses.

Users of the database

14. The database is used for three purposes. It is used to process applications for mail order credit from Littlewoods Home Shopping Division. This is usually done at the stage when a prospective customer applies for a catalogue, and no catalogue is sent unless the credit score is sufficiently high. It is used to process applications for store credit cards and customer personal loans from the credit-granting arm of CDMS. Finally, it is used to process applications for credit from client companies of CDMS (that is, companies which are external to the Littlewoods Organisation).
15. The vast majority of searches are conducted by Littlewoods Home Shopping Division. In 1990 they made approximately 4,750,000 searches. In the same year CDMS's store card and personal lending business made 120,000 searches, and client companies supplied approximately 360,000 names and addresses on magnetic tape for searching.

Search methods

16. The CDMS credit reference database is used to assess the creditworthiness of individuals. Interrogation of the database is always carried out by Littlewoods staff. There is only one level of search carried out, which produces all types of information.
17. Where individuals apply for a Littlewoods Organisation mail order agency or other account or credit card facilities provided by CDMS, the process of assessment is carried out by a credit scoring procedure. In carrying out this procedure, one of the factors which is always scored is any information revealed by a search of CDMS's database, which will include information about all the individuals living at that address at any time.
18. Evidence given by Mr Bryan Mayoh, who is Director of Home Shopping Systems and Credit in the Littlewoods organisation, described what happened when the scoring system indicated that credit should be refused. In order not to lose business that might be satisfactory, an attempt is made to contact by telephone applicants in the top 5 per cent below the cut-off point. They are asked questions about income, liabilities and employment. This practice only started in 1990, and in the last year approximately 2,000 people were contacted in this way, of whom about 500 were approved by the "Authorisations Unit" for the provision of credit.
19. Persons who submit an order form but who do not meet the necessary score for the granting of credit are written to: see paragraph 31 below. Those who challenge the rejection, at this or a later stage, are referred for consideration to a supervisor or to the Authorisations Manager. Of about 3,000 such cases a year, approximately 900 are subsequently accepted. Mr Mayoh agreed that third party information could lead to rejection, and we understand that CDMS is considering seeking more information in at least some of these cases.

The earlier cases

20. In the three earlier cases dealing with credit reference agencies which have been heard by this tribunal, we have held that the extraction of information about persons other than the applicant for credit is capable of constituting unfair processing in breach of the first data protection principle, that the Registrar was entitled to serve an enforcement notice, but that the notice was wider than it need be and should be qualified somewhat. In the present case, Mr Baldwin challenges the allegation that there has been unfair processing by arguing that we have misconstrued the Act.

The CDMS arguments

21. The first data protection principle, which we have already set out above, reads as follows:

1. The information to be contained in personal data shall be obtained, and personal data shall be processed, fairly and lawfully.

The principle is set out in Part I of the first schedule to the Data Protection Act 1984. Part II of that schedule sets out a number of rules of interpretation applicable to the principles. That relating to the first principle reads as follows:

1. (1) Subject to sub-paragraph (2) below, in determining whether information was obtained fairly regard shall be had to the method by which it was obtained, including in particular whether any person from whom it was obtained was deceived or misled as to the purpose or purposes for which it is to be held, used or disclosed.

(2) Information shall in any event be treated as obtained fairly if it is obtained from a person who:

(a) is authorised by or under any enactment to supply it; or

(b) is required to supply it by or under any enactment or by any convention or other instrument imposing an international obligation on the United Kingdom;

and in determining whether information was obtained fairly there shall be disregarded any disclosure of the information which is authorised or required by or under any enactment or required by any such convention or other instrument as aforesaid.

22. In the earlier cases we broke the first data protection principle into two halves, the first half dealing with the obtaining of information fairly and lawfully and the second half dealing with the processing of personal data fairly and lawfully. We held that the enforcement notice was served in respect of a breach of the second half, that the rules of interpretation in Part II of the schedule related solely to the first half of the principle, and accordingly that those rules had no relevance. In this case Mr Baldwin challenged this approach.
23. His argument may be summarised in this way. Processing is fair, he submitted, if it is carried out for the purpose contemplated at the time the information is obtained. He arrived at this conclusion by drawing attention to section 2 (1) of the Act which states that the data protection principles in Part I of Schedule 1 are to be interpreted in accordance with Part II of that schedule. Thus, he said, the rules of interpretation apply to the whole of the first principle. The first principle, he said, is concerned with the purpose for which information is held, used or disclosed, and whether the supplier of the information has been deceived or misled as to the purpose. Data would not, he submitted, be processed fairly if it was extracted and used for a purpose different from that contemplated at the time the information was supplied. We may quote from Mr Baldwin's own note of his argument to complete the picture.
24. "In the present case," the argument goes, "personal data is supplied by an individual for the purpose of that individual being supplied with something and it is used only for the purpose of deciding whether or not that thing should be supplied. Such is fair." He goes on: "That this is the right approach is illustrated by the fact that the Registrar has set up third party information as being different from other items of information used in a credit score in that it is or may be, he suggests, irrelevant to whether or not a person will default. The truth is that almost all the criteria used by CDMS in a credit score can be argued to be irrelevant (in the Registrar's sense) to whether or not an individual person will default." [There is a reference to the evidence of one of CDMS's witnesses which listed an example of the information included in a score card: these include information such as the length of time the person has been at his or her address, whether there is a telephone and the number of children, if any. Given considerable weight is a previous home shopping default (whether on the part of the applicant or of someone else once at the same address); given relatively little weight is home ownership.] "But they are all relevant to whether or not that person belongs to a class of persons of whom a certain proportion will default."
25. We do not accept this argument. It flies in the face of the natural meaning of the words used in the first principle, which clearly distinguishes between obtaining (of information) and processing (of personal data), and of the words used in the interpretation rules which clearly relate to obtaining, not processing. Moreover, counsel's own argument fails to reflect the facts. He says that "personal data is supplied by an individual for the purpose of that individual being supplied with something and it is used only for the purpose of deciding whether or not that thing should be supplied." This is a travesty of the "third party information" position: personal data about one individual (not necessarily supplied by that individual) is used for the purpose of deciding whether someone else should be supplied.
26. There is a further argument, based on the definition of personal data in section 1 (3) of the Act:

(3) "Personal data" means data consisting of information which relates to a living individual who can be identified from that information (or from that and other information in the possession of the data user) …"

27. The requirement to process fairly, says Mr Baldwin, must mean fairly to the individual whose personal data it is - that is, the person who can be identified from the information. Here, if there is unfairness, it is unfairness to someone other than the identifiable person, namely to the applicant for credit as against whom third party information is being used. "Third party information," says Mr Baldwin, "is not personal data qua the applicant." But in the first of our credit reference agency decisions, an appeal by CCN Systems Limited and CCN Credit Systems Limited ("CCN"), we identified the unfairness as lying in "the instructions to extract, for the purpose of credit reference (the provision of information relating to the financial status of an individual), material irrelevant to the individual who is the subject of the credit reference." As to the suggestion that the applicant for credit cannot be identified from the information (since by definition third party information relates to another person), it is to be noted that the Act says "(or from that and other information in the possession of the data user)", and CDMS will either have the name of the applicant for credit or some other information (perhaps a reference or code) enabling them or their customer to identify the applicant for credit: after all, the supply of information, including third party information, would be useless if it could not be linked with the applicant for credit about whose application a decision has to be made.
28. A further criticism voiced by Mr Baldwin is that "the Registrar's position is that information is relevant only if it relates in a material way to the ability of the individual to pay." If this is the Registrar's position, it is not ours. We readily recognise that the credit grantor can take into consideration any information that has predictive value, provided that it relates to the applicant for credit and not third parties with whom he is not linked.
29. Section 10 (2) of the Data Protection Act states that "In deciding whether to serve an enforcement notice the Registrar shall consider whether the contravention has caused or is likely to cause any person damage or distress." Mr Baldwin argues that there is no evidence that any credit applicant has suffered damage or distress, and that it is inherently unlikely that he would do so.
30. We mentioned above (paragraph 7) that the Registrar received some complaints, but have to say that none of them demonstrated damage or distress. If a person in a shop is refused credit in a public way (as has happened in another case), this can be very distressing. We have accepted that receiving a letter refusing credit or a credit card may be distressing. But in the mail order business carried on by Littlewoods, the most likely consequence of a "failure" in the credit score procedure is that a mail order catalogue will not be sent: the applicant is not told that he is being refused credit. This, says Mr Baldwin, can hardly cause anyone distress.
31. There will be cases where people have had a catalogue and are only given a credit check when submitting an order form. If they fail at that stage, a letter is sent by Littlewoods saying that "Having carefully considered all the information which you kindly provided, I am sorry to inform you that on this occasion we are not able to meet your request." This letter is clearly misleading, as it gives the impression that the decision is based on information provided by the applicant alone and does not mention the search of the database, let alone third party information. It is little wonder that few complaints are made to the Registrar. Only if an applicant replies to that letter is he told that an enquiry was made to CDMS and of his rights under the Consumer Credit Act 1974, so only the most persistent will find out about the third party information.
32. As to damage, it could no doubt be argued that someone refused mail order credit has lost that opportunity, and may have to pay cash or find different credit terms from a shop or other mail order supplier. However, we heard no evidence of this. CDMS made the point that a large majority of requests for the supply of goods on credit were for goods of a low value (less than £75). A refusal to supply such goods on credit would not, it was said, cause damage or distress of the kind the law would countenance. As CDMS point out, "Credit is a privilege and not a right." CDMS also urged on us that no one did in fact lose the right to obtain goods from Littlewoods' catalogue because they failed a credit check and were not sent a catalogue. Those persons who do receive catalogues are invited not merely to buy goods for themselves but also to act as "agents", receiving a discount for selling goods to others and buying goods themselves, and a person not considered a good credit risk after a CDMS search could obtain the goods on credit through such an "agent", though he would or course lose the opportunity of obtaining the discount.
33. Subject to this last point we accept Mr Baldwin's argument that there is no evidence of damage or distress, but we do not think that this impairs the Registrar's decision that processing was unfair. The Act says that damage or distress must be taken into account, not that it is an essential ingredient before an enforcement notice can be served.

Processing

34. A point taken by Mr Baldwin, but not pursued at any length in oral argument, was that the Registrar was not entitled to find processing unfair because there was no processing. This argument is based on the definition of "processing" in section 1 (7) of the Act:

"'Processing', in relation to data, means amending, augmenting, deleting or re-arranging the data or extracting the information constituting the data and, in the case of personal data, means performing any of those operations by reference to the data subject."

35. In the CCN case we held that CCN was processing personal data by extracting information, and that the extraction was unfair. CDMS, according to Mr Baldwin, is not processing personal data within the definition in section 1 (7) at all because it does not perform any of the operations described "by reference to the data subject", but by reference to an address. CDMS does not extract information by reference to the data subject because it does not search by reference to a name, and indeed at the time it searches it does not know the name either of the applicant for credit, if that person may be regarded as the data subject, or of the persons who may be referred to in the database. Not only does CDMS not know who the data subject is, it may be that no one knows who the data subject is because the name given may be illegible or false.
36. This is the same argument that was taken in the appeal by Equifax (Europe) Limited. We think it may be helpful if we here quote what we said in the earlier case.
37. We said: "What did Parliament mean when it used the words 'by reference to'? As a definition of 'processing', it would seem that the passage is quite adequate without the addition of the last phrase: processing means amending, augmenting, deleting or re-arranging the data or extracting the information constituting the data.
38. "Why, then, did Parliament add the words 'and, in the case of personal data, means performing any of those operations by reference to the data subject'? (We should add that '"Data subject" means an individual who is the subject of personal data', so that both the applicant for credit, if there is any data about him on the database, and the other persons whose details are extracted, are all data subjects, though not perhaps "the" data subject.) Both Mr Carr [who appeared for the Registrar in the Equifax case too] and Mr Chalton [who appeared for Equifax] agreed that the purpose of the added words was to limit the scope of application of the Act, to relieve the burden of supervision imposed on the Registrar, and to reduce the cost of compliance with the Act. But they disagreed on how those words were to be interpreted. ... Mr Chalton equated the phrase to a description of how the data user accessed the data, whether by name or in some other way. Mr Carr, on the other hand, would have regard to the intention and purpose of the processing.
39. "We found two examples given by Mr Chalton helpful. He instanced the Driver and Vehicle Licensing Centre computer in Swansea. It is, he said, possible to access the database by reference to the vehicle number; this, he said, would not be processing by reference to data subjects even if the computer extracted a list of past and present keepers of the vehicle. One might, he said, be interested in the vehicle itself, such as the date it was manufactured.
40. "His other example was the Land Registry computer. One could, he said, access the computer's database either by reference to the names of individuals, such as registered owners, or by reference to title number - in other words, by reference to the land. The first means of access would involve processing, the second, according to Mr Chalton, would not.
41. "We find this particular example helpful for this reason. Mr Chalton is looking at phrase 'by reference to the data subject' as linked to the mode of input into the computer system in order to conduct an operation such as amending data or extracting information. But it is difficult to believe that Parliament, or the draftsman, was looking at the issue through a computer-operator's eyes. What Parliament had in mind, we think, is the difference between approaching the database to conduct operations that had nothing to do with the data subject, and operations that focused on the data subject. Thus using the Land Registry's computer to change the boundaries of a plot of land, or perhaps to extract a copy of a restrictive covenant, would in no way concern the individual identity or attributes of a data subject, and need not attract the control over processing. On the other hand, using the computer to extract the name of a data subject, whether the computer was approached by typing in the name of the data subject or by retrieving his name in some other way, would constitute processing.
42. "If we are right in this, it seems to us not to matter whether the search on Equifax's database was initiated by typing in the name of the subject of the enquiry or typing in the description of a piece of land associated with the subject of the enquiry. In both cases the object of the exercise is to learn something about individuals, not about the land. The data is processed in a way linked to the data subject, and hence by reference to the data subject. (For another use of 'by reference to' where it does not mean the way the computer is operated see section 28 (4).) Equifax emphasised that it did not in most cases even know the name of the individual seeking credit, as if this confirmed that the extraction could not be by reference to the data subject. But Equifax is a credit reference agency, one of its registered purposes is 'the provision of information relating to the financial status of individuals' and it knows perfectly well that its customers have in mind particular individuals with whom it is contemplating entering into credit transactions … We therefore find that the extraction of information constituting personal data by Equifax's address-based search is performed by reference to the data subject and so constitutes processing."
43. We have considered carefully Mr Baldwin's arguments on this issued in the present case, but having thought over the whole matter again we conclude that CDMS is processing data within the statutory definition for the reasons we gave in the Equifax case.

Fraud

44. Although the vast majority of applicants for credit are no doubt honest, there is bound to be a proportion of applicants who are dishonest. Witnesses for CDMS told us that there was a high incidence of fraud in the mail order industry in general, and affecting catalogue companies in particular. "Fraud" was not precisely defined by CDMS's witnesses, but as evidence of fraud we were given the figure of 25,000 defaulters in a typical year who would order goods, pay nothing and fail to return them. There were said to be nearly a million new customers each year, so the figure cited represents 2½ per cent of new customers.
45. No evidence was given as to the nature of these 25,000 defaults, and we were not made aware of any research or investigation into individual cases. It is true that the onus is on the Registrar, but having considered the evidence we find that we cannot accept that every one of the 25,000 defaulters committed a deliberate fraud in the sense of a prior criminal intent at the time of ordering the goods. 25,000 is the number of customers who make no payment at all, but no attempt was made to distinguish between the improvident, the unfortunate and the dishonest.
46. In the improvident we include those who, having seen CDMS's advertising or catalogue, order goods, intending to pay the instalments, but who find that sufficient free money is not available when the time comes. CDMS told us that there was no excuse for retaining goods without payment, and drew our attention to their offer to refund money if goods were returned in new condition within fourteen days, no reason required. By the unfortunate we mean those whose circumstances change between ordering the goods and the time to make the first payment, for example by becoming unemployed or suffering an accident. By the dishonest we are willing to follow CDMS by including not only those who gave false names or other information but also those who made no false statements but who never intended to pay from the outset, and those who intended to pay but changed their minds before payment fell due, without regard to whether a criminal prosecution might have succeeded.
47. All transactions with Littlewoods Home Shopping are based on credit. Most applicants are the subject of a credit scoring system (see paragraph 17 above). But a "control sample" is maintained, consisting of 30,000 randomly selected applicants to whom credit is granted whether or not the applicant would qualify for credit on the points scoring system. This sample is monitored to detect any common factors representing good or bad credit performance. Within this sample the level of bad debt is, we were told, 30 per cent. Extrapolating from this sample, CDMS's witnesses told us that if third party information could no longer be used the 25,000 customers who make no payment (see paragraph 44 above) would increase by 5,800 to 30,800.
48. Although we do not accept that all those who pay nothing are dishonest, we do of course accept (and there is no dispute between the parties on this) that some customers will obtain goods in circumstances amounting to a criminal offence. This brings us to the argument based on section 28 (4) of the Data Protection Act. This argument was presented on the basis that we find, as we do, that CDMS is processing data, and that the data constitute personal data, which we find they do. Mr Baldwin submitted that the Registrar's enforcement notice was clearly too wide because it purported to exercise a power which the Act expressly removed from the Registrar by section 28 (4).
49. Section 28 (4) of the Data Protection Act reads as follows:

(4) Personal data are exempt from the provisions of Part II of this Act conferring powers on the Registrar, to the extent to which they are exercisable by reference to the first data protection principle, in any case in which the application of those provisions to the data would be likely to prejudice any of the matters mentioned in subsection (1) above.

50. It is not necessary to set out the whole of subsection (1), but "the matters mentioned" in that subsection are the following:

"(a) the prevention or detection of crime;

(b) the apprehension or prosecution of offenders; or

(c) the assessment or collection of any tax or duty."

Mr Baldwin was relying specifically on paragraph (a), and told us it was not necessary to turn to paragraph (b), though we think, in CDMS's favour, that this might be relevant in some cases.

51. This is similar to the argument that was directed to us in the appeal brought by Equifax Europe Limited. In that case it was said that the use of false names or addresses could be detected by address-based searches of the database. Thus, it was argued, the Registrar's enforcement notice, preventing the use of address-based searches, would be likely to prejudice the prevention or detection of crime. The Registrar's power to serve enforcement notices is to be found in section 10 of the Act, which is in Part II of the Act, so that, it was said, subsection (4) of section 28 effectively removed from the Registrar the power to serve the enforcement notice on Equifax. In that case we did not accept that the Registrar had no such power.
52. In the present case, Mr Baldwin, in raising the section 28 (4) issue, suggested in oral argument that he was not adopting the argument presented to us in the Equifax case in every respect. He described the proposition, put to us in the Equifax case, that the Registrar could not serve an enforcement notice at all as "unattractive". However, Mr Baldwin's submissions led to a similar conclusion. He made the point that the service of the enforcement notice could not prejudice any action taken by CDMS to prevent or detect crime, and accordingly argued that the enforcement notice was too widely drafted: it should, he said, contain a proviso to the effect that nothing in the enforcement notice prevented CDMS from taking any action to prevent or detect crime. This, it emerged, would in his view have the result that CDMS could, notwithstanding the enforcement notice, continue to carry out address-based searches in all cases. Since CDMS cannot know before making a search whether a crime is being attempted, an address-based search for third party information could, it was suggested, be made in every case. This of course would not simply add a proviso to the enforcement notice: it would for all practical purposes cancel out the enforcement notice. This, it seems to us, is essentially the argument that we rejected in the Equifax case. Having reconsidered it in the present case, we have come to the conclusion that the Registrar does have power to serve the enforcement notice in all those cases in which no crime is committed or attempted. We expressed our view in the following words in the earlier case.
53. "Consider subsection (4) in relation to the case of an honest application. Would the application of the Registrar's power to require Equifax not to conduct address-based searches producing certain third party information be likely to prejudice the prevention of crime? Since there is no crime, and no possibility of crime, in that case, the answer must be, not in that case. Would the application of the Registrar's power be likely to prejudice the detection of crime? A fortiori, since no crime has been or will be committed, the answer must be, not in that case. Would the application of the Registrar's power be likely to prejudice the apprehension of offenders? Again, there are no 'offenders' and there will be no prejudice to their apprehension in that case. Finally, would the application of the Registrar's power be likely to prejudice the prosecution of offenders? Again, for the same reason the answer must be, not in that case.
54. "It is clear that in any case where fraud is attempted the Registrar's notice would be likely to prejudice the prevention of crime. In any such case, therefore, the personal data are exempt from the relevant provisions of Part II of the Act and Equifax are free to process data untrammelled by the notice. But in our judgment section 28 (4) does not prevent the Registrar from serving such an order in relation to all the cases - the vast majority - where no crime is, or is going to be, committed. The phraseology is 'might conceivably prejudice' those matters."

Decision

55. We have dealt with most of the arguments placed before us by Mr Baldwin on behalf of CDMS. For the rest, the arguments were, as both parties recognised, essentially those that had come before us in one or more of the earlier cases, and we adopt our reasoning in those cases. In essence, our finding is that the extraction of "third party information" - information about persons who have no financial link with the applicant for credit - is unfair within the first data protection principle. We recognise that mail order business is popular and has advantages for its customers, and do not believe that our decision will seriously prejudice its conduct. The Registrar was justified in serving an enforcement notice though, as in the earlier cases, the notice was too widely drafted and needs qualification broadly on the lines of the provisos we added in the CCN case.

Form of enforcement notice

56. In our decision in the appeal brought by Infolink Limited we announced that we proposed to exercise our power under section 14 (1) of the Data Protection Act to substitute for the enforcement notice served by the Registrar one drafted in accordance with the findings we made in that case. We promulgated the main part of our decision and announced that there would be a resumed hearing to hear representations on the terms of the enforcement notice. We think a similar adjournment would be convenient in this case, and the hearing is accordingly adjourned to a date to be arranged for this purpose.

Time for compliance

57. The Registrar stipulated in his enforcement notice dated 28 August 1990 that compliance must take effect by 31 July 1991. In this case that time is extended automatically by section 10 (6) of the Act, but in the light of what was said at the hearing we have given consideration to a new period of time for compliance and direct that the date for compliance should be 1 January 1993.

Conclusion

58. For the reasons set out or referred to above this appeal will be allowed in part and an enforcement notice in the terms to be set out after the next hearing will be substituted for that served by the Registrar.
59. No application was made for costs and in accordance with Rule 24 of the Data Protection Tribunal Rules 1985 we make no order as to costs.

A L Diamond Chairman

15 October 1991