This morning an unfamiliar envelope arrived. It is a letter from Equifax, confirming that some of my personal data has been hacked. The information “included” my name and date of birth, and my “landline telephone number”.
The credit reference agency acquired this information as a result of consent I had given to some third party, between 2011 and 2016.
The letter confirms the hacker has had access to my personal data since May last year. A number of free services to reduce the risk of identity theft are offered, some eight months after the event.
My immediate reaction is:
Why does Equifax retain information about me?
Where did they get it from and whom have they shared it with?
How long have they held it for?
Although the letter sets out a complaint procedure, and offers to provide a copy of the credit report by post, it does not attempt to provide a complete answer to these questions. In order to request a copy of my credit report, I need to provide more personal data, including previous addresses.
A formal subject access request may be the best way forward. When I am satisfied as to what information Equifax retain, I can withdraw my consent to their holding it and ask them to delete the information irretrievably.
On 25 May, when the GDPR comes into force, there will be more stringent requirements for consent. It must be “freely given, specific, informed and an unambiguous indication of the data subject’s wishes …”.
The consent guidelines from the Article 29 Working Party confirm that any consent will need to be addressed in a distinct section of any document, specifying the type of data that will be collected, the purposes for which the data will be retained, and the right of the data subject to withdraw consent at any time.
Most importantly, it should be as easy to withdraw consent as it is to give it.