Should a CCA be provided under SAR? - discussion

[citizenB]

Some organisation do as a matter of course supply agreements with the SARs, but many others stick by the " no obligation" statement.

 

 

As there is no specific requirement with in the DPA compelling the supply of the agreement it's not a case of being allowed to withhold them rather the lack of any compulsion to do so.

 

I understand that the data doesn't have to be provided in a particular format so long as it's understandable. As such the actual agreement may not be provided - though the data held within it could be provided albeit in a different format.

 

This gives the bank/creditor the option to put right any defects the original might have had !

 

There would be a compulsion if it was classed as personal data.

 

COLOR="red"]I wonder why some DO provide the agreement if they don't have to.[ [/color]

 

BTW andy I do understand what you mean, but not how it's not personal, but if it appears an application is.

 

On behalf of OH, I made several SAR requests - only one bank provided a proper copy of the document. Of the others, CCA requests were made and only a couple of those were ever complied with through that.

 

IMHO, those banks who are reluctant to provide a copy of the agreement via either request, recognise that there is/could be something wrong with the document.

 

Not CCA compliant (Capone-B/shark-Halifax) or in the case where the document might be requested in respect of PPI - documents being pre ticked (MBNA/BOS) not being ticked by the consumer - yet PPI charged for (Halifax/Capone/B/shark) Or simply that there was never an agreement reduced to writing in the first place ? (HSBC-Store cards)

[BRIGADIER2JCS]

Isn't that what this discussion is about.

 

******* Creditors omit it not because if isn't personal data but because they won't admit they have it. Its called being dishonest. *********

 

 

A very sweeping and rather naïve comment I think.

 

 

Perhaps you would like to provide some proof ( reliable not a " one off event)

I'm personally having problems with a SAR, their data controller is stating they have no microfiche docs relating to a certain account at all and when I pointed out a microfiche doc re this account was provided as part of a CCA response, they have denied sending it at all.

 

Before any one says its off topic, it isn't, its very relevant to SAR requests generally, and especially requests for agreements. They don't provide them because it wouldn't serve their purpose and they don't give a toss about their statutory duties.

 

 

This seems like a grudge against banks rather than a valid discussion on the SAR situation.

 

 

What ever is said here will not alter the current situation, the obligation/compulsion to supply an agreement does not exist.

[sequenci]

This gives the bank/creditor the option to put right any defects the original might have had

 

Sure does.

 

I know a few data controllers and some of the stuff they do is a little, er, naughty. (None of them work in financial services for the record).

[goodatresearch]

Oh dear, dear me. You have not provided any sensible or logical argument to support the rather bizarre argument that an agreement is not personal data so you resort to personal attacks, accusing me of being naive and having a grudge. You also seem to be always justifying banks dodgy dealings, yet again your saying my experience is a one off event (a different post).

 

In the real world, people dont go over the hill blindly and without question. Being annoyed when financial institutions dont comply with their statutory duties is not having a grudge. If we didn't question these things there would have no need for CAG to exist.

 

Everything iv said is valid to this SAR discussion. Unfortunately for the bank the data controller has contradicted herself in writing on more than one occasion and this serves my purpose, so if I have been niave and grudging as you say, its worked for me.

 

 

 

 

 

 

 

 

 

 

 

This seems like a grudge against banks rather than a valid discussion on the SAR situation.

 

 

What ever is said here will not alter the current situation, the obligation/compulsion to supply an agreement does not exist.

[BRIGADIER2JCS]

Oh dear, dear me. You have not provided any sensible or logical argument to support the rather bizarre argument that an agreement is not personal data so you resort to personal attacks, accusing me of being naive and having a grudge. You also seem to be always justifying banks dodgy dealings, yet again your saying my experience is a one off event (a different post).

 

In the real world, people dont go over the hill blindly and without question. Being annoyed when financial institutions dont comply with their statutory duties is not having a grudge. If we didn't question these things there would have no need for CAG to exist.

What ever you say here the simple fact is there is no specific compulsion/obligation on a creditor to supply an agreement with a SAR.

 

 

So ranting on here will not help, go and do your research, contact the ICO as I did then post some real data here!

[goodatresearch]

Follow your own advice, read post #73.

 

 

This discussion concerns what should be provided following a SAR, specifically should agreements be provided. When people disagree with you and provide examples of their personal experiences it is not ranting.

 

After doing my research and repeatedly asking the bank difficult questions, they have put their foot in their mouth on more than one occasion, all in writing. In particular, the microfiched doc they sent as part of the CCA response, the one the data controller is stating doesn't exist as destroyed years ago, the one their CCA department are saying they didn't send, is mentioned in their CCA response letter. Many people would

conclude that this shows the banks attitude towards complying with their statutory duties. Of course I could complain to the ICO, I certainly have enough documentary evidence, but it doesn't serve my purpose at the moment. If my position changes I will of course update.

 

 

What ever you say here the simple fact is there is no specific compulsion/obligation on a creditor to supply an agreement with a SAR.

 

 

So ranting on here will not help, go and do your research, contact the ICO as I did then post some real data here!

[BRIGADIER2JCS]

Post 73 says nothing we don't already know the ICOs " take " is and always has been vague as I have said before.

 

 

If you want to attempt to get the ICO to suggest a change in DPA 1998 to compel supply of the agreement go ahead good luck.

[goodatresearch]

Good heavens, your arguments get more and more convoluted.

 

DPA 1998 is quite clear. ANY document in a relevant filing system where the data subject can be identified should be disclosed. The ICO are only concerned with the provisions of this statute so if the bank says they have the agreement and its in a relevant filing system, it would be difficult to argue that they don't have to disclose it following a SAR.

 

 

I am more than well aware that the ICO can't be asked to change the statutes provisions. For your information, that's not how the law works. However its all about interpretation and this can develop over time. For example, the ICO only relatively recently ruled microfiched docs are in a relevant filing system and should be disclosed.

 

I at no point said I have evidence that they have the CCA and they therefore should disclose it following my SAR. They don't have it. I have deliberately not disclosed all my issues with the bank because it would not be sensible at this time. Eventually I will start a thread, but when the timing is right.

 

 

 

 

 

Post 73 says nothing we don't already know the ICOs " take " is and always has been vague as I have said before.

 

 

If you want to attempt to get the ICO to suggest a change in DPA 1998 to compel supply of the agreement go ahead good luck.

[BRIGADIER2JCS]

Good heavens, your arguments get more and more convoluted.

 

DPA 1998 is quite clear. ANY document in a relevant filing system where the data subject can be identified should be disclosed. The ICO are only concerned with the provisions of this statute so if the bank says they have the agreement and its in a relevant filing system, it would be difficult to argue that they don't have to disclose it following a SAR.

 

 

I am more than well aware that the ICO can't be asked to change the statutes provisions. For your information, that's not how the law works. However its all about interpretation and this can develop over time. For example, the ICO only relatively recently ruled microfiched docs are in a relevant filing system and should be disclosed.

 

I at no point said I have evidence that they have the CCA and they therefore should disclose it following my SAR. They don't have it. I have deliberately not disclosed all my issues with the bank because it would not be sensible at this time. Eventually I will start a thread, but when the timing is right.

 

 

 

I have asked the Information Commissioner to elaborate/explain the anomaly and will post the answer he when received.

 

 

Action - v- Rant !!!

 

 

Unsubscribing! As I see from this post this is all about your own problem not about any form of discussion, the fact now emerges that in your case the agreement is not available

anyway.

So you mislead contributors here and the "bank" you have a problem with.

[citizenB]

Why is it, whenever a serious discussion thread is started, it descends into a mud slinging competition ?

 

And BTW, that was a rhetorical question and does not require anyone to respond with the usual... "it wasn't me guv" !!

[goodatresearch]

I rang the ICO and the person I spoke to said personal data in a relevant filing system should be disclosed, they don't care what the doc is. Of course, it depend on who you speak to I suppose and how you ask the question. I asked whether there was any personal data in a relevant filing system that can be omitted, the answer was no.

 

Why have I misled anyone, it was the bank that told me they haven't got the CCA after I had made my S78 and SAR. I have a legal right to make a SAR and S78 CCA request regardless of my motives.

 

 

 

 

I have asked the Information Commissioner to elaborate/explain the anomaly and will post the answer he when received.

 

 

Action - v- Rant !!!

 

 

Unsubscribing! As I see from this post this is all about your own problem not about any form of discussion, the fact now emerges that in your case the agreement is not available

anyway.

So you mislead contributors here and the "bank" you have a problem with.

[goodatresearch]

I personally think the problem is that although they should disclose the CCA if its in a relevant filing system, they can simply say they don't have it and if they ever take you to court for non payment, provide witness statements saying there would have been one at inception. That's why its a good idea to get all your ducks in line and that can include making a SAR. The results can be very revealing.

[caro]

Thanks for letting us know your personal experiences goodatresearch. For me sharing experiences is one of the strengths of cag as people can often relate to that more easily than the law if inexperienced, which most of us are.

 

I can quite understand there is no requirement for a recon because that suggests the original doesn't exist so can't be supplied, but would be reproduced for a cca request.

[goodatresearch]

And that's the problem with the recons isn't it.

 

For example, their records might say you've had a visa card since

1995, but the records might not show whether you signed a fully compliant agreement in 1995. They just send you a copy of a visa agreement that was in place in 1995. They take you to court and provide witness statements saying that you wouldn't have been given a card without an agreement being signed. But some court cases have shown that these witness statements are far from accurate. There was a case, were a bank argued an agreement was obtained, but the defendant produced a letter from the bank stating that the account was being closed and here's your card for a new account. Their witness statement therefore was not accepted.

 

 

I personally believe that making a SAR before court action is a very good idea. Even if they don't provide a copy of the CCA theres sometimes very good information in the results that you can use to your advantage later.

 

 

Thanks for letting us know your personal experiences goodatresearch. For me sharing experiences is one of the strengths of cag as people can often relate to that more easily than the law if inexperienced, which most of us are.

 

I can quite understand there is no requirement for a recon because that suggests the original doesn't exist so can't be supplied, but would be reproduced for a cca request.

[caro]

If creditors can't provide generic t&c's for specific points in time, it beggars belief that they can accurately reconstitute individual agreements. That's another matter though.

[Guest]

caro

 

it is odd. under one cca request i got a recon. no signed copy application that they said happened and relied on as the agreement (led me to believe that they didnt have it). yet under a subsequent dsar, one was produced (albeit deficient)! seems maybe sometimes they just cldnt be bothered to look for one under the cca request and just send a recon?

but yes, under a dsar, a generic (not identifiable) recon wldnt be forthcoming. unless perhaps individual as mike hawk posted.

[ims21]

And that's the problem with the recons isn't it.

 

For example, their records might say you've had a visa card since

1995, but the records might not show whether you signed a fully compliant agreement in 1995. They just send you a copy of a visa agreement that was in place in 1995. They take you to court and provide witness statements saying that you wouldn't have been given a card without an agreement being signed. But some court cases have shown that these witness statements are far from accurate. There was a case, were a bank argued an agreement was obtained, but the defendant produced a letter from the bank stating that the account was being closed and here's your card for a new account. Their witness statement therefore was not accepted.

 

 

I personally believe that making a SAR before court action is a very good idea. Even if they don't provide a copy of the CCA theres sometimes very good information in the results that you can use to your advantage later.

 

Valid points.

 

I would certainly agree that a SAR is appropriate before court action....it is too late when the claim form drops on your doormat.

 

Your points about recons are also valid but maybe not for this thread. Clearly nothing much can be done about the principles of recons unless someone can get the court ruling overturned or superseded.

 

I have to say that I did get a copy of my agreement when I did my SAR to HFC back in 2011. It was the first document on the top of the huge pile of stuff.

 

There are some interesting arguments being put forward on this thread, some more credible than others but that is always the case with a discussion.

 

Given that the DPA is a distinct piece of legislation and sets out what "data" is then I would suggest that if an agreement exists, conforms to the definition of personal data and is in a relevant filing system, it falls within the scope of data to be disclosed.

 

People should, in my view, be encouraged to challenge the lender if it is not supplied. It costs nothing (well pennies) but puts some pressure on the lenders.

 

It is rather like them only providing data for the last six years thinking they can get away with it. In reality we know that they hold data going back far beyond six years and there are many many cases n CAG where these institutions have been pressed for older data and have coughed it up.

 

It is a real shame that Joe Public has to press these outfits to divulge what they are required to do by legislation.

 

I guess we should not expect open, transparent and honest dealing with banks and other lenders..... that would be too much to ask.

[goodatresearch]

Completely agree with everything you've said.

 

I'm a great believer in continually challenging the lender. Put it this way, if you keep asking for the agreement as part of your SAR and they put in writing on more than one occasion they don't have it in any form and they then produce it in court, I'd be asking where it was stored. If it was stored in a relevant filing system, for example they provide a microfiched copy, their credibility is going to go down the pan rapidly.

 

Valid points.

 

I would certainly agree that a SAR is appropriate before court action....it is too late when the claim form drops on your doormat.

 

Your points about recons are also valid but maybe not for this thread. Clearly nothing much can be done about the principles of recons unless someone can get the court ruling overturned or superseded.

 

I have to say that I did get a copy of my agreement when I did my SAR to HFC back in 2011. It was the first document on the top of the huge pile of stuff.

 

There are some interesting arguments being put forward on this thread, some more credible than others but that is always the case with a discussion.

 

Given that the DPA is a distinct piece of legislation and sets out what "data" is then I would suggest that if an agreement exists, conforms to the definition of personal data and is in a relevant filing system, it falls within the scope of data to be disclosed.

 

People should, in my view, be encouraged to challenge the lender if it is not supplied. It costs nothing (well pennies) but puts some pressure on the lenders.

 

It is rather like them only providing data for the last six years thinking they can get away with it. In reality we know that they hold data going back far beyond six years and there are many many cases n CAG where these institutions have been pressed for older data and have coughed it up.

 

It is a real shame that Joe Public has to press these outfits to divulge what they are required to do by legislation.

 

I guess we should not expect open, transparent and honest dealing with banks and other lenders..... that would be too much to ask.

[goodatresearch]

They wouldn't send a recon following a SAR but the argument here is that if the data subject can be identified in the document and its in a relevant filing system, it should be provided.

 

I truly believe that in some cases they can't be bothered looking for the CCA so they send a recon, which of course they can do (following a CCA request), but in other cases they know the CCA is defective so they don't send it.

 

 

caro

 

it is odd. under one cca request i got a recon. no signed copy application that they said happened and relied on (led me to believe that that they didnt have it). yet under a subsequent dsar, one was produced (albeit deficient)! seems maybe sometimes they just cldnt be bothered to look for one under the cca request and just send a recon?

but yes, under a dsar, a generic (not identifiable) recon wldnt be forthcoming. unless perhaps individual as mike hawk posted.

[Guest]

They wouldn't send a recon following a SAR but the argument here is that if the data subject can be identified in the document and its in a relevant filing system, it should be provided.

 

I truly believe that in some cases they can't be bothered looking for the CCA so they send a recon, which of course they can do (following a CCA request), but in other cases they know the CCA is defective so they don't send it.

 

agree, thats what i posted before.

 

the only way can see the Brigs argument is re pedantics ie a specific named document.

(i asked him yonks ago about his q to the ico on this and what was the ico's full response, he said he was going to post it up but nothing was forthcoming),

but, as has been said on thread, the dpa doesn't mention any specifics as such, just maybe eg's in the guide etc such as statements. as has been said on thread, depends what they are asked.

the ico guide and flow chart for data controllers explains it all. (available on the ico site). imo

[goodatresearch]

Its nice to see there are some posters who want a proper discussion and respond to posts with respect and logic.

 

I've spoken to the ICO helpline and they weren't interested in the provisions of CCA 1974 and said they were only interested in the provisions of the DPA - can the data subject be identified within the doc and is it in a relevant filing system, if yes it should be disclosed.

 

 

 

agree, thats what i posted before.

 

the only way can see the Brigs argument is re pedantics (i asked him yonks ago about his q to the ico on this and what was the ico's full response, he said he was going to post it up but nothing was forthcoming). ie a specific document. but, as has been said on thread, the dpa doesn't mention any specifics, just maybe eg's such as statements. as has been said, depends what they are asked.

the ico guide and flow chart for data controllers explains it all. (available on the ico site). imo

[citizenB]

I am trying to understand what is a "non relevant" filing system ?

[BRIGADIER2JCS]

I am trying to understand what is a "non relevant" filing system ?

It's explained in " Key definitions of the Data Protection Act."

 

 

It's in the usual ICO vague manner.

[goodatresearch]

The ICO consider that relevant filing systems exist where records relating to individuals are held in a sufficiently systematic structured way to allow easy access.

 

Now what you have to understand that any statute is open to interpretation and decisions in this area can develop and alter over time. Following Durant v FCA 2003, the ICO narrowed its interpretation and decided that most manual records didn't fall under the scope of the act I.e not in a relevant filing system.

 

However in 2006, following a complaint against Barclay's who argued microfiche docs were not in a relevant filing system so wouldn't be disclosed (as they are manual records), the ICO reviewed barclaycards systems in operation. The upshot was that they changed there interpretation and concluded that microfiched docs should be disclosed.

 

 

I thing the emphasis is on whether the data subject can easily be identified in their systems and therefore easy to get hold of.

 

 

 

 

 

I am trying to understand what is a "non relevant" filing system ?

[Peterbard]

Its nice to see there are some posters who want a proper discussion and respond to posts with respect and logic.

 

I've spoken to the ICO helpline and they weren't interested in the provisions of CCA 1974 and said they were only interested in the provisions of the DPA - can the data subject be identified within the doc and is it in a relevant filing system, if yes it should be disclosed.

 

Yes this is the response I got some years ago(as said much earlier in this thread) when this was argued, the chap I talked to admitted that he would not know what the requirements of the cca were in any case.

 

Perhaps it was the same bloke

Edited September 10, 2014 by Dodgeball
were