Hello Caggers just after a bit of guidance,

I have sent a SAR to HSBC and pretty much been ignored

ended up lodging complaints to FOS and ICO, the end game is all about PPI.

I am corresponding with ICO and they will only get involved if HSBC have refused or ignored my request.

I told the ICO my request has been ignored and sent them a signed receipt for the SAR delivered into a HSBC branch for delivery through internal mail system to HSBC data controller.

The ICO have now come back and said this is not proof the bank have received the SAR and not proof the bank have been given proof of ID.

Is this similar to other folks experience with ICO.

How can I prove when the SAR was delivered to HSBC with my proof of ID that's exactly what it was and nothing else.

Happy to provide more info from the ICO email TIA.

I thought you were abroad?

I thought you were abroad?

Certainly am, so my options are slightly limited, i really thought a signed stamped receipt from HSBC addressed to their data controller was proof enough I have sent them a SAR and being ignored but ICO ar not accepting this just makes it harder than it needs to be.

why did you send your sar into a branch

why not head office UK

It doesn’t matter. It was delivered to HSBC as required by the GDPR, the GDPR does not state that the SAR has to be delivered to the actual DPO in order to be taken as delivered. I would go back to the ICO and tell them that the SAR was delivered to the bank in line with the GDPR and as per the receipt you have and that the ICO is obligated under their statutory duty to investigate this lack of compliance. Inform them if they do not then you will be escalating to the information tribunal. Get ICO to reply in writing that they will not investigate the matter any further and then you have 28 days to refer to the tribunal. I have done this with the ICO previously and it got the matter sorted more quickly.

why did you send your sar into a branch

why not head office UK

I sent a SAR recorded delivery and Royal Mail lost it so I thought it was a guaranteed way of making sure it got there but as far as the case worker at ICO is concerned it only prooves the branch had a letter and not its content and proof of ID.

The ICO caseworker is wrong. There is no obligation for ID. It only required at the discretion of the controller where they are unsure of the data subject requesting the info. And the fact that you sent a letter and state it was a SAR is sufficient to meet the GDPR. Otherwise no company or controller would ever have to reply to a SAR thus totally defeating the objective

to ascertain that the request is from the said person then controller has need to make sure the person requesting is the named person concerned = there for copy of evidence is required, be it council tax copy/passport etc etc always send 2 items, and handing it into a bank counter the person receiving needs to certify the legitimacy of the customer handing request in:

HSBC use to be hot on that and probably still are

to ascertain that the request is from the said person then controller has need to make sure the person requesting is the named person concerned = there for copy of evidence is required, be it council tax copy/passport etc etc always send 2 items, and handing it into a bank counter the person receiving needs to certify the legitimacy of the customer handing request in:

 

HSBC use to be hot on that and probably still are[/quote

It all depends on the relationship between the data subject and the controller. The request for I’d must meet the objective of reasonableness and proportionality. The art 29 working party states

“Thus you should ask for enough information to judge whether the person making the request is the individual to whom the personal data relates whilst at the same time being reasonable and not simply requesting large amounts of information just “because that’s what your system requires”.

 

Thus, if the identity of the person making the request is obvious or you have an ongoing relationship with them (for example as an existing client, employee or currently used contractor) then simpler checks would be more appropriate than if the person had not been in contact with your firm for some time. On the other hand not asking for verification when there is scope for fraud or misuse would be unwise.“

Does the bank's receipt say what it is a receipt for? ie does it specifically state it is a receipt for an SAR + proof id? If, for example, it just said it was a receipt for an envelope addressed to xyz bank plc could ICO be arguing that it could have been anything in the envelope?

What's the exact wording of the receipt (personal details removed)?

HSBC - a few years back made a statement to ICO = That all SAR Request will be timed" after a complaint by me to ICO, = a commitment by HSBC to ICO:- new it was lies as usual from that in-ept Bank