To cut a long story short they refunded the money (with interest) to my wife's account. What they did not say is that they closed the account down first. The explanation for taking PPI payments is that apparently there was an 'administrative error' - yeah, right! We've now asked for a complete disclosure of information:
I bring your attention to my letter dated xx/xx/xxxx requesting a complete list of charges and transactions relating to my account. Unfortunately, you only sent six years worth of copy statements. As the Data Controller, you should be aware that a Subject Access Request requires you to provide complete disclosure of all data that you hold relating to the history of my account. I refer to complete disclosure in its most rigorous sense since it has now been brought to my attention recently that ALL information, no matter how long held on file, must be disclosed fully and in a format that is legible.
It seems that a lot of banks and credit card companies, including Lloyds TSB, wrongly interpret the Data Protection Act 1998 as only needing to disclose six years worth of copy statements. This is entirely wrong. I would also like to point out that The Limitations Act 1980 has no relation to this request at all and has no bearing on the Data Protection Act 1998.
Since there have been security issues in the past with my account I would be grateful if you would now comply with my original request under the Data Protection Act 1998 and provide the following information:
* Full copies of all contracts which you believe exist between myself and your organisation, including copies of any documents you hold in support of same.
* Details of the identity of any individuals or organisations who have provided you with my personal information together with copies of any letters of instruction provided by them, or any contracts entered into between yourselves and the third party, and the relevant dates to which those contracts related.
* Copies of all documents which include any of my personal information including copies of any contracts or invoices, emails or computer records containing my personal information, or any records which pertain to this information.
* Full details and copies of any documents upon which you relied when you have provided my personal or financial information to any individual, organisation or third party.
* Full copies or transcripts of any computer logs or database records kept in relation to myself or in relation to my financial or personal information.
* Full copies of any correspondence in postal, email or any other format which you have entered into with any individual, organisation or third party which contains my personal or financial information, or which pertains to myself.
* Details of all systems you currently have in place to ensure my personal or financial information is kept securely, including details of those officers who currently have control of same, and at the time it was held or provided to a third party.
* Where any previous information or records held have been deleted or disposed of, the methods used to do so, including dates, certificates or references confirming details of destruction. Where you are unable to provide such certificates, please provide a declaration, signed by an authorised officer of your company, confirming the dates and methods of destruction of this data.
* Full hard copy print outs of any of my personal or financial information held in a digital, magnetic or any other format which is held in any archives, backups or other storage devices / locations. And Audio files, specifically recordings of conversations had between myself and your staff regarding all matters relating to my banking history.
* Your registration number with the Information Commissioners Office.
* Your Consumer Credit Licence number.
* Your VAT registration number.
Where reference to emails is given above, these emails should be taken from your email servers or backups / archives held in a magnetic or digital format. These emails may not be present on a user’s local system, and may require the assistance of your IT department / IT providers, who you should contact immediately for their provision.
Please confirm whether you hold a physical file with details of my personal and / or financial information. If so, please provide details and dates of any instance when this file has left your control, to whom it has been communicated, the method of transportation / communication e.g. Royal Mail, courier, by hand, electronically. Please provide a full copy of this file. Where my physical file has left your offices, please provide details of any precautions taken to ensure that my information has not been lost, stolen, misplaced or made available to anybody who does not have authorised access, including those who would use my information for the purposes of identity theft, or registered with any credit agencies. Please also confirm whether any of the documents held within the physical file are computer generated.
Under S.40 of The Administration of Justice Act 1970, if you believe you have provided my information to any organisation, agent, or individual who could, or may have used it for unlawful purposes, you should contact me immediately, and provide full details of their identification and address, together with full details of any instructions you have provided to them. If you have forwarded or communicated my personal or financial information to any person, company, or organisation, please provide a copy of the authority, signed and dated by myself upon which you have relied prior to doing so. As requested above, you should provide copies of any such communications.
Under the Data Protection Act 1998, as a Data Controller, you are responsible for the complete retraction of all information provided to any third party, should I request you to do so, and have a duty to myself to ensure that any personal or financial information I have provided to you is kept securely, and is only communicated to those to whom I have given my express permission / authority.
I would remind you that I have already paid my statutory maximum £10 fee and I am now giving you 14 days to comply with my original request. If you fail to comply in full I shall not hesitate to escalate this matter by making a formal complaint to the Information Commissioner’s Office and I shall seek a County Court Order to enforce compliance. I look forward to your prompt attention regarding this matter.