Credit Reference Agency Information Notice (CRAIN)

Version: 1.2 • Adopted: 2 December 2024

This summary information is taken from the website of TransUnion, where the full Notice can be found.

IN BRIEF

We (Equifax, Experian and TransUnion, collectively referred to as “we” and “us” throughout this privacy notice) are credit reference agencies and we play an important role in the UK’s financial ecosystem. This Credit Reference Agency Information Notice (referred to as “this privacy notice”) explains how we collect, process and share personal data about consumers and businesses (referred to as “you”).

This section briefly summarises the key processing activities common to all of us. For more detail, please refer to the rest of this document. We recommend reviewing each credit reference agency’s own privacy notices, which explain the specific processing activities of that credit reference agency. Links to these documents can be found in Section 14.

Throughout this privacy notice, where we use “data” we mean the data types as described in Section 4.

What do credit reference agencies do?
  • We collect information about you from various sources and build databases that hold this data.
  • We need to hold relevant permissions from the Financial Conduct Authority to collect and share this financial information about you.
Where do credit reference agencies get information from? 
  • The primary source of information we collect is from public records, such as court judgments (CCJs) and electoral register information, financial information from financial account providers, and information generated by us based on the information received and/or our own analytical research.
  • In addition, we may also collect information from payment accounts via the use of open banking, gambling organisations, employers, utilities suppliers, telecoms businesses as well as (business data only) from publicly available business websites.
Who uses the information, and what do they use it for? 
  • Financial account providers and other organisations carry out searches against information with one or more of us.
  • Organisations can carry out searches for several reasons. These include assessing creditworthiness and ability to afford financial products, checking the accuracy of other information, preventing and detecting crime (such as fraud or money laundering), checking identity, locating individuals (for example to recover debts that they owe), calculating how much their insurance premiums should be, employment verification, including assessing their suitability for a job or a tenancy, and helping to protect individuals from the impacts of problem gambling.
  • When an organisation carries out a search of someone’s data, we will record details of that search. This is known as a search footprint. Depending on the type of search they can be visible to the individual and/or to other organisations that may conduct searches on that individual. Some organisations may draw adverse inference from the presence of some search footprints, for example if a person has multiple debt collection searches recorded.
  • We link people who appear to be financially associated, for example, through a joint account, joint application for credit or a joint County Court Judgment. This information on financial associates may be checked by companies when undertaking credit searches for the purposes of assessing credit risk. This is because your link with financial associates may affect your ability to repay debt. Examples of this include, acting as guarantor for a personal loan that another individual is taking out, or in the capacity as a director or business owner, where the relevant business is applying for a commercial loan. See the table in Section 4 for further information on how the financial associate’s data affects your credit report and score.
  • We also use some data for marketing-related purposes. Each of us provide different marketing services, to help organisations to better direct their marketing to consumers and (where relevant) business owners and directors, for example excluding individuals from advertising for credit products they would not be eligible for. We may also use the data to predict information or characteristics about the population, to inform product and marketing strategy, to help organisations identify who they want to market their products and services to, and how they should be delivered.
  • The data relating to you held by each of us might be different. This is because not every financial account provider supplies data to every one of us.
What else do credit reference agencies do with my information?
  • We also use the data in our databases for other activities, including analytics and profiling. This can help financial account providers build scorecards to use in assessing credit applications.
  • We carry out several types of data processing to help achieve the aims described above. These include loading data, matching and linking data together, generating credit scores, as well as testing, developing and building products and services for our clients.
  • Individuals have certain rights that they can exercise in relation to the personal data held by us. For example, they have the right to obtain a copy of the data, to ask us to correct it if it is inaccurate, and to object to the processing of the data. The ICO's website provides more details on the available rights and details of how these rights can be exercised are set out in Sections 91011 and 12 below. Personal data about individuals in their role as owners, directors, and employees of UK businesses may also be obtained, processed and shared by commercial data sharing credit reference agencies not referenced in this privacy notice. For further information please refer to the Business Information Providers Association’s website.
Please note
  • If you are looking for information about the role that data plays in lending decisions made by financial account providers, you may wish to consult Understanding your credit information and how lenders use it. This is published on the website of each of us, EquifaxExperian and TransUnion.
  • This document describes our common processing activities detailing how we use and distribute the data described in Section 4.
  • We are independent businesses. Not all of the products and services described in this document are provided by all three of us, or in the same way, and not all of the data is used by each of us.
  • This document does not cover all personal data that we use and distribute; for example, this document does not cover processing of personal data in relation to our services you sign up to directly, such as services which allow you to view your own credit report and score.
  • Each of us offers other products and services (including marketing services) not covered by this privacy notice. Section 14 provides links to our own privacy notice(s) which outline other uses of data not fully described here that may be unique to one of us or includes additional detail about our core activities processing. The same links about our core processing activities are shown here below: