Cookies on Pinsent Masons website

This website uses cookies to allow us to see how the site is used. The cookies cannot identify you. If you continue to use this site we will assume that you are happy with this

If you want to use the sites without cookies or would like to know more, you can do that here.

Credit reference agencies not obliged to ensure 'absolute' data accuracy, says Court of Appeal

Credit reference agencies (CRAs) that take reasonable steps to ensure the personal data they hold about individuals is accurate should not be open to compensation claims from individuals if it turns out the data is incorrect, the Court of Appeal has ruled.25 Feb 2013

The Court said that whilst CRAs are subject to rules set out in the Data Protection Act (DPA) on data accuracy, they have no co-extensive common law duty of care to ensure individuals' credit data is accurate. In its reasoning the Court said that it was "doubtful" whether CRAs would reasonably be able to foresee that inaccurate credit records could cause individuals losses because statutory provisions and guidance had stressed the need for individuals to take steps to ensure that the accuracy of their own records were maintained.

Lord Justice Davis said that UK data protection laws "do not impose an absolute and unqualified obligation on CRAs to ensure the entire accuracy of the data they maintain". He said that High Court Judge Thornton had been wrong to rule that Equifax had acted in breach of the DPA by failing to ensure that records they held about a businessman were not up to date.

Under the DPA organisations are generally required to ensure that personal data they store is "accurate and, where necessary, kept up to date". However, the Act states that organisations that obtain personal data records from third parties should not be considered to be in breach of that principle if the information is inaccurate as long as they had taken "reasonable steps", in the context in which the data had been obtained and was to be processed, "to ensure the accuracy of the data" and wherever a data subject had notified an organisation that in his or her view the data recorded was inaccurate, also included information with the recorded data indicating the data subject's view as to its inaccuracy.

Businessman Keith Smeaton had claimed that Equifax owed him £500,000 in compensation for wrongly labelling him as bankrupt. Although Smeaton had been the subject of a bankruptcy order, the order had been rescinded. Smeaton said that he had been denied bank facilities for his business because Equifax's records had not been up to date.

A judge originally ruled that Equifax had acted in breach of the DPA and that, in addition, CRAs assumed responsibility for consumers' personal data under the common law in a way that could make them subject to a greater scope of compensation claims.

However, the Court of Appeal criticised the judge's findings and ruled in favour of Equifax in the case. It assessed the wording of insolvency legislation, guidance from Government and the Information Commissioner and the actions taken by Equifax before determining that the CRA had taken reasonable steps to ensure Smeaton's personal data was accurate.

Insolvency legislation, although requiring notices of bankruptcy to be advertised in the London Gazette, does not also require notices of rescissions of bankruptcy orders to be advertised unless data subjects pay a fee. Guidance issued by the Government and the Information Commissioner had also made clear that CRAs would not be considered to be ordinarily aware of annulments of bankruptcies unless data subjects had taken steps to notify them, the Court said. Because Equifax monitored the Gazette and had updated its records when notified by Smeaton of the inaccuracy of information about him, the Court ruled the CRA to have acted in accordance with data protection laws.

"Equifax did take steps to ensure that its bankruptcy data was accurate," Lord Justice Tomlinson said in the ruling. "It obtained the data from a reliable and authoritative source in the form of the Gazette, it transferred the data accurately onto its data bases from that source and it amended its data immediately upon being made aware that it was inaccurate."

"Equifax monitored the Gazette. When the electronic data supply was first made available in 2008, Equifax implemented it immediately in order to ensure, as best it could, the continuing accuracy of its data. In my judgment the judge was wrong to conclude that Equifax had failed to take reasonable steps to ensure the accuracy of its data," he added.

The Court said that CRA's should not be bound to any common law duty of care over consumers' personal data accuracy because that duty of care had already been imposed by the DPA. It would be wrong for the two duties of care to co-exist, it said.

The Court endorsed the reasons for that finding which had been offered by Equifax's lawyer.

"Approaching the matter on the basis of the traditional three-fold test of foreseeability, proximity and whether it is fair, just and reasonable to impose a duty, [Equifax's lawyer] supplied four compelling reasons which, to my mind, demonstrate conclusively why it is inappropriate here to superimpose on whatever is the statutory duty a co-extensive duty of care in tort," Lord Justice Tomlinson said.

"Thus:- It is doubtful whether it was reasonably foreseeable that the recording of incorrect data on Mr Smeaton's credit reference would cause him any loss, having regard to the practices operated by the credit industry set out in the Guide to Credit Scoring 2000. A person whose credit application was rejected because of adverse CRA data would be told of that fact and would be entitled to take steps to correct (or dispute) that data and to require the lender to reconsider the application for credit having regard to further, correcting information provided by the applicant," the judgment said.

"It would also not be fair, just or reasonable to impose a duty. In particular, imposing a duty owed to members of the public generally would potentially give rise to an indeterminate liability to an indeterminate class," it said. "It would also be otiose given that the DPA provides a detailed code for determining the civil liability of CRAs and other data controllers arising out of the improper processing of data."

"Apart from the DPA, Parliament has also enacted detailed legislation governing the licensing and operation of CRAs and the correction of inaccurate information contained in a credit file in the CCA (Consumer Credit Act) 1974. This provides for the possibility of criminal sanctions, but does not create any right to civil damages. In such circumstances it would not be appropriate to extend the law of negligence to cover this territory," the ruling said.