[2024] UKUT 105 (AAC)

The extensive nature of Experian’s data processing, sketched out only very briefly at [1] above, was further summarised by the FTT at [2]-[10] of their decision:

“2.

The enforcement notice relates to Experian’s processing of personal data for marketing services for its offline, not online, marketing services.

3.

The direct marketing services business is operated by EMS, which is a separate business unit within Experian but is not a separate legal entity. For that reason, we refer in this decision to Experian, not EMS, as it is the legal entity which is the appellant. Broadly, Experian does not carry out marketing in its own name, but its data processing furthers the direct marketing of third parties, that is, Experian’s customers.

4.

For the purpose of the EMS business, Experian acquires the personal data of individual data subjects from a variety of sources in broadly three strands. It obtains publicly available information from sources such as the Open Electoral Roll (“OER”), Companies House and the register of County Court Judgments. It also acquires data from third parties such as Gardeners’ Club. It also acquires data from its CRA business. It does not process the data from these three strands in the same way.

5.

Experian processes the data to create three different products which are relevant to the notice and the appeal: ConsumerView, ChannelView and Mosaic. There is, in addition to those services, a credit pre-screening product that uses some elements of CRA data only offered to members of Credit Account Information Sharing service (“CAIS”). 

6.

Broadly, Experian has no direct relationship with individuals whose data it processes for the purpose of these products, except in a limited number of cases when individuals contact Experian via the Experian website or where they have a direct relationship with Experian via Experian Consumer Services (“ECS”). 

7.

ConsumerView contains entries at an individual level for some 51 million adults in the United Kingdom, that number changing from time to time due to changes in the UK adult population, as a result of deaths and people turning 18. ConsumerView combines name and address information, with a total of up to thirteen actual attributes. It then processes this data and creates modelled information on the demographic, social, economic and behavioural characteristics of individuals and households on a predictive basis. The actual information reflects known characteristics of a given individual; the derived information reflects characteristics that are calculated or ascertained from other data, the modelled information reflecting predicted characteristics. 

8.

ChannelView’s database contains names, postal addresses, email addresses and mobile phone numbers are predominantly provided to Experian by various third data suppliers who between them collect data from data subjects via some 148 websites in return for access to offers and discounts, price comparison services, the ability to participate in surveys and so on. The total number of records will vary from time to time, but it contains details of at least 24 million individuals. 

9.

Mosaic uses data from public and commercial sources in order to attribute households into fifteen overarching groups, 66 household types and 155 person types. Some of the information through which Mosaic is created is taken from the individual profiles on ConsumerView but there are other non-personal data sources which read into that. Mosaic codes are appended to the individual level profiles within ConsumerView.

CRA-Derived Data

10.

Experian uses data derived from Experian’s CRA business in the following ways:

(1)

to add names and addresses to ConsumerView (about 25.1 million individuals are added to ConsumerView by this route);

(2)

to ensure the accuracy of the 25.9 million prospectable records included in ConsumerView;

(3)

to match and link records from different sources;

(4)

to build the derived and modelled attributes within ConsumerView. 

In this context, “prospectable” means that a name and postal address will be shared by EMS with customers who do not already have that name and address, to help those customers reach new business and supporters. Others are non-prospectable which means that the name and address data will not be shared in this way, but information concerning them can be shared with customers who already have those individuals name and address.

Experian treats the records obtained from the CRA as “non-prospectable”. With the exception of the credit pre-screening product, the only data points derived from Experian’s CRA business that are used by Experian are name, address and date of birth. The CRA derived data is also used to offer a credit pre-screening product to customers who were a member of the CAIS which operates to remove people from the marketing lists through credit, products and circumstances where they would likely be declined if they were to make an application for the product.”

The FTT, in the section of their decision headed “Findings”, recorded several further features of Experian’s data processing activities which were not in dispute and so can be rehearsed here. Thus, “Experian has no direct relationship with the individuals whose data it processes save for those with whom it may also have a direct relationship through ECS” (FTT at [140]). As regards Experian’s data processing products the FTT added:

“141.

ConsumerView is, as is noted above, a product which combines the name and address information for some 51 million UK adults with predicted socio-economic and behavioural characteristics. Not all of the profiles will contain the maximum number of thirteen actual attributes and many of those are obtained from sources which are publicly accessible such as the open electoral register, the Registry Trust (in respect of county court judgments), and Companies House. Three data points (buildings insurance renewal month, contents insurance renewal month and motor insurance renewal month) are not derived from public sources and one data point, that is prospectable, being a person’s date of birth, can be derived either from a public source (the OER) or from a non-public source such as a third party suppliers.

…

144.

We accept, as is clear from the sample profiles shown to us, that ConsumerView profiles will include up to 49 derived data points about individuals and up to 370 modelled points about individuals. These are, as Experian submits, predictions about the likelihood of people having certain characteristics. …

…

146.

… It is important to note that the data obtained via CRA is not prospectable. We note also Ms Shearman’s evidence that data may be marked as non-prospectable if individuals appear on Experian’s NMR file or other industry suppression files such as mail preference and telephone preference. That said, if an individual is marked as non-prospectable, then that will not affect the nature and range of that data that is held about the person unless they apply to have their data removed which, as the evidence demonstrates, applies only to a very small number of people.

147.

With regard to how the ConsumerView database is used by clients of Experian, if they send a list of individual names and ask Experian to enrich it from the ConsumerView database, Experian will use both prospectable and non-prospectable records in answering the request albeit that the information provided to the customer will only have attributes and propensities added and not the name and address (unless of course this is already held). In other circumstances, Experian’s clients may request records containing those attributes and propensities which are of most relevance to their organisation, e.g. whether a customer is more or less likely than average to be interested in direct mail, or what age group they might be in. In response, Experian will provide such clients with prospectable records.

148.

The information held on ChannelView is predominately provided to Experian by various third-party data suppliers … It is used in order to link information held in ConsumerView with records provided to Experian by its customers and suppliers.”

Experian has created a Consumer Information Portal (“the CIP”) on its website, setting out the ways in which it processes data (https://www.experian.co.uk/cip). The adequacy (or otherwise) of the CIP in terms of its transparency was one of the central issues raised by the Information Commissioner’s EN and so also on the appeal before the FTT.

As the FTT noted at [13], in relation to CRA derived data, Experian relies upon the Credit Reference Agency Information Notice (“the CRAIN”), which is the general note produced by and used by CRAs “which sets out the wide variety of sources used by Experian and the other CRAs to obtain data about individuals and how the data may be used”. The CRAIN contains hyperlinks to the CIP. The third party data suppliers display privacy information on their websites with hyperlinks to the CIP. The accessibility of these routes to the CIP was also a central area of dispute before the FTT.