Out-Law News | 09 Sep 2013 | 3:26 pm | 3 min. read
The Information Commissioner's Office (ICO) said that the FCA must specify a valid purpose for requiring additional personal data to be submitted by mortgage lenders about their customers in order for the collection of that data to be compliant with the Data Protection Act (DPA).
The FCA in May outlined plans to collect more information than it currently does from mortgage providers in order to better evaluate their sales of mortgages to customers.
At the time it said that it was introducing the new data reporting requirements so it could monitor compliance with new rules stemming from the Mortgage Market Review (MMR) "as efficiently and effectively as possible". The MMR rules are set to take effect from 26 April 2014 and the data collected from lenders will "help to identify potential mortgage fraud" and "identify drivers of conduct risk", the FCA said.
In particular, the FCA said it wants to more closely assess the extent to which mortgage lenders are selling mortgages at affordable rates, and it will require lenders to provide it with borrowers' income details and credit commitments, among other data, under the data reporting regime.
"When considering the proposed additional data items in DPA terms, it is important to ensure that each item is necessary, proportionate and relevant to the aim pursued," the ICO said in its response to the FCA's data reporting plans (2-page / 216KB PDF). "Firstly, FCA should ensure that the purpose for which the data items are collected is valid. The requirement to gather data in order to supervise the new rules made as a result of the MMR should serve to validate data collection in this context."
"In terms of the collection of data, it is important to ensure that a balance is found between the rights of the individual and the interests of the FCA," it said. "To find this balance, consideration should be given to the amount of data that it is necessary to gather about an individual to achieve aims under MMR. FCA is best placed to establish the level of data required to achieve their aims ...."
"In general, FCA should ensure that, as well as there being a valid purpose to collect the data, that purpose can only be achieved by gathering the data items in question and the processing is proportionate to the aim pursued. The proposed additional data items should not lead to an accumulation of more data than is required," the ICO added.
Under the FCA's MMR data reporting plans, the regulator also said that it would use the data it collects from mortgage lenders "to identify and analyse trends in the market" and would conduct "geo-demographic profiling to better understand consumer trends". It said that it would share the data with the Bank of England and the Prudential Regulation Authority (PRA) too.
The ICO said that the FCA should, generally, look to ensure that data is anonymised and aggregated prior to conducting consumer trends analysis or profiling.
"It is clear from the proposed data items to be gathered that the accumulated information will form a detailed picture of an individual’s financial status," the ICO said. "Consideration should be given as to the further uses of the data, once it has been gathered."
The FCA should "wherever possible" ensure that data use for geo-demographic profiling is "in an aggregated and anonymised format", the ICO added.
The ICO also urged mortgage providers to be open with customers "at the point of data collection" about the fact they will share data with the FCA and specify the "purposes for that data sharing".
The watchdog also said that the FCA should give individuals access to the personal data it stores about them when they request it.
"This right will relate to the data held about an individual, be it a record as provided by a lender or analysis carried out on a lender by the FCA (unless the analysis is aggregated or anonymised)," the ICO said.
The FCA and mortgage lenders should also ensure that the personal data they collect and pass on about individuals is accurate and put policies in place to ensure that data is deleted when it is no longer necessary to store it.