CRA breach - erasure?

Posted: Wed Oct 11, 2017 10:03 pm
by caffiene
News reports today claim the recent CRA hacking breach has resulted in 15m UK data records being leaked rather than the previous estimate of 'only' 400K.
Tech news has reported the hacking occurred due to an alleged negligent failure to apply a security update to Apache.

The CRA appears to have failed to comply with the DPA 7th principle (security).

CRAs do not require consent to process data but instead rely on the balance of their legitimate interests outweighing the interests of the data subject.
In addition to the above, the processing will not be 'fair' unless information is provided to the data subject describing how his data will be used.
The fair processing notice in the credit application describes the processing the customer should expect if he proceeds with his application.

It will usually include 2 points:

1. That data may be shared with CRAs and
2. Data will be processed in accordance with the DPA.

This being the basis for lawful processing, assuming there is no consent, what are the implications of the breach of the 7th principle?
It would now seem the information provided to the data subject was misleading as he signed up for credit under the erroneous belief his data would be held according to the DPA when in fact it was not being kept secure at all. If so, the processing is not 'fair'.

Also, given the serious potential consequences of the data leak, the 'rights and freedoms or legitimate interests of the data subject' may now outweigh the interests of the CRA.

Can the data subject make the CRA erase his records?

Posted: Fri Oct 13, 2017 5:42 pm
by dls
CRA = Credit Reference Agency (not necessarily obvious)