Should a CCA be provided under SAR? - discussion

[Peterbard]

I contacted the ICO some time ago to clear this up.

I got through to one of their people.

 

He told me that the request included any personal data, and that this would include any documents which contained such information.

When I asked about the requirements of the CCA he was somewhat bemused, they would not even consider the requirements of another act, the request is made under the DPA and that is all that they are concerned with.

 

Personally I have make many SAR requests and have always recieved a copy of the agrement when available.

[Peterbard]

An agreement is not considered "personal data".

 

Really, and does this just apply to regulated agreements, what about an agreement to take a ride on a bus, what about an agreement which had not been executed, what about an agreement when one or both of the parties disputed that there was an agreement.

 

Personal data is personal data, I think you will find.

[jackreacher]

Check out shamrockers Claimants skeleton,para 15 for another reason not to comply with s78

 

file:///C:/Users/Dan/Downloads/aktiv-kapital-skeleton.pdf

 

Posted Today

[goodatresearch]

What not? Its information specifically relating to an individual that can be identified. If a contract signed by 2 parties isn't personal data, then what is?

 

An agreement is not considered "personal data".

[sequenci]

I understand that the data doesn't have to be provided in a particular format so long as it's understandable. As such the actual agreement may not be provided - though the data held within it could be provided albeit in a different format.

[goodatresearch]

When I made a SAR and one hadn't been provided I ask them if there is one available or is is the case they've only checked relevant filinig systems.

 

They've come back and reluctantly admitted they don't have one at all.

 

I contacted the ICO some time ago to clear this up.

I got through to one of their people.

 

He told me that the request included any personal data, and that this would include any documents which contained such information.

When I asked about the requirements of the CCA he was somewhat bemused, they would not even consider the requirements of another act, the request is made under the DPA and that is all that they are concerned with.

 

Personally I have make many SAR requests and have always recieved a copy of the agrement when available.

[Peterbard]

I don't know if this is already on here but anyway

 

http://ico.org.uk/for_organisations/data_protection/the_guide/~/media/documents/library/Data_Protection/Detailed_specialist_guides/PERSONAL_DATA_FLOWCHART_V1_WITH_PREFACE001.ashx

 

‘Personal data’ is defined in Article 2 of the Directive by reference to

whether information relates to an identified or identifiable

individual.

[BRIGADIER2JCS]

What not? Its information specifically relating to an individual that can be identified. If a contract signed by 2 parties isn't personal data, then what is?

This was discussed fully some considerable time ago the scenario is not new.

One of the reasons I remember is that the agreement leaves the creditors hand when it is passed to the data subject at the inception of the account.

 

 

For more information you will need to look through the CAG archives.

[Peterbard]

Notably above there are no exclusions for the type of document, this is irrelevant, the criteria is that it contains personal data. the only conflicting matter which may have an effect on production, is the associated inclusion of restricted information, ie information involving another source which the data controller feels should not be reproduced in an unredacted form.

This would not be a factor in an agrement.

[goodatresearch]

Yes your right, for example instead if providing direct copies of statements, they provide the data in the statements.

 

But as I've said microfiched data should be supplied, Barclay's tried to argue otherwise and the ICO told they they were wrong. Therefore if you ask for everything on microfiche they should comply. I did this with one bank and they provided me with a microfiche of a statement which contradicted the info in the made up, sorry recon CCA.

 

I understand that the data doesn't have to be provided in a particular format so long as it's understandable. As such the actual agreement may not be provided - though the data held within it could be provided albeit in a different format.

[goodatresearch]

Rather a weak argument. Its still personal data and therefore if they've retained the data it should be disclosed.

 

 

This was discussed fully some considerable time ago the scenario is not new.

 

 

 

One of the reasons I remember is that the agreement leaves the creditors hand when it is passed to the data subject at the inception of the account.

 

 

For more information you will need to look through the CAG archives.

[Peterbard]

Rather a weak argument. Its still personal data and therefore if they've retained the data it should be disclosed.

 

Indeed, and being one of the ones who discussed it I can tell you that the ourtcome was ot what the Brigg would have you believe.

 

The simple fact is that we are talking about different things, the DPA requirement is not concerned about the form of the document, rather what it contains, it can be a bus ticket or a contract, if it contains identifiable personal data it must be disclosed.

[Guest]

.... Its still personal data and therefore if they've retained the data it should be disclosed.

 

 

ditto. if an app'n form, or an actual agreement, exists and contains identifiable data (which it wld do ordinarily, as defined, eg name/address), then it is data subject to a dsar according to the ICO guide/flow chart on what is such data (which says for eg that statements wld be subject to dsar cause for eg they have a name/address on it). and so, shld be produced if in a 'relevant filing system' (which it wld be ordinarily).

 

its ironic. a cca request doesn't have to produce an actual copy of an application (which some rely on as the agreement), a recon wld suffice to satisfy such a request. but, a dsar 'should' produce such a copy. as you say caro, sometimes a dsar produces a copy form, which hasnt been forthcoming re a cca request.

[caro]

Some organisation do as a matter of course supply agreements with the SARs, but many others stick by the " no obligation" statement.

 

 

As there is no specific requirement with in the DPA compelling the supply of the agreement it's not a case of being allowed to withhold them rather the lack of any compulsion to do so.

 

There would be a compulsion if it was classed as personal data.

 

I wonder why some DO provide the agreement if they don't have to.

 

BTW andy I do understand what you mean, but not how it's not personal, but if it appears an application is.

Edited September 4, 2014 by caro

[BRIGADIER2JCS]

C page 27 is relevant I think.

[BRIGADIER2JCS]

There would be a compulsion if it was classed as personal data.

 

I wonder why some DO provide the agreement if they don't have to.

 

BTW andy I do understand what you mean, but not how it's not personal, but if it appears an application is.

 

 

Nowhere in the document posted here does is it stated specifically or even vaguely that a Consumer Credit Agreement is Personal Data.

 

 

I does I think follow that CCA 1974 provides for supply of regulated documents WITHOUT A SIGNATURE clearly places such document outside the realm of personal data.

 

 

I have in the past made CCA request on behalf of others and have always been supplied with the document (s) requested.

[Guest]

Nowhere in the document posted here does is it stated specifically or even vaguely that a Consumer Credit Agreement is Personal Data.

 

 

...

 

 

doesnt need to state specifically this document or that doc. if a doc has a name/address on it then it is identifiable, and therefore data as defined. the mention of statements is just a given eg in explanation.

[BRIGADIER2JCS]

doesnt need to state specifically this document or that doc. if a doc has a name/address on it then it is identifiable, and therefore data as defined. the mention of statements is just an eg in explanation.

Read the rest of my post Ford.

Agreements as such are not personal data I can make requests for such documents without having to justify my ID No Signature required for a CCA request???

[Guest]

Read the rest of my post Ford.

Agreements as such are not personal data I can make requests for such documents without having to justify my ID No Signature required for a CCA request???

 

 

read mine, and the ico guide/flow chart

lack of a sig re a cca request doesnt make it not personal data as defined by the ico re a dsar.

a copy statement can come from a cca request (i've had one), but yet the ico regard statements as data!

if just a recon of terms/conditions, then is unlikely to be 'data'.

[BRIGADIER2JCS]

read mine, and the ico guide/flow chart

lack of a sig re a cca request doesnt make it not personal data.

a copy statement can come from a cca request (i've had one), but yet the ico regard statements as data!

It is a requirement to send only a current statement of the "account" not historical data.

This changes nothing imo.

[Guest]

It is a requirement to send only a current statement of the "account" not historical data.

...

 

yes, thats what was sent (copy final statement signed) in respect of.

[Peterbard]

There would be a compulsion if it was classed as personal data.

 

I wonder why some DO provide the agreement if they don't have to.

 

BTW andy I do understand what you mean, but not how it's not personal, but if it appears an application is.

 

Yes the mention of whether the document is an agreement or a statement is a read herring. The only thing which is relevant is that the document contains personal data in relation to the data subject, if it does it must be disclosed. An agreement must of necessity contain the information about the DS so therefore...

 

There is o restrictions mentioned anywhere in the act which preclude agreements or indeed any other kind of document, unless sensitive material of course.

[Peterbard]

The thing is also that if a copy is requested under a SAR and none is available, they will not send a set of T and Cs, which may add to the confusion, because of course the T and cs do not contain personal data, this may lead I suppose to the mistaken belief that an sar cannot produce an agreement.

[Peterbard]

Nowhere in the document posted here does is it stated specifically or even vaguely that a Consumer Credit Agreement is Personal Data.

With respect this argument makes no sense. If a creditor wrights down particulars of a denbtor on a pice of paper and files it, it is personal data and is therefore required for disclosure, however if that piece of paper is an agreement it doesn't ?

[Mike_hawk]

Of the 3 related instances I've found cause to complain to the ICO it decided the businesses had not complied with s7 of the dpa when failing to include agreements.

 

However; each were ongoing disputes to which the businesses had made reference to the agreements in prior correspondence so would presumably have been within its control and easily accessible.

 

Logically, the application contains personal data, the agreement which underpins the future credit token etc is not necessarily so unless individually negotiated.