HSBC Going to Court to obtain my data!??

[craigten]

Hi, please can anyone give me the address that i need to send my s.a.r to hsbc please?

[yourbank]

Hi, please can anyone give me the address that i need to send my s.a.r to hsbc please?

HSBC BANK PLC

Address:

8 CANADA SQUARE

LONDON

E14 5HQ

[johnnymitch]

Or you could send it direct to where it will end up :

 

UK Data Protection Compliance

HSBC Bank plc

Griffin House

4-01, 41 Silver Street Head

Sheffield

S1 3GG

[yourbank]

excellent. Gotta say I took the address from the register of data controllers from the ICO but i haven't done a sar to HSBC so the OP should use the address you have given.

[craigten]

Hello.

Many of us suspect that banks hold information on us that go back beyond the 6 year statutory limit but when you send a SAR, that’s usually all they send you. I was wondering - has anyone complained to the ICO about this and have the ICO checked it?

[BankFodder]

I have no idea where you come up with this idea of a six-year statutory limit.

 

There is no such limit. If you supply a subject access request then the institution that you are dealing with is required to supply all data which they hold on you – regardless of the age of it.

 

Of course some of the banks have been up to dirty tricks. In the past, Santander, Barclays, Lloyds have tried to withhold data that is older than six years. Some of them have said that they no longer hold it. In fact all of these institutions hold data going back at least two the year 2000 and in fact about 10 years ago I interviewed a woman who had previously worked for the archive centre of the Abbey National – subsequently Abbey – subsequently Santander and she told me that they kept all their data going back to 1933 at an archive centre in Leighton Buzzard.

 

I have no idea whether this still exists or has been destroyed. NatWest and RBS have an archive centre somewhere – but I can't remember where. Lloyds have an archive centre in Andover and if you search this form for Lloyds and Andover, you will find the address because I posted it up 2 or 3 times now.

 

Quite recently I spoke to some Lloyds staff at their PPI centre and one of them told me that she herself didn't realise that they kept data older than six years. She was under the impression that it was no longer available because it had been destroyed. These are the kind of dirty tricks that Lloyds plays on its customers and they manipulate their own staff in order to achieve their ends.

[craigten]

Brilliant, thank you. The bank concerned is HSBC and the loan was, unfortunately, back in 1998. I have once, many years ago, sent a SAR and they said something like they only keep it for six years. So, if I do it again and get the same answer, what then, please? Also, do Experian, etc keep records going back that far?

[BankFodder]

Do you have a copy of the letter in which they said that they only keep data for six years?

[craigten]

Oooh.....let me take a look....

[craigten]

Apologies for this, I cannot find them.

However, could someone point me towards the appropriate SAR to send HSBC for my data on this wonderful site. I am unable to find it, but then my navigation skills are not good....they're awful!!!

[dx100uk]

just click sar in your post

[craigten]

Do you have a copy of the letter in which they said that they only keep data for six years?

 

Although I am sending an SAR by post,

I rang HSBC up earlier and it took 30 minutes for the person to tell me that they can see that I have had 5 loans and one 'Flexiloan' account,

he could only see the dates of 5 May 2004 and 7 December 2015 and said that he will "pass on the request for more details,

including whether or not I had PPI to the 'Specialist Team' to double check"

and noted that HSBC had sent me a letter in 2013 declaring that they could see that I had loans

, due to the Data Protection Act,

they do not hold data for more than six years'.

 

I have asked for a copy of this letter to be sent again to me.

 

Thoughts?

[dx100uk]

you are talking here about HFC or beneficial finance you

 

dx

[craigten]

hsbc.

[craigten]

Do you have a copy of the letter in which they said that they only keep data for six years?

 

Finally got this for you....and then some:

 

Don't hate me for this but before I get around to sending a SAR, I just thought, out of curiosity, I would try them direct.

 

This is what I received - they include the quotes 'ensure records are identified and securely retained for the appropriate period of time, and destroyed / deleted in a controlled manner on expiry of the retention period' and

 

'Please note that we only hold paperwork for the last 6 years in accordance with The Data Protection Act'.

 

Your thoughts, please?

 

Links to letters here:

https://drive.google.com/open?id=1-inVQ2twccx-eXP-aGMGSRWCr59mT1p1

 

https://drive.google.com/open?id=1qwIWqa_0MtIoGxQj06W857oZ8sBISGZo

[dx100uk]

those the exact words used to IMS21 and myself from HFC back in the day. [which is why I mentioned them]

 

we actually found out that they had not destroyed the data outside of 6yrs at all.it was a lie!.

 

if remember correctly we both sent a request in for a signed certificate of destruction from the data controller guaranteeing that the data has been securely destroyed, they then suddenly found it all.

[craigten]

That is just wonderful!!!

SAR it is then. However, I think I'll send that letter to the Data Controller....just got to find out who it is!!

 

However, now due to GDRP, won't Banks be jumping to attention and actually deleting all this data (for their own benefits)?

[craigten]

Sorry for the delay here, is this what I should now do?

 

I have sent an SAR by Recorded Delivery last week but I'd like to address this letter, if I can.

 

Is there a specific template to ask for proof that they have destroyed / no longer have the data?

 

As soon as you let me know, I'll get on it!!

[dx100uk]

Exhaust Sat 1st

[craigten]

Exhaust Sat 1st

 

???

[dx100uk]

autocorrect strikes again

exhaust the SAR process 1st

[craigten]

Update here:

On 7th January I sent the following SAR to HSBC by 'signed for' post:

HSBC Bank Plc

8 Canada Square,

London,

E14 5HQ

 

 

7th January 2019

 

 

Dear Sir/Madam

 

 

GENERAL DATA PROTECTION REGULATIONS - SUBJECT ACCESS REQUEST

ACCOUNT /REF NUMBER xxx

 

[template removed - please read its top line! - dx]

 

Up to this point, all I have received are two letters both addressing a loan each but both stating that they no longer have records of them. This is not what I asked for.

The latest letter, received this week, is below:

 

(I tried to upload it as a PDF after I had converted it but I received a message saying that 'you do not have permission to upload that file or format'??)

jpg2pdf.pdf

Edited February 9, 2019 by dx100uk
merge/template removal

[BankFodder]

There is no provision in the data protection act that says that data must be destroyed after six years. It simply requires that data is not held longer than is necessary.

 

Is the account you are referring to closed or not closed? Are you currently a customer of this bank?

[craigten]

Thank you.

I am still a customer. I have more than one account with them. Of the six different 'loan accounts', I still have one, I think.

I'm quite cheesed off that they seem to be viewing the SAR as simply a token request for details of the loans. Am I being too sceptical here....or do they know exactly what they are doing here?

[BankFodder]

You can try something like this:

 

Dear Sir,

 

Thank you for your letter of the XXX date.

 

You claim that you no longer have the data I require because you are required by the data protection act to destroy it after six years.

You should understand that I'm fully aware that the data protection act contains no such provision – but if you insist that it does then please let me know the particular section of the Data Protection Act which contains the obligation.

 

Accordingly I reject your position that you do not have the data and I believe that you are withholding the data from me because you feel that it would be disadvantageous to you to provide it to me. It maybe that the data is within some archive service and of which you are fully aware.

 

If it is your position that the data has been destroyed then please will you provide a certificate of destruction from your data controller.

 

I should warn you that I am sending your letter of the XXX date containing your misleading information about the Data Protection Act to the information Commissioner as part of the complaint.

If you do not provide me with a certificate of destruction signed by your data controller then I will add that to the information Commissioner's complaint as well.

 

I would also remind you that you have a duty to treat your customers fairly and in particular to communicate with them fairly. This is a statutory duty created by the Financial Conduct Authority.

 

By attempting to mislead me as to your Data Protection obligations, you are already in breach of your statutory duty. It would now be helpful if you would begin to treat your responsibilities according to law in order to avoid further complaints.

 

Yours faithfully

 

 

 

copy to the data controller