The Information Commissioner's decision - Official

[BankFodder]

Request for Assessment - Abbey.

 

I write to you further to my previous letter dated *******

 

I would like to begin by offering my sincere apologies for the time it has taken to provide you with a substantive reply to your complaint against Abbey.

 

 

Your complaint

 

You complained to the Information Commissioner that Abbey had not properly responded to your subject access request of ********.

 

Abbey informed us that they were providing the automated 'transactional' data to their customers within the statutory 40 days permitted under the subject access provisions of the Data Protection Act 1998 (the Act). Abbey believed that their microfiche system (where all transactional data is stored after 18 months) was not caught by the Act.

 

This meant that many customers only received 18 months of account statements in response to their subject access requests within 40 days. We understand that Abbey were, and are, continuing to provide information held in their microfiche system but that because of the volume of requests involved this has often been outside of the statutory 40 days.

 

 

 

 

 

 

Our view

 

Following a Court of Appeal ruling (Durant v Financial Services Authority 2003) the Information Commissioner revised his view as to what constituted a 'relevant filing system'. The Commissioner's interpretation of the Court of Appeal judgment was that unless a manual filing system was considered 'highly structured' it would not fall within the scope of the Act.

 

The Information Commissioner published guidance following the Durant case. Of particular importance, he said that most manual filing systems would not be caught.

 

We recognise that the definition of a "relevant filing system" can be construed differently. We have been reviewing our guidance on personal data and the proper interpretation of a relevant filing system for some time. In the next couple of months it is likely that we will be publishing revised guidance in this area which is likely to represent a significant move from our earlier view that most manual filing systems are not caught by the Act. This however, has not been driven by the bank charges issue.

 

 

 

Our investigation

 

With the intention of reaching a swift and clear resolution to the matter, we wrote to Abbey for a full description of their microfiche system. We were not convinced that their system fell outside the scope of the Act and so with Abbey's cooperation a small team went to inspect and review their microfiche system in operation.

 

 

Conclusion

 

The Commissioner is mindful that Abbey are responding to requests for microfiche data, albeit outside the statutory 40 days. We also note that they are now charging a nominal £10 fee per request instead of £10 per account.

 

It is our view that Abbey's microfiche are stored within a relevant filing system and that it is likely that they have contravened the sixth principle of the Act, which is concerned with the rights of individuals, including subject access.

 

If necessary, it would be for the Information Tribunal, and ultimately the Courts, to determine which, if either, interpretation is correct. However, we accept that Abbey may have a different interpretation of a relevant filing system. Further, we also recognise that Abbey may well plausibly argue that their interpretation is consistent with our current guidelines. I will now provide Abbey with details of your complaint under separate cover so that they can ensure your request has been, or will be, dealt with.

 

It may be helpful for me to explain that a contravention of one of the Data Protection Principles is not itself a criminal offence and the Commissioner has no power to "punish" a data controller. In such instances, the Commissioner will seek a resolution to the contravention and once satisfied that it has been remedied then in general no further action will be taken.

 

Thank you for bringing this matter to the attention of the Information Commissioner's Office.

 

Yours sincerely

 

 

____________________________________________________________________

If you are not the intended recipient of this e-mail (and any attachment), please inform the sender by return e-mail and destroy all copies. Unauthorised access, use, disclosure, storage or copying is not permitted.

Communication by Internet e-mail is not secure as messages can be intercepted and read by someone else. Therefore we strongly advise you not to e-mail any information which if disclosed to unrelated third parties would be likely to cause you distress. If you have an enquiry of this nature please provide a postal address to allow us to communicate with you in a more secure way. If you want us to respond by e-mail you must realise that there can be no guarantee of privacy.

Any e-mail including its content may be monitored and used by the Information Commissioner's Office for reasons of security and for monitoring internal compliance with the office policy on staff use. This includes the content of e-mails. E-mail monitoring / blocking software may also be used. Please be aware that you have a responsibility to ensure that any e-mail you write or forward is within the bounds of the law.

The Information Commissioner's office cannot guarantee that this message or any attachment is virus free or has not been intercepted and amended and you should perform your own virus checks.

____________________________________________________________________

http://www.ico.gov.uk or e-mail: [email protected]

Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Tel: 01625 545 700 Fax: 01625 524 510

The original of this email was scanned for viruses by Government Secure Intranet (GSi) virus scanning service supplied exclusively by Cable & Wireless in partnership with MessageLabs.

On leaving the GSI this email was certified virus free.

The MessageLabs Anti Virus Service is the first managed service to achieve the CSIA Claims Tested Mark (CCTM Certificate Number 2006/04/0007), the UK Government quality mark initiative for information security products and services. For more information about this please visit CSIA - CSIA Claims Tested (CCT) mark

...

[kia]

so does that mean they get away with again!!XXkia

[veryannoyed]

It may be helpful for me to explain that a contravention of one of the Data Protection Principles is not itself a criminal offence...

 

Isn't it? - I was under the impression it was, which was howcome we could force compliance via a court?

[Odd Fellow]

I think this is the best we could have hoped for overall.

 

We know that the ICO has limited powers to "enforce" and we're also aware that ultimately, it would be case law that would fully decide whether it's relevany or not.

 

However, I would doubt that a judge would ignore these findings from the ICO. Whether or not it is enough to keep claims within the small claims court or not is another matter.

 

I would guess that would continue to try to force multi-track on this now as it is still a credible method of scaring the ***t out out claimants and in many cases (because the ICO ruling is not cut & dried) would have the desired effect of claims being dropped.

[Jane Austen]

Received my letter today also. Now I'm waiting for the statements which I originally requested 30th March and sent LBA for on 23rd October. Then I'll be able to put a second claim in for charges up to 2003.