Just had the following from ICO
Thank you for your data protection complaint about Welcome Financial Services Ltd (WFS).
I can only apologise for the length of time it has taken to reply but we have had a significant number of requests for advice and information which have led to a backlog of cases and an inability to respond as quickly as we would wish.
Complaints to the Information Commissioner’s Office
Under the Data Protection Act 1998 (the DPA), those who collect and use personal information have to follow rules of good practice for handling information (called the data protection principles). The DPA also gives rights to individuals whose information is collected and used.
When we receive a data protection complaint, we will make an assessment. This is our view about whether an organisation has followed the rules of good practice properly. We do this by saying whether we think it is likely or unlikely that the organisation has complied with the DPA.
We will also give advice about handling personal information and will ask the organisation to review its actions if we think things have gone wrong. Our main concern is to ensure that organisations deal with personal information properly in the future.
Assessments can help us decide whether we should take action against a particular organisation. If an organisation refuses to take its responsibilities under the DPA seriously, then we may consider formal action to ensure it complies with the law. Please see the enclosed guidance note for more information.
Your complaint to us
In your case, the matters you have raised that are relevant to the DPA relate to the sixth data protection principle. This states that:
‘Personal data shall be processed in accordance with the rights of data subjects under this Act’.
Individuals have a right under the DPA to make a request in writing for a copy of the information an organisation holds about them electronically and in some manual filing systems, commonly known as a subject access request (or SAR). They are also entitled to be given a description of the information, what the organisation uses it for and who they might pass it on to, along with any information it has about the source of the information.
Organisations should respond promptly to the request and, in any case, within 40 calendar days.
It should be noted that an individual is entitled to copies of their personal data in permanent form, but not copy documents, or data in a specified format.
You are concerned that you did not receive all the personal data you requested. In particular you have referred to ‘exact dates of default, termination and sale, details and proof of exactly who sold to’, although you do not appear to have requested all of these in your request to WFS.
What we have done in this case
We have written to WFS to ask:
· what happened in this case;
· if it is likely there has been a breach of the DPA, what it has done (or intends to do) to put the matter right; and
· what safeguards it has in place to help ensure it handles personal data properly.
This is so we can decide:
· whether it is likely or unlikely that it has complied with the DPA in this case; and
· whether we think that further action is appropriate at this point.
You should be aware that we cannot award you compensation if an organisation has failed to comply with the DPA. However we may ask it to change the way it works in the future. We encourage all organisations to take steps to solve problems and to demonstrate to us that they take their responsibilities under the DPA seriously.
We have now received a response from the organisation.
In this case we have decided that it is unlikely that WFS has complied with the requirements of the DPA.
This is because it does not appear that WFS fully complied with your SAR.
WFS explained that your SAR was received on 22 April 2010 and that all the documentation it holds was sent on 11 May 2010. WFS confirmed that the documents included:
notes made on your account over the life of his loan; and
a Statement of Account.
It also explained that it received another letter from you on 1 June 2010 saying that you had not received all the requested information. I understand that the same documents were resent to you on 4 June 2010. WFS then received two further letters from you on 3 August 2010 and 24 February 2011, again asking it to send all the information held for your account. In both instances WFS states it again provided your personal data as held.
WFS explained that although all the information it holds concerning you was sent to you, it was not made clear to you what documentation WFS does not hold. WFS explained in reference to your ten point list showing on your request that it no longer holds these, or has already provided them to you. In any case, it should be noted that not all of these documents, such as terms and conditions, are considered to be your personal data and therefore you are not entitled to them under the right of subject access.
In terms of point ‘7’ of your list, describing the use of your personal data, WFS considered this particular request not to be applicable.
It also further clarified that your account was sold to HFO Services on 6 February 2008, but that these details are not recorded within the information WFS holds for you and therefore not included in the SAR documentation sent you received.
However, section 7(b) of the DPA states that an individual is entitled:
‘to be given by the data controller a description of—
(i) the personal data of which that individual is the data subject,
(ii) the purposes for which they are being or are to be processed, and
(iii) the recipients or classes of recipients to whom they are or may be disclosed’.
You appear to have requested these details in your SAR, under points ‘7’ and ‘8’. It is recognised that WFS sold the account prior to your SAR, however, WFS continued processing your personal data by holding your details and, as a result, should have provided the above details in response to your request. The fact that WFS has been able to provide the details of whom your personal data has been disclosed demonstrates that this information is available to it to be able to be provided. It is also unclear why WFS is not able to describe to you the purposes for which your personal data are processed. These descriptions will usually cover the general purposes for processing and the general class or type of recipient of your personal data, rather than necessarily the specific organisations.
In light of all of the above, WFS appears unlikely to have complied with the DPA in this case.
However, the Information Commissioner has decided that further regulatory action is not appropriate at this time.
When deciding whether regulatory action is appropriate, we take into account the organisation’s general record of compliance with the DPA (including any previous assessments we have made) and any other information that is in our possession (including information given during the course of those assessments).
Most organisations want to put things right when they have gone wrong and learn from complaints that are raised with them. Although we are not taking further regulatory action at this time, we have asked WFS to consider the information we have provided during the course of this assessment and take steps to prevent the situation from happening again. We have recommended that WFS should provide you with the information you are entitled to under section 7(b), unless it has now already done so.
We will keep a record of your complaint and take this assessment decision into account if we receive further complaints about WFS. The information we gather from complaints may form the basis for action in the future.
This matter is now considered closed. Thank you for bringing it to our attention.