SAR -excuses given

[gyzmo]

You may or may not know of my little diary detailing my claim against LTSB. Anyway, I got some info, but here's a summary of what they said in the covering letter: (link first and then the details)

 

http://www.consumeractiongroup.co.uk/forum/payment-protection-insurance-ppi/170134-gyzmo-ltsb-diary-claim.html#post1963450

 

1. Apology for the delay.

The delay they say is down to the lack of a signature, and the need to obtain it by sending a "further info request" form. The lack of signature did not stop them, however, sending me some summary statements in the same envelope, nor did they explain that the form was for a signature! Anyhows, I am not that bothered about that unless I can penalise them for it.

 

The rest is of more concern:

 

2. A loan opened in 1995 is not included due to time passed, and docs no longer available. I'm not too sure if this is problematic (it's a friends credit card, not mine but I am writing this as though it is mine). Is this more to do with Limitation Act?

 

3. They say the majority of contracts are not held in relevant filing systems and therefore are not subject to rights of access under Data Protection Act. EH? Where are they storing them then? A bin? Just where then are they keeping my agreements?

 

4. They want to know if I want copies of any emails that I know of that may have been sent within LTSB. Erm, well given I don't work there and dont have access to a crystal ball....

 

5. They don't provide a concise breakdown of how they arrive at their charges. Hmm, Well they are all over the £12 anyway so I'm claiming on that,

 

6. They don't hold details of manual interventions

 

7. Details of when records have been deleted apparently do not constitute personal data. Pity I asked what information it was that was deleted.

 

8. They want me to give dates and times of phone calls. Well, if they checked their records and see notes "cust called today etc etc" then they will have the info.

 

9. Missing info. as well as any referred to above, there's the agreements (which they apparently do not hold - a CCA is getting fired straight off to them!) as well as other details from a couple of other departments which they are waiting for a response on.

 

Any comments on these points?

[42man]

Have you had a read of this - this might be a better option

 

http://www.consumeractiongroup.co.uk/forum/legal-issues/173201-why-you-shouldnt-use.html

[gyzmo]

Thanks. I'm still stuck on a couple of things though.

 

When they say the majority of contracts are not held in relevant filing systems, they are I believe, referring to CCAs? If so, then where are they stored and how do I get a copy under DPA? They have already stated that anything on microfiche etc has been included.

[palomino]

Your agreement is probably stuck in the middle of large box stored in an old aircraft hangar somewhere. While the box is probably identifiable the logistics of moving all the thousands of other boxes that have been stored in front of the one containing your agreement is probably very expensive - which is why they wriggle and squirm to avoid doing it.

 

You have to be persistent.

[gyzmo]

But can they get away with it under DPA? If they have put it into something that is not classed as a relevant storage system, then a request for that info, given that what they say about the storage system is valid, can be refused. How do I get round it?

[gyzmo]

Anyone?

[bazaar]

Theyre blowing smoke up yer jacksey.

They know exactly what you want, so theyve sent you no agreements?

did you request them on your SAR?

[palomino]

But can they get away with it under DPA? If they have put it into something that is not classed as a relevant storage system, then a request for that info, given that what they say about the storage system is valid, can be refused. How do I get round it?

 

No they can't. They are trying a snow job on you.

[supasnooper]

If they haven't sent you everything you've asked for then take them to court for non-compliance. .....and report them to the Information Commissioners Office. Reporting them to the ICO cost them £500 if they are investigated.

 

http://www.consumeractiongroup.co.uk/resources/templates-library/48-bank-templates/129-data-protection-act-non-compliance-template-letters-

[gyzmo]

But the problem is that they are saying that the agreements are not held in a relevant filing system. If that is true, then they have not, on this point, fallen foul of DPA and I do not see a cause for complaint.

 

My only choices that I can see here are:

1. Call them liars

2. Enquire further as to how they are held

3. Do a few CCAs and, if found, then argue that they must be held in a relevant filing system, otherwise how would they find them?

 

I'm sure 1 is possibly correct, that 2 would take time and 3 even more so (though would have the advantage of at least temporary unenforceability if late)

[supasnooper]

Report them to the ICO then - it's more ammo for you and costs them £500 for being so ignorant of your request.

 

The complaint can be done online and the ICO are taking about 3 weeks to start investigating.

 

Complaints about data protection policy - ICO

 

Get it done now !!

[gyzmo]

Sorry, but I don't think this problem is quite being understood.

 

LTSB have said that the information in question is not held in a relevant filing system.

 

The DPA states that, where information is not in a relevant filing system, it is exempt from a SAR.

 

LTSB then, on that basis, have not contravened the DPA.

 

On what grounds therefore do I have to complain to the ICO?

 

It's all very well saying they are giving me the runaround, but I cannot make an accusation without proof and expect to win. Does the DPA or some other legislation state that this information MUST be kept in a relevant filing system?

[Bookworm]

The grounds to complain is that they have told you that the data isn't kept in a relevant filing system, but haven't told you what that system is supposed to be, so you are asking the ICO to investigate this, as you suspect they are not telling you the whole truth.

 

For a very long time, B/card and Abbey used the same tactic, stonewalling us by saying that microfiche didn't fall under the definition of relevant filing system, and it took an ICO investigation to force them to comply. (and even then, they churlishly said in their letters they didn't agree with the ICO, but would comply nevertheless, presumably out of the goodness of their hearts. ).

[gyzmo]

THANK YOU!!!

 

Now as to the rest of it....

 

Do deleted data not constitute personal data?

Where they are asking for telephone calls, can I ask them to refer as to when any notes have been entered, and such notes indicate that they were entered as a result of a telephone call, that they should then check their records as appropriate?

[Bookworm]

Well, if it's deleted, whether it was personal or not is not going to make a lot of difference. :-? It can't be retrieved.

 

One of the ways in which CAG has changed the way the financial institutions is that before us, they used to keep things for a long time, rather randomly depending on the company. As damage limitation, now all data is routinely get rid of after 6 yrs... funny, that.

 

As to when the data was deleted, no, that would be internal workings and wouldn't constitute personal data.

 

(not sure what the question meant, so answered both possibilities. )

[skeptic]

All the good stuff on the ICO is in the "guidance" sections and particularly here Legal Advice

 

 

Which manual data are covered by the Act?

...Some manual data are now also included within this definition. Non-automated information may be found in a variety of different media e.g. paper files, rollerdex, non-automated microfiches. Data controllers should examine all their non-automated information systems (referred to in this chapter as "manual information") in order to determine how far the Act applies to personal data processed in those systems. To be subject to the Act, the manual information must fall within the definition of "data" in the Act. As indicated at paragraph 2.1© above, data includes information which is recorded as part of a "relevant filing system" or with the intention that it should form part of a "relevant filing system". The term "relevant filing system" means:-

"any set of information relating to individuals to the extent that, although the information is not processed by means of equipment operating automatically in response to instructions given for that purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible".

It is not wholly clear how this definition translates in practical terms in all conceivable situations. The Commissioner can only give general guidance; the final decision in cases of dispute is a question for the Courts. Whether or not manual information falls within this definition will be a matter of fact in each case.

The Act does not define what is meant by "readily accessible". In deciding whether or not it is readily accessible, a suggested approach is to assume that a set or sets of manual information which are referenced to individuals (or criteria relating to individuals), are caught by the Act if they are, as matter of fact, generally accessible at any time to one or more people within the data controller’s organisation in connection with the day to day operation of that organisation.

 

When asked to consider the proper meaning of "relevant filing system", the Court of Appeal held that manual records are covered by the Data Protection Act 1998 "only if they are of sufficient sophistication to provide the same or similar ready accessibility as a computerised filing system" (Durant v Financial Services Authority CA 2003 on 8th December 2003).

Durant is, I believe, still the leading case on the point and a full discussion of its impact is here.

They say the majority of contracts are not held in relevant filing systems and therefore are not subject to rights of access under Data Protection Act. EH?

Is this verbatim? Is so, you must be entitled to say that it is irrelevant how the majority of the contracts are held, since the DPA relates to personal data... therefore the only issue is how your data i.e. contract is held.

Indeed, their statement appears to be an admission that some of the contracts are held in relevant filing systems...

[gyzmo]

Thanks for that, I shall bear it in mind when they reply!

[bazaar]

A relevant filing system is defined in the Act as "any set of

information relating to individuals to the extent that, although

the information is not processed by means of equipment

operating automatically in response to instructions given for

that purpose, the set is structured, either by reference to

individuals or by reference to criteria relating to individuals, in

such a way that specific information relating to a particular

individual is readily accessible

 

So you are entitled to ask what they class as a non relevant filing system so that you can determine whether they are trying it on like Barclays have done in the past as BW described

Edited February 10, 2009 by bazaar
tmi + added comments

[gyzmo]

I understand the more basic test is whether a temp employee can find the information without specialised training. If hey cannot, it's not a RFS.

 

Anyhows, my letter has been posted off and I shall await their excuse, sorry, response!

[joneseyblod]

Interesting info on relevant filing systems

Edited February 11, 2009 by joneseyblod
wrong thread