Data Subject Access request issues.

[RFC1872]

I recently made a SAR to Capital bank, I never signed the request. I then recieved a reply from them that stated they will not be complying till they received a signed request, I then sent a signed request whilst protesting that I did not need to. I also stated that I expect them to still comply with the 40 day requirement with the countdown starting on the day they received my original request. They then sent the following see below:

 

[car2403]

Doesn't wash with me, RFC - if you are requesting information quoting account numbers and addresses they hold on file, they can't legitimately say they can't send it because you haven't provided a signature.

 

The fact they are sending the information to the address registered as your address is surely enough to satisfy the "identity" issues.

 

Push back and threaten to take legal action to force their compliance - don't rely on the Information Commissioners Office, as that will take too long. (Data Protection Act S.A.R - (Subject Access Request) enforcement will cost you £30 in a local court and you can ask the Court to Judge on the points they are relying on to not supply you)

 

http://www.consumeractiongroup.co.uk/forum/bank-templates-library/6971-data-protection-act-non.html

[RFC1872]

It is my intention to write back and state that sending my personal financial information has never been an issue for capital bank previously. They have always acceptable to them to send all sorts of financial information to my home address, so it should be acceptable now.

 

I will be adding that I have plenty of time to go along with their little games but I will be presenting all correspondce to both the Information Commisioner and my Member of Parliament. I will also be requesting their complaints procedure as I wish to escalate this issue and will take it the whole way to the FOS. Surely they have a duty to ensure all their staff are trained to understand the legislation in regards to all aspects of conducting my financial affairs.

 

Am i wrong here folks if so please tell me and I will just give in on this issue.

[RFC1872]

Doesn't wash with me, RFC - if you are requesting information quoting account numbers and addresses they hold on file, they can't legitimately say they can't send it because you haven't provided a signature.

 

The fact they are sending the information to the address registered as your address is surely enough to satisfy the "identity" issues.

 

Push back and threaten to take legal action to force their compliance - don't rely on the Information Commissioners Office, as that will take too long. (Data Protection Act S.A.R - (Subject Access Request) enforcement will cost you £30 in a local court and you can ask the Court to Judge on the points they are relying on to not supply you)

 

http://www.consumeractiongroup.co.uk/forum/bank-templates-library/6971-data-protection-act-non.html

 

Superb Chris and thanks just what I needed will be sent off tomorrow. I am still intending to raise a complaint that they are either being deliberately obstructive or they are failing to ensure that those dealing with their customers financial matters are properly trained and supervised.

[2Grumpy]

Id and SARs can be a bit of a grey issue.

 

I agree that if you are writing from an address known to them, quoting account numbers, then that should be sufficient identification. That's what the Information Commissioner's website says. They usually seem to have sufficient confidence in identification to demand payment, issue legal proceedings etc., yet for some reason seem reluctant to send out information that can be helpful. Are they trying to suggest that someone else in the same house is trying to get the information? It seems a little far fetched.

 

What are they going to do if the signature on your id doesn't match either the signature that they have or the signature on your request?

 

Of course there is an additional possibility - that they don't have a copy of your signature but they would like keep one & to make sure that the one provided is your usual one.

 

They say that they are now part of Bank of Scotland - is that HBoS? If so, you could walk in to a branch with your Ids and the letter, show them and tell them to sort it. I must admit that I wouldn't let the documents out of my sight or be copied. They can report that they have seen the Id. That should be sufficient. If they want copies, ask why - I can't think of a legitimate reason for them to keep a copy. If it were me I might agree to them recording the number - maybe - if they could put up a good reason why they should. My reason why they shouldn't - data protection!

 

Intrum Justicia insisted on a copy of a driving licence, passport or birth certificate. I sent a copy of a birth certificate. They have "this does not provide proof of identification" printed along the bottom.

 

From my experience, if they demand Id it's because they have something to hide and hope that asking for something that you wouldn't like to send will put you off.

 

Grumpy

[2Grumpy]

Just noticed in their letter - "it is standard industry practice ..."

 

Who gives a **** about standard industry practice?

 

Tell them where to stuff their standard industry practice and stick to the information commissioner's guidelines instead.

 

I still think that walking into a branch might be the only way forward if it is practical. If you go to court the judge or their solicitor might ask why you didn't just send a copy of your id.

 

Grumpy

[RFC1872]

Ok interesting development on this and one which now means I will be going full steam ahead with LBA and then Sherriff Court. Last week(sorry for delay in updating, been snowed under with work) I recieved info from another S.A.R - (Subject Access Request). Now i have went down the identical route with both the Crapital Bank and and the later S.A.R - (Subject Access Request) referred to above. Now the Crapital Bank one have been sending all sorts of financial info to my address constantly up until I SAR'd them the other SAR has not written to me for a number of years now. Yet its crapital bank that is giving it all the '... due to Data protection blah blah and will you jump through hoops before we send you anything out'. Now both these cases share the one denominator they both share the same Data Controller - but both seem to be behaving in contradiction - lets see the Data Controller explain this one in court Also will be registering a complaint with the Information Commissioner.

 

2Grumpy, so much for their 'standard industry practice', Eh???

[RFC1872]

Just noticed in their letter - "it is standard industry practice ..."

 

Who gives a **** about standard industry practice?

 

Tell them where to stuff their standard industry practice and stick to the information commissioner's guidelines instead.

 

I still think that walking into a branch might be the only way forward if it is practical. If you go to court the judge or their solicitor might ask why you didn't just send a copy of your id.

 

Grumpy

 

Surely this can be risky as why should I be giving out copies of my personal ID and in doing so risk them going astray and falling into the hands of the unscruplous, even worse they may even get to their destination;-). Anyhow like your earlier post how easy is to pop into the council office and run off anyones birth lines. As it is only a copy then scan any set of birth lines, photoshop and add in who you want.

[2Grumpy]

When you get the birth certificate to doctor you might notice the bit about it being a criminal offence to do so printed at the top!!

 

(OK I realise you weren't being serious.)

 

When I sent a copy of a birth certificate I sent it via email, black & white, low resolution, reduced contrast & converted to jpg to introdce a little more fuzzyness, but I agree that it's not a good idea.

 

It's good to see that the data controller there is consistently applying industry best practice there. He does seem to have shot himself in the foot there.

 

I suspect that it is industry best practice to frustrate SARs in case they are used for reclaiming unlawful charges or getting useful information to be used against them.

 

Grumpy

[RFC1872]

When you get the birth certificate to doctor you might notice the bit about it being a criminal offence to do so printed at the top!!

 

(OK I realise you weren't being serious.)

 

When I sent a copy of a birth certificate I sent it via email, black & white, low resolution, reduced contrast & converted to jpg to introdce a little more fuzzyness, but I agree that it's not a good idea.

 

It's good to see that the data controller there is consistently applying industry best practice there. He does seem to have shot himself in the foot there.

 

I suspect that it is industry best practice to frustrate SARs in case they are used for reclaiming unlawful charges or getting useful information to be used against them.

 

Grumpy

 

To be honest with you it was my intention to see how they treat both SARs. I had a feeling they would act in this way, so now I can highlight to my MP etc how the bank are just out of control in how they are treating the law of the land with such contempt.