TRANSUNION INTERNATIONAL UK LIMITED · DRN-6236733

The complaint Ms G and Mr O complain TRANSUNION INTERNATIONAL UK LIMITED trading as TransUnion (TU) are providing their address to companies about fraudulent accounts and have refused to stop doing this. Ms G and Mr O have also complained about TU’s actions and customer service when contacting them for help. What happened I issued a provisional decision setting out what’d happened, and what I thought about that. The provisional decision covered both what I thought we can’t consider – and what I thought we can consider. This decision only focuses on the issues I think we can consider. So I’ve copied the relevant elements of that outcome below, and they form part of this decision. A number of accounts have been taken out by a third party individual (I’ll refer to them as TP) who seemingly didn’t repay them. At least one of these accounts was updated to use the same address as Ms G and Mr O’s. This has led to numerous companies calling at the address looking for TP for repayment of the accounts which were outstanding. Mr O said this has been going on with TU since October 2023, and they’ve repeatedly refused to rectify the wrong information they’re providing to debt companies. Ms G and Mr O are also unhappy with the customer service they’ve received from TU. Two elements of the customer service Ms G and Mr O have mentioned are: • TU’s delays in completing subject access requests (SARs) as well as call recordings not being provided, and contradictory information given to another company who was supporting Ms G at the time • TU have shared information regarding Ms G and Mr O’s health with their bank without their consent, leading to reputational harm and the withdrawal of benefits TU ultimately provided a response to Ms G and Mr O’s main complaint concerns, and accepted they’d delayed replying to their contacts properly. When saying this, they explained there had been an error regarding providing the call recordings due to human error and they said sorry. Unhappy with TU’s response, Ms G and Mr O asked us to look into things. One of our Investigators did so. He found one element of Ms G and Mr O’s complaint wasn’t something we could consider – but we could look at the rest. For those elements, he felt £500 compensation was a fair outcome. Ms G and Mr O didn’t accept that outcome, and said they’d be providing a detailed response to the issues raised. In the meantime, the complaint was passed to me in preparation for Ms G and Mr O’s response. Having begun my review, I was concerned the majority of Ms G and Mr O’s complaint points weren’t something we could consider under the rules I’m required to apply.

-- 1 of 6 --

Because of that, I wanted to explain my thoughts at the earliest opportunity possible for Ms G and Mr O and give them the chance to reply. As such, I think it’s appropriate I continue to issue my provisional decision before Ms G and Mr O responded in full, so they could then respond to everything at once. In realising this, I also arranged for us to ask TU if they’d be prepared to still honour the £500 compensation award our Investigator had recommended. I asked TU this because I could see they’d accepted they’d not handled things well for Ms G and Mr O from a customer service perspective – but I can’t require them to make this payment for the issues our Investigator suggested as I don’t think I can look at most of them. TU said they were prepared to honour the £500 compensation. What I’ve provisionally decided – and why I’m satisfied the rules allow me to look at: • Ms G and Mr O’s concerns about SAR’s – including delays in providing all the information required, communication around this, and conflicting information TU gave to a company supporting Ms G and Mr O at this time. • Ms G and Mr O’s concerns about TU sharing their health information with their bank. My thoughts on what I can look at For these points I think it’s important to explain I’ve considered all of the information provided by both parties in reaching my decision. If I’ve not reflected or answered something that’s been said it’s not because I didn’t see it, it’s because I didn’t deem it relevant to the crux of the complaint. This isn’t intended as a discourtesy to either party, but merely to reflect my informal role in deciding what a fair and reasonable outcome is. I also need to factor in that TU have agreed to honour the offer of £500 our Investigator recommended. I say that because if I find there are issues with the SAR and disclosure of medical information – or if I accept Ms G and Mr O’s testimony on this but don’t necessarily have the evidence to support it – I’d need to weigh that up against the compensation available. Addressing concerns with the SAR first, I’ve seen from Ms G and Mr O’s submissions they and a cyber security company supporting them at the time have submitted SARs to TU. I’ve also seen in Ms G and Mr O’s most recent submissions there is some information about the SARs they’ve said TU didn’t share with us. The first SAR request I can see happened in October 2023 – Ms G wanted call recordings of phone calls on 13 and 23 October 2023. From what I can see, there was a delay before TU then asked Ms G for identification on 3 November 2023. I understand Ms G then provided the identification TU had asked for on 20 November 2023. TU have said the SAR was then processed on 4 December 2023. I think the problem with the SAR TU provided to Ms G is that it didn’t include the call recordings she’d asked for. When asking for them, Ms G was telling TU they hadn’t provided what she’d asked for. TU didn’t seem to understand it was the call recordings Ms G was asking for – not a call transcript.

-- 2 of 6 --

The information from TU shows they sent Ms G the call recordings in February 2024. I’ve got an email from TU to Ms G dated 23 February 2024 which says they’ve attached the call recordings. I’ve no reason in itself to doubt this – as I’ve seen the email. But I also understand Ms G says she didn’t get the call recordings until July 2024 – when TU say they sent the call recordings for a second time. I don’t have all the information to prove whether TU did attach the call recordings in February 2024 as they said they did. So, I’m going to accept Ms G’s comments they didn’t do this. In addition to the above, I know Ms G and Mr O have concerns over TU’s lack of responses to their contacts about the SAR – and I can see from the information provided by Ms G and Mr O, they have also made further SAR’s – both directly and they’ve said through a cyber security company – and have had concerns over this as well. I don’t have all the details to fully understand exactly what happened, but I don’t think I need that. I say that because I’m satisfied TU haven’t treated Ms G and Mr O fairly overall on this point and I think the impact on Ms G and Mr O for this element of their complaint is relatively limited. I say that because I can’t ignore that the reason Ms G and Mr O wanted the SARs, and the vast majority of the impact on them, is what they say is TU’s intransigence in refusing to rectify the issue with their address. But…I don’t have the authority to look at any concerns regarding this. It’s clear the overall issue has had a very significant impact on Ms G and Mr O – so I don’t intend to diminish what’s happened. But, as I can only look at the SARs, and even though I can only consider the customer service around it, that’s all the impact I’m able to take into account. I’ll come back to this at the end. The second issue I’m satisfied I can consider is Ms G and Mr O’s comments that TU shared sensitive and inaccurate medical information with their bank about both of them. Ms G and Mr O have said because of this disclosure, their bank has now withdrawn an enhanced current account they had with them – and they’ve lost benefits such as medical / travel insurance policies connected to that account. TU have told us they didn’t disclose any information to any third party. None of the information I’ve been provided with so far shows me TU did disclose any health information to Ms G and Mr O’s bank. I’m conscious our service has a complaint against the bank – and at times Ms G and Mr O have made reference to information on that case as being relevant to this one. So, I’ve also reviewed that case. In it, Ms G sent our Investigator an email dated 9 December 2024 at 2.14pm (according to our records) which said: 2. I confirm that I had a personal Premier current account & a joint account with my husband at … for many years, plus an … credit card. However I recently closed my personal … account due to …'s ongoing utter disregard for the severe ramifications caused to us by their customer's fraudulent activity/for my welfare/for other organisations.

-- 3 of 6 --

In this Ms G has given the reason for the closure of the account as being solely due to their bank’s behaviour towards her in dealing with the issue of the third party. In view of the lack of information showing TU did disclose this information, and Ms G’s comments which suggest the reason for closing hers and Mr O’s account with their bank was for a different reason, I’m not currently persuaded TU have acted unfairly on this point. But, I’m conscious Ms G and Mr O have said our Investigator didn’t consider all of the information. So, I’ve thought about whether it’d change matters if TU had disclosed this information. The main issue Ms G and Mr O have talked about is the benefits of the account being lost. If I were to accept TU had disclosed this information, and that Ms G and Mr O didn’t close their account because of how they’d been treated (as she’s told us), I still wouldn’t be persuaded this was TU’s responsibility. I say that because what a bank does with information they’re given by another party is still down to them. If Ms G and Mr O think they’ve been treated unfairly by their bank on this particular point, then they could raise a complaint about it to their bank if they wanted to. But, this wouldn’t excuse the disclosure in the first place. Sharing this information with TU would be their personal data, and given it is medical information – which is intrinsically sensitive and which Ms G and Mr O have said is inaccurate – this wouldn’t be acceptable. As I said above, at this point TU have agreed to honour the £500 our Investigator awarded. The issues I can consider are: • The customer service provided around the SARs • The potential disclosure of sensitive and inaccurate medical information If I were to fully uphold both of these points, taking into account everything I’ve said above, I’d find that £500 compensation is a fair outcome. Responses to my provisional decision TU didn’t reply by the deadline. Ms G and Mr O provided a detailed explanation. I’ve summarised what I consider to be their key points, relevant to this decision under the two headings of points I’m addressing: SAR • They’ve forwarded emails which have been withheld from us by TU • These emails show TU failed to provide all the documents as required by the law – so TU had broken the law TU’s disclosure to Ms G and Mr O’s bank about their mental health • I’ve said I didn’t see TU’s letter to their bank saying they both had mental health issues, and they ask why TU didn’t provide this • They said I’ve got access to their complaint file of a complaint made to us about their bank, and the letter from TU to their bank is in there

-- 4 of 6 --

What I’ve decided – and why I’ve considered all the available evidence and arguments to decide what’s fair and reasonable in the circumstances of this complaint. SAR The emails Ms G and Mr O have forwarded to us are what they say demonstrates TU have never complied with their SARs – or those who have done a SAR on their behalf. But, the emails ask for the personal data of another party – which isn’t something I think it’s likely Ms G and Mr O are entitled to. I can’t decide what should or shouldn’t be included in a SAR. I can see Ms G and Mr O are aware of the Information Commissioner’s Office (ICO). They’re the correct body to investigate potential data breaches. My understanding is there are exemptions to what can and can’t be provided in a SAR. This also means I can’t decide if TU have broken data protection law by not providing the documents Ms G and Mr O have said TU should. I’m aware Ms G and Mr O’s concerns do extend beyond their request for what I consider to be TP’s data. They’re also concerned at the customer service provided – and I’ve seen enough to uphold this. TU’s disclosure to Ms G and Mr O’s bank about their mental health I’ve not seen anything from TU to show they did disclose anything regarding Ms G or Mr O’s mental health to their bank. If TU do have a letter – bearing in mind they’ve said they didn’t do this – then they should have shared it with us. But, I’d also expect Ms G and Mr O to do this if they had this letter, which they don’t appear to have. Ms G and Mr O have also pointed me back to the complaint file we have for their concerns about their bank – saying the letter about TU is in there. I’ve reviewed a selection of documents from their bank in that case rather than the whole file – and not found the letter when I’d expect to have done if it was there. So, I’ve still got no evidence TU did disclose anything regarding Ms G and Mr O’s mental health to their bank. Summary I’ve seen enough to uphold Ms G and Mr O’s concerns about the SAR. In terms of the mental health disclosure concerns I don’t have enough to uphold this. But, and this is crucial, even if I were to accept TU have disclosed Ms G and Mr O’s mental health to their bank, I still wouldn’t find TU needed to do more than pay the £500 they’ve already offered to do. My final decision TRANSUNION INTERNATIONAL UK LIMITED have made an offer of £500.

-- 5 of 6 --

I’m satisfied that offer is fair in all the circumstances, so my decision is TRANSUNION INTERNATIONAL UK LIMITED should pay Ms G and Mr O £500 compensation. Under the rules of the Financial Ombudsman Service, I’m required to ask Ms G and Mr O to accept or reject my decision before 16 April 2026. Jon Pearce Ombudsman

-- 6 of 6 --