Signing a SAR...

[legalpickle]

Hi All,

 

I have been told by some, and heard, that one does not need to sign a Subject Access Request. In principle, I have never signed them, and always advised others not.

 

However, some financial institutions are now insisting that I and a friend sign our Subject Access Requests.

 

Can any of the experienced members on here please point me in the direction of something from the Information Commissioners Office or another reliable source, such as a legal precedent, that expressly makes clear that one does not need to sign a SAR?

 

Ta,

legalpickle

[Conniff]

It depends what you mean. If your meaning is that you leave it blank then I believe they can ask for it to be signed.

If, on the other hand, you mean they require it in hand writing, then they cannot insist on that:

 

Interpretations Act 1978

 

"Writing" includes typing, printing, lithography, photography and other modes of representing or reproducing words in a visible form, and expressions referring to writing are construed accordingly.

 

The request for a friend to sign also can work to your advantage as he is just confirming that is your signature so you can put any sort of mark on the paper, an ink blot with your middle toe would be sufficient as your friend has then confirmed that it is you that has signed it and no one else.

 

Morton v. Copeland (1855) 16 CB 517, 535 per Maule J, who said that signing 'does not necessarily mean writing a person's Christian and surname, but any mark which identifies it as the act of the party.'

[42man]

I have seen a document (it was a leaflet made available on the ICO website - and it has gone now) and I think it was guidance for Data Subjects, and it did say they could request a signature LP....

[42man]

http://www.ico.gov.uk/upload/documents/library/data_protection/practical_application/checklist_for_handling_requests_for_personal_information.pdf

[buzby]

I've said it before and I'll say it again, NOT signing is both pointless and disingenuous. If you actually WANT the information, then it is only reasonably you identify yourself as the requestor - the chances are, they probably already know what your signature is, and by giving confirmation of this it allows thm to release your personal information that would otherwise be correclty withheld (as it is of no business of anyone else).

 

The prospect of them possibly using the sujpplied signature to perpetrate a fraud (say, by cutting and pasting your SIG) is easily addressed by those who are suspicious, is to make a slight amendment to your sig, that only you will notice, and in the unlikely event of it being copied, you can prove it. As all signatures vary with no two being identical, I don;t believe any firm would risk a fraud enquiry.

 

Sign - and keep a copy for your files.

[haggis1984]

[http://www.ico.gov.uk/upload/documents/library/data_protection/practical_application/checklist_for_handling_requests_for_personal_information.pdf

 

Section 2:

 

2 Do you have enough information to be sure of the requester’s

identity?

Often you will have no reason to doubt a person’s identity. For example, if a

person with whom you have regular contact sends a letter from their known

address it may be safe to assume that they are who they say they are.

 

No

If you have good cause to doubt the requester’s identity you can ask

 

them to provide any evidence you reasonably need to confirm it. For

example, you may ask for a piece of information held in your records

that the person would be expected to know, such as membership

details, or a witnessed copy of their signature. Once satisfied, go to 3.

Yes

 

 

Go to 3.

 

 

In most case when a debtor makes an SAR the bold area would apply. I couldnt disagree more with buzbys statement that it is 'disingenious' to withold your signature on an SAR - indeed there is nothing in the ICOs good practice notes to support this statement. If anything its a disingenious stalling tactic of the creditor to insist on a signature.

[buzby]

Disagree away. I put unsigned letters in the bin.

 

Since there will usually be a payment (in respect of the SAR) we've had the incredible scenario of a CAGger not signing the SAR request, BUT SIGNING THE CHEQUE! Even then, the firm refused to supply the details as they said they would not release anything without the Subject's signature.

 

As for the ICO's 'good practice' - these are guidelines, and not mandatory - and unless you can provide a better reason for NOT providing a signature as a way of proving who you are, you'll be banging your head against a brick wall untill senseless. Life is complicated enough, without causing more problems for yourself. If someone got my private info because of not providing MY signature, I'd sue them for lack of care.

Edited October 6, 2009 by buzby

[haggis1984]

I gave a friend a tenner and got them to write a cheque

 

Never had any prob getting an unsigned SAR satisfied - I just pop a copy of those good practice notes in with the SAR and refer to them. Id advise others to do the same.

[buzby]

Others send a Postal Order - but the point is if there is nothing to prove the requester is actually the Data Subject, the firm has every right to reject the request.

[legalpickle]

Thanks all for your posts.

 

1. Obviously when sending a cheque in your own name, not signing is ridiculous. Whoever did that was plain stupid.

 

2. I am talking about where the address to where the SAR documents are to be sent is the same address as the one on the account. Obviously where it is different, the Data Controller would be irresponsible if they agreed to the request without some proof of identity.

 

3. Conniff: But if one were to sign in a mark that is not the signature that is on record with the company, I believe that this would leave the company in doubt that the request is being made by the account holder. In my opinion this would confuse matters further. The whole point of the signature is to show a proof of identity.

 

4. buzby: I must also disagree that it is "disingenious" to not sign a request. Yes, as I wrote above it's stupid to sign the cheque of your own name and refuse to sign the request, but it has occurred that financial institutions - probably actually a few dishonest people within financial institutions - have copied signatures.

 

I think the conclusion is, that if you don't want to provide your signature, because you do not trust the company not to copy it - which unfortunately has happened before - provide a copy bank statement or utility bill in your name, and a copy of the ICO rules which show that nowhere does it state that one must sign, only that one must provide sufficient evidence that the requester is the account holder, or acting with the authority of the account holder. So combined with the address being the same as the address on record and sending copy of a bank statement in the account holder's name is more than sufficient - and it would be unreasonable to refuse such a SAR.

 

MBNA asked my friend to sign the SAR but sent him a copy of the alleged agreement without him being required to do so after him sending an unsigned CCA disclosure request in the same letter.

 

Another company insisted my friend supply authority from his wife as well - despite them living together - or they would have to censor information on the record relating to her. But they wrote that the account was a joint account, her name & date of birth! [Those are the only details on the account besides for her signature that relate solely to her on the said account].

 

I think all of us intelligent ones can see that this is proof of the incompetence inherent within financial institutions.

 

Feel free to continue this interesting discussion on the DPA. I'm sure we could all benefit from sharing such experiences and knowledge.

[buzby]

I think I mentioned in an adjacent thread - IF the reason of NOT signing is because you are afraid they will somehow 'copy' the signature and by doing so making things more difficult for you overlooks a few blinding obvious points:

 

(1) They probably know what your address looks like anyway, as you have supplied it before in some form previously. If they were going to forge your signature, why would they only do so from your SAR request, not from any previous letters or applications?

 

(2) Notwithstanding (1) above, if you are shown any signature you do not recognse as your own, would permit you to challenge it as forged, and then opens up a whole new raft of trouble for the company- an action for fraud, where there was only a civil dispute previously.

 

(3) Signatures are not what they once were - lack of a signature nowadays does not prove the absence of a contract, a regular payment for services has long established the precedent in this electronic age.

 

(4) If you need to provide a 'specimen' signature to prove you are who you say you are - a minimal modification two one or two letters that you never ordinarily do, but DID on your SAR application would be stunning to discover the same style appearing in another document supposedly signed years previously - that would be fantastic.

 

The situations of using the standard address they've used is NOT good enough - there was an instance when it transpired a son was manipulating his elderly mother's financial affairs and was trying to diddle her, without signing anything. Fortunately HE didn't succeed - which is why a signature is as much anout PROTECTING you as it can ve about possibly harming you.

 

The odds remain on the side of the consumer, but only if he signs. And as you'll note from the embedded ADVERTS within the words promoting the 'SignGuard' signature strip within this message - whilst this prevents photcopying, it has limited use - but why pay for something you don't really need?

Edited October 7, 2009 by buzby

[haggis1984]

I think I mentioned in an adjacent thread - IF the reason of NOT signing is because you are afraid they will somehow 'copy' the signature and by doing so making things more difficult for you overlooks a few blinding obvious points:

 

(1) They probably know what your address looks like anyway, as you have supplied it before in some form previously. If they were going to forge your signature, why would they only do so from your SAR request, not from any previous letters or applications?

 

(2) Notwithstanding (1) above, if you are shown any signature you do not recognse as your own, would permit you to challenge it as forged, and then opens up a whole new raft of trouble for the company- an action for fraud, where there was only a civil dispute previously.

 

(3) Signatures are not what they once were - lack of a signature nowadays does not prove the absence of a contract, a regular payment for services has long established the precedent in this electronic age.

 

(4) If you need to provide a 'speciment' signature to prove you are who you say you are - a minimal modification two one or two letters that you never ordinarily do, but DID on your SAR application would be stunning to discover the same style appearing in another document supposedly signed years previously - that would be fantastic.

 

The situations of using the standard address they've used is NOT good enough - there was an instance when it transpired a son was manipulating his elderly mother's financial affairs and was trying to diddle her, without signing anything. Fortunately HE didn't succeed - which is why a signature is as much anout PROTECTING you as it can ve about possibly harming you.

 

The odds remain on the side of the consumer, but only if he signs. And as you'll note from the embedded ADVERTS within the words promoting the 'SignGuard' signature strip within this message - whilst this prevents photcopying, it has limited use - but why pay for something you don't really need?

 

(1) There is no way it can be stated as fact that they have probably seen your signature elsewhere. When requesting a CA with an SAR theres a fair chance the debtor has never written to the organisation before, and the only copy of the debtors signature the organisation could possbly have is on the agreement. If no such agreement exists there is no way to establish the validity of the SAR signature rendering it useless. In instances such as this when the organisation is aware that they have no signaute on file it is frivilous on their part to insist on a signed SAR.

 

(2) Why even allow for the possibility of fraud?!

 

(3) This point is self defeating - if it's acknowledged that signatures are not what they once were why on earth is one required for a SAR? Otherwise refer to (1)

 

(4) This would be far from fantastic (see (2)). Yes you have an opportunity to push for a fraud conviction and a compo payout but imagine the sheer scale of extra hassle and invonvienience this would cause.

 

With regard to the standard adress issue - if it's good enough for the ICO (lets not forget they are the leading data protection authourity in this country) then it should defo be good enough for commercial organisations.

 

A son manipulating his elderley mother is indeed disturbing. Howver, bringing this into the argument clouds what should be a rational issue with an emotive one. If the son had succeeded whilst the organisation in question had followed the ICO's guidance it certainly wouldnt have been the organisations fault. And in an situation like this how hard would it really have been for him to trick her into signing letters?

Edited October 6, 2009 by haggis1984

[buzby]

(1) Irrelevant. I would claim the chances are greater that your signature would be somewhere in their files - but even if they weren't, NOT signing because they 'might' cpy your signature is ludicrous.

 

(2) Because it protects EVERYONE.

 

(3) Because their lack of use nowadays is working AGAINST te consumer? You seem to think it is a plus! If firms HAVE to obtain a signature to confirm agreement to T&C's consumers woud be in a much strnger position.

 

(4) Hassle for who? The police? Shame. For once it is no longer a 'civil matter' but a criminal one. I'm surprised you cannot see the benefit.

 

What the ICO thinks is 'good enough' is fine for him. His interests are not mine, and probably never will be. Regarding the last paragraph - it was actually the daughter, but the example was not provided for emotive issues, it was for proof that the signature protects you to a greater degree. Following your suggestions for 'proofs' all could be addressed with minimal difficulty by the family - which all changes when the signature is required. As for tricking her - this wasn't an issue, she was already dead!

[haggis1984]

(1) Irrelevant. I would claim the chances are greater that your signature would be somewhere in their files - but even if they weren't, NOT signing because they 'might' cpy your signature is ludicrous.

 

Any reasoning behind this statement? For example I suggested the oppositee with reasoning that most people rarely write to their creditor, so without a signed agreement its likely the creditor has no signature on record.

 

(2) Because it protects EVERYONE.

 

This is not a good reason to even allow for the opportunity of fraud. Its like leaving your car unlocked on the grounds that if someone steals it they may get caught and consequently there is 1 less criminal on the streets.

 

(3) Because their lack of use nowadays is working AGAINST te consumer? You seem to think it is a plus! If firms HAVE to obtain a signature to confirm agreement to T&C's consumers woud be in a much strnger position.

 

It wasnt stated whether the declining use/value of a signature is either good or bad for the consumer. Simply stated that if signatures no longer have the intrinsic value they once had this is even less of a reason for one to be required on an SAR.

 

(4) Hassle for who? The police? Shame. For once it is no longer a 'civil matter' but a criminal one. I'm surprised you cannot see the benefit.

 

Seems to me that the suggestion is in this instance that being a victim of crime would be an advantage to the consumer?! This is mind boggling. Any victim of crime (no matter how frivililous) will tell you that it is far from a walk in the park to secure a prosection.

 

What the ICO thinks is 'good enough' is fine for him. His interests are not mine, and probably never will be. Regarding the last paragraph - it was actually the daughter, but the example was not provided for emotive issues, it was for proof that the signature protects you to a greater degree. Following your suggestions for 'proofs' all could be addressed with minimal difficulty by the family - which all changes when the signature is required. As for tricking her - this wasn't an issue, she was already dead!

 

In this instance your interests appear to be data protection (please correct if this is a mis-assumption). Data protection is exactly the ICOs interest.

 

It appears the story about the criminal son/daughter could mutate indefinitely to support whichever position you wish to take.

[buzby]

My interests are those concerning the consumer - DP breaches are nothing I can realistically enforce through the courts. Fraud, I can - and not at my expense!

 

If the subject of the data request does not sign the request to prove who they are, the ICO will not pursue a claim for non-compliance as the firm would have reasonable grounds to refuse. If you have the time and effort make life difficult for yourself, be my guest - but the simple fact remains, providing a signature to support a SAR is not the same 'open access' to your lifestyle than - say - agreeing to a Direct Debit mandate.

 

As to your last point, it would allow fraudulent activity following your basis for proof, but not mine - so with the point proved, it seems churlish for you to continue to believe not signing a SAR is someow right and proper.

[haggis1984]

My interests are those concerning the consumer - DP breaches are nothing I can realistically enforce through the courts. Fraud, I can - and not at my expense!

 

If the subject of the data request does not sign the request to prove who they are, the ICO will not pursue a claim for non-compliance as the firm would have reasonable grounds to refuse. If you have the time and effort make life difficult for yourself, be my guest - but the simple fact remains, providing a signature to support a SAR is not the same 'open access' to your lifestyle than - say - agreeing to a Direct Debit mandate.

 

As to your last point, it would allow fraudulent activity following your basis for proof, but not mine - so with the point proved, it seems churlish for you to continue to believe not signing a SAR is someow right and proper.

 

lol im pretty satisfied my points been proved too - dont think we can reconcile here. Anyone interested can clearly see (and take into condsideration if theyre so inclined) both our points of view so im happy.

 

To clarify: My contention was never that it is 'right and proper' to send an unsigned SAR (Ive offered no opinion on this one way or the other). My contention was that it is not 'right and proper' for organisations to use it as an excuse to delay processing an SAR as there exists no legislation/guidance which supports this position.

Edited October 7, 2009 by haggis1984

[frettful38]

I made a request for SAR to HSBC in Dec 08. HSBC required my sig to verify who I was, I sent templates from CAG stating that my sig was not required to release my Data information.

 

After several letters back and fro to HSBC, I put a complaint in the ICO. The Information Commissioners response to my complaint against HSBC reads:

 

ICO's letter to me in MARCH 09

 

Dear xxxx

 

From the information you have provided, it still does not appear that you have provided HSBC Bank Plc with your signature, HSBC Banl Plc has already asked you to do so on five occassions. If you still want HSBC to comply with your subject access request then you should provide them with your signature. If, on providing your signature, HSBC Bank Plc still fails to comply with your subject access request without a legitimate reason within the 40 days period, then you should contact us again. Otherwise, as the situation currently stands, this office is unable to advise you any further on this matter.

 

ICO's letter to me in Feb 09

 

 

Dear xxxxx,

 

From all the information that is now available to me, it is my view that there is no strong indication that HSBC Bank Plc has failed to comply with the sixth principle in this case. This is because the provisions of the DPA 1998 ensure that a Data Controller, such as HSBC Bank Plc, is not obliged to comply with a subject access request unless it is supplied with the information as it may reasonably require in order to satisfy itself as to the identity of the individual making the request and to locate the information which that individual seeks.

 

In the light of this evidence there is no evidence that HSBC Bank Plc has not complied with the DPA 1998 in this case and the matter is therefore considered closed.

 

Since then I have sent HSBC my signature after the ICO were of no help. I sent my signature twice, signed and sent once r/delivery and once s/delivery. Still I have not received my SAR. Now I am at the non-compliance of SAR stage, but WILL NOT BE ISSUING any NI forms before getting proper advice, especially with my track record:D

 

The ICO were of no help.They require us to send our signatures if we want to get anywhere.

[haggis1984]

Lol I stand corrected

[42man]

You might find these (below) useful Fretful.....you have now providied signatures at their request.....and you have been MORE than reasonable in providing what they asked for...!!!

 

http://www.consumeractiongroup.co.uk/forum/lloyds-bank/49571-havinastella-lloyds-tsb-3.html

 

http://www.consumeractiongroup.co.uk/forum/legal-issues/200771-starting-court-claim-sar.html

 

http://www.consumeractiongroup.co.uk/forum/legal-issues/204306-fox-cap1-dpa-sar.html

[frettful38]

Thanks 42man, I would chase them up but am very busy on my other thread at the mo,

 

thanks for the support