Storing information insecurely, releasing someone else's data without their permission, etc.

EDIT: Here's the official guidance from the regulator: (http://www.ico.gov.uk/for_organisations/sector_guides/financ...)

(http://www.ico.gov.uk/for_the_public/topic_specific_guides/c...)

Page 12 of this document talks about "associations" (http://www.experian.co.uk/downloads/consumer/creditRefAgency...) - credit reference agencies cannot use data about one person at an address to rate a different person at that address, even if they have the same surname, unless there is some financial link.

Re: "associations," I doubt very much it's intentional; more likely a mixup in the data.