Just got a reply from ICO re my complaint...
30th November 2006
Thank you for submitting your complaint and supporting information regarding Barclaycard. Please accept my apologies for the delay in my reply. Our investigation into this matter has taken longer than initially anticipated.
Complaints such as yours are treated as 'requests for assessments' under section 42 of the Data Protection Act 1998 (the Act). When we receive a request for assessment, in most instances we have a duty to assess whether it is likely or unlikely that the processing in question has been carried out in compliance with the Act. However, we have discretion as to how we carry out the assessment and as to what action, if any, to take.
I understand from your correspondence that you made a subject access request (SAR) to Barclaycard and made specific reference to bank statements and to charges levied on your account. Barclaycard responded by confirming that it would supply you with information from your bank statements from May 2004 onwards; however statements prior to this date would only be provided at a cost of £3 per sheet. It went on to explain that this was because these older statements were only stored on microfiche which is not a relevant filing system for the purposes of the Act so did not have to be provided as part of a SAR.
It may first be helpful to clarify that although the information contained within your bank statements, such as details of transactions, is considered to be personal data under the Act so must be supplied in response to a SAR, the Act simply states that personal data must be supplied in an 'intelligible form'. This means that the information you have requested must be provided if it is held as personal data, but not necessarily in its original format i.e. as a bank statement.
As you may be aware, the Act only applies to 'personal data' i.e. information which is processed electronically and which relates to a living, identifiable individual. Information which is held in some manual (non-computerised) records can also be personal data for the purposes of the Act if it is stored in what is known as a 'relevant filing system'.
The Information Commissioner's Office (ICO) produced guidance to help data controllers such as Barclaycard decide whether or not manual records were stored in a relevant filing system; however this was amended following a Court of Appeal ruling a number of years ago (Durant v FSA 2003). In light of the outcome of this case, the ICO revised its guidance and narrowed its interpretation of what constitutes a relevant filing system. This guidance suggests that unless the filing system is highly structured, it will fall outside the scope of the Act and led us to conclude that in our view most manual records fall outside the definition of personal data.
We recognise that the definition of a relevant filing system is open to interpretation and that not all parties will agree. During recent months we have once again been reviewing our interpretation of what constitutes a relevant filing system and intend to publish new guidance in the near future, although this is not as a direct result of the recent issues surrounding bank charges. The new guidance is likely to represent a significant shift in emphasis from our existing guidance and our view will be that many more manual records are likely to fall within the scope of the Act.
Following your complaint and others like it we contacted Barclaycard for a detailed explanation of its microfiche system, including how the information in it is stored and retrieved. It was not clear from the response whether or not the system was a relevant filing system; therefore Barclaycard invited me and a number of my colleagues to inspect it and see the system in operation.
Following our visit, we concluded that the microfiche system used by Barclaycard is a relevant filing system for the purposes of the Act. This means that in our view the information is personal data and should have been supplied as part of your SAR within 40 days and for a maximum fee of £10. As a result, it is our view that it is likely Barclaycard has contravened the sixth data protection principle, as this requires data controllers to process personal data in accordance with data subjects' rights.
As I explained above, we are currently reviewing our guidance on relevant filing systems and are placing greater emphasis on the types of systems that are covered rather than those that are not. This will be based on practical examples of non-computerised filing systems. Our decision in this case has been made with this shift in emphasis in mind and it appears that Barclaycard disagrees with us. In light of the Durant ruling and our subsequent guidance, it is difficult to maintain that Barclaycard has acted unreasonably in this matter and it could plausibly argue that its interpretation and subsequent actions were consistent with the accepted view. If this occurs it will be for the Information Tribunal and ultimately the courts to decide which, if either, interpretation of a relevant filing system is correct.
We have informed Barclaycard of the outcome of our investigation and I will now write to it under separate cover with details of your complaint. If it has not done so already, I will instruct Barclaycard to provide you with the personal data you requested as part of your SAR.
It may be helpful to explain that a contravention of one of the data protection principles is not itself a criminal offence and the Information Commissioner has no power to 'punish' a data controller. In such instances, the Commissioner will seek a resolution to the contravention and once satisfied that it has been remedied then in general no further action will be taken.
In addition, section 13 of the Act gives individuals the right to claim compensation if they have suffered damage as a result of a contravention of the Act. If this is something you are interested in pursuing, I recommend obtaining legal advice and pursuing the matter through the courts. The Information Commissioner is cannot comment or advise upon any claim for compensation.
Thank you for brining this matter to our attention. Your case will now be closed.
Casework and Advice Officer