Barclaycard SAR Non-compliance defence in full

[noomill060]

Here are my PoCs and Barclaycard's defence in my claim against Barclaycard for non-compliance of my S.A.R - (Subject Access Request) of last October.

 

I have now recieved all the data I requested and all that remains is my claim for damages. Maybe I should quit while I'm ahead? £200 is pushing it a bit! The full hearing is on May 15.

 

Barclaycard have offered to pay my Court fee of £36.

 

I have offered to accept my statements from 1986 in lieu of damages claimed. They have told me that these are not available as they only keep copy statements for a period of 6 years. They have not said that this data has been destroyed.

 

 

 

PARTICULARS OF CLAIM

 

1. The Respondent is a Data Controller within the meaning of the Data Protection Act and is responsible for the processing of data of which the Applicant is a Subject.

 

2. The Applicant had an account number XXXXXXXXXXXXXXXX("the Account") with the Respondent which was opened on or around December 1999

 

3. On 4 October 2006 the Applicant sent a Subject Access Request, pursuant to Section 7 of the Data Protection Act 1998 to the Respondent .

 

4. The Respondent has failed to comply, despite being directly instructed to do so by the Information Commissioner on or around 4 January 2007.

 

5. By virtue of the Respondent's failure to comply with the Subject Access Request the Applicant has suffered damage.

 

6. The damage caused is:

 

Extra costs incurred in addition to Court costs, due to the Respondent’s failure to comply- this includes the cost of additional correspondence and time spent preparing documents and seeking legal advice. I estimate this cost to be £200.

 

7. The Applicant seeks an order that the Respondent do comply with the Applicant’s Subject Access Request

 

8. Under the terms of Section 15(2) of the Data Protection Act 1998, where the Respondent contests that information requested under the Applicant’s Subject Access Request is not included within the scope of Section 7 of the Data Protection Act 1998, the Applicant requests that the Court inspects that information, and where it finds that the Respondent's opinion is unfounded, that it orders such information be included within the information supplied to the Applicant under his Subject Access Request.

9.The Applicant notes that, in the view of the Information Commissioner, it is likely that the respondent has contravened the sixth data protection principle, as this requires data controllers to process personal data in accordance with data subjects right’s.

10. Applicant claims:

(a) £200 extra costs incurred in addition to Court costs due to the Respondent’s failure to comply with the Applicant’s Subject Access Request.

b)£6.56 interest under the 1984 County Court Act rate of 8%, increasing at a daily rate of £0.05 per day until settlement.

11. Settlement to be made in the form of cleared funds drawn on a cheque or banker’s draft, to be received within 7 days of decree.

 

12. Damages and costs within the discretion of the Court.

 

I believe that the contents of these particulars of claim are true

 

Signed:

 

 

Date:

 

 

 

 

 

Barclaycards defence. James, Boston & Sullivan, Solicitors, Belfast.

 

1) Save for any admissions made in this defence, Claimant's Claim is denied and the Claimant put to Strict Proof.

 

2) As regards paragraph 1 of the Claimant's PoC, no admissions are made.

 

3) It is admitted that the Claimant has a Barclaycard account with the Respondent.

 

4) As regards paragraph 3 of the Claimants PoC, it is admitted the claimant made a SAR to the Respondent of copies of statements of his account, some of which were dated prior to May 2004. The Respondent supplied and is willing to to supply copies of statemenst from May 2004 onwards for a fee not exceeding the prescribed maximum under the Data Protection Act 1998 of £10. However for statements dated prior to May2004, the Respondent advised the Claimant that a charge of £3.00 was required for each statement due to such statements not being held in a relevant structured filing system within the meaning of the DPA 1998 (the Act)

 

5) As regards paragraph 4 of the Claimant's PoCs, the respondent denies being directly instructed by the Information Commissioner to comply in or around 4 Jan 2007. Furthermore. in the alternative if the Respondent was instructed by the Information Commissioner to comply in or around 4 han 2007 (which is denied), the Respondent would intend that it has complied.

 

6) As regards paragraph 5 and 6 of the Claimant's PoC, these are denied by the Respondent and the Claimant is put to Strict Proof. It is denied that the Claimant has suffered damage; and that the Respondent would put the Claimant to Strict Proof as to his alleged loss and the steps taken to mitigate the alleged loss. The Respondent will contend that it complied with the Claimant's SAR and is willing to supply copies of the statements prior to May 2004 for payment by the Claimant of the required fee. The Respondent will contend that in the circumstances it is not liable for for extra costs set out by the Claimant as alleged at all and that such costs are unreasonable and the Claimant is not entitled to such alleged costs.

 

7) As regards Paragraph 7 of the Claimants PoC, it is denied that the claimant is entitled to an order. The Respondent will contend inter alia that the Claimant's SAR as regards provision of copy statements prior to May 2004 falls outside the scope of section 7 the Act.

 

8) As regards paragraph 8 of the Claimant's PoC, no admissions are made by the Respondent. The Respondent will contend that the Claimant's SAR as regards provision of copy statements prior to May 2004 falls outside the scope of section 7 the Act.

 

9) As regards the Claimant's particulars in paragraph 9, the Respondent denies that it has contravened the Sixth Data Protection Principle and puts the Claimant to Strict Proof in support of such an allegation.

 

10) As regards paragraph 10 (a) and (b) of the Claimant's PoC, the respondent reapeats paragraph 6 of this defence, namely that the Respondent denies that the Claimant has suffered any loss as alleged or at all and put the Claimant to Strict Proofs of any allegations of loss or damage and also as to what steps have been taken to mitigate any alleged loss or damage.

 

11) As regards paragraph 11 of the Claimant's PoC, the Respondent would contend that such settlement method pleaded by the Claimant is unreasonable and should not be granted by this Honourable Court.

 

12) As regards paragraph 12 of the Claimant's PoC, the Respondent would contend that the discretion of this Court should not be exercised since it is contended that the claimant's claim is groundless and he has suffered no loss or damage.

[GaryH]

See this thread - http://www.consumeractiongroup.co.uk/forum/abbey-cahoot-successes/43925-garyhs-oh-abbey-non.html

 

Also A couple of Glenn's will be useful to you - Glenn v Abbey and Glenn v Coop I think.

[noomill060]

Thanks glenn!

[hephalump]

Thanks for input yesterday have a few interesting titbits on lickthewallfatboy link if you wish to check it out

[noomill060]

Well sent the ICO a copy of Barclaycard's defence and within minutes had an email back from the caseworker to tell me she had been in contact with Barclaycard who have once again promised to provide the statements.

 

Reference RFAXXXXXXX

Dear Noomill060

I am writing in response to the emails you sent to my colleague, Matthew Negus, regarding the subject access request made to Barclaycard.

As a result of your correspondence I have contacted Barclaycard who informed me that they were not aware that you were missing any statements.

However I have provided them with the list of missing statements that you included in your email received earlier on today and they have confirmed that they will request these statements for you again and will ensure that they are sent to you as soon as possible. They have confirmed that they do not expect any fee for this.

I will contact you again once I have received confirmation from Barclaycard that the missing statements have been sent.

Yours sincerely

Laura Hennessy

Casework and Advice Officer

[hephalump]

HI Noomill060

Hephalump here long time no talk. Got 6 years back statements for one account hooray!!! But had asked for ones on another account which became redundant last year and have been told noway can I GET THEM AS THEY HAVE CHANGED THEIR SYSTEM-don't know where to go with this. Any ideas?

[noomill060]

You should complain to the ICO if they are passed the 40 days for compliance.

[Paintball]

Sorry to hijack this thread. I am sending LBA to Barclays for non-compliance of DPA. I will then go to court and issue N1 for non-compliance. However,

I am asking for details of TWO a/cs; an old Barclaycard and a closed student a/c. How will this affect my N1, do I need to file two N1s, one for each a/c?

 

Thanks ...

[noomill060]

Depends what your SAR said.

[Paintball]

My SAR requested details for both closed a/cs. I gave the a/c number for the Barclaycard a/c and as much detail as I had for the old closed student a/c.

 

I sent one cheque for £10 as I understand that this is all I need to provide for disclosure of all information on me held by this organisation.

[noomill060]

In that case, no, you only need to file one Small Claim. Good luck, you wont need it though. They will crumble at the last minute.

 

Just remember to claim an amount for damages as well.

[Paintball]

Noomill, thanks for the quick reply to my question. You're a star.

 

I've been following your other thread avidly as it provides useful info on how to deal with this prob and has helped me loads.

[noomill060]

Glad you've found it useful, paintball!

 

They really haven't got the paintballs to show their face in Court, just keep up the pressure and they will coff up.

 

Ruffhead is full of sh!te.

[noomill060]

But make an official complaint to the ICO as well. They will take action against them.

 

My Woolwich (owned by Barclays) SAR was ignored and Barclays is now facing some serious compliance action from the ICO.

[Paintball]

But make an official complaint to the Information Commissioners Office as well. They will take action against them.

 

My Woolwich (owned by Barclays) S.A.R - (Subject Access Request) was ignored and Barclays is now facing some serious compliance action from the Information Commissioners Office.

 

Noo, yes I have stated in my LBA to Barclays that I will be both going to court and begining a complaint to the ICO.

 

Please can I ask one more Q here? Anticipating my POC and naming the two accounts, how would I list these?:

 

2. The Claimant (has/had) an account number (Insert Account Number) ("the Account") with the Defendant which was opened on or around (Insert date) (and closed on or around (Insert date)).

Would I put a/c XXXXX and then refer to the unknow a/c number for the Student Account?

Hmnnnnn?

[noomill060]

You could simply say that

 

2. The Claimant (has/had) two accounts number (Insert Account Number) ("the Accounts") with the Defendant one of which was opened on or around (Insert date) (and closed on or around (Insert date) The second account was opened on or around (insert date) Applicant is unable to recall the number of the second account).

 

The Data Protection Act refers to all personal data held on you by organisations, the fact you cannot recall the account number isnt really relevant. Your name and date of birth will suffice

[Paintball]

You could simply say that

 

2. The Claimant (has/had) two accounts number (Insert Account Number) ("the Accounts") with the Defendant one of which was opened on or around (Insert date) (and closed on or around (Insert date) The second account was opened on or around (insert date) Applicant is unable to recall the number of the second account).

 

The Data Protection Act refers to all personal data held on you by organisations, the fact you cannot recall the account number isnt really relevant. Your name and date of birth will suffice

 

Thank you very much for this Noo, it will do nicely Had a busy day today, nice win from Cap One from my N1 (blows smoke from her gun) watch out Barclays, here I come ...

[noomill060]

Yay!

 

Have fun making Bcard's life a little less comfortable!

[Guest ChloeJane]

Hi All on this thread - really just wanted to post and clarify things for all that view this -

 

Subject Access Requests

 

The Data Protection Act that you are making your request under is here.

 

Data Protection Act 1998

 

The data controller is entitled to ask for a fee of £10 and two further pieces of information. Firstly, the data controller must satisfy himself that the person making the request is, in fact, the data subject. The use of a subject access request form is advised, since the greatest breach of a data controller's security is for the data controller to satisfy a subject access request made by a person impersonating the data subject. The use of the form goes towards proving that the data controller has adequate identification and verification procedures in place. Secondly, the data controller is entitled to ask the data subject for further information to enable the data controller to locate the information which that person seeks.

 

When the last of these three pieces of information has been obtained, the forty day period starts to run. It is advisable to put procedures in place to ensure that the receipt of the request and the further information is correctly dated so that an organisation knows how long it has to satisfy the subject access request.

 

Requirements

 

 

A data controller is not obliged to supply any information under subsection (1) unless he has received-

 

a) a request in writing, and

 

(b) except in prescribed cases, such fee (not exceeding the prescribed maximum) as he may require MAX £10

 

http://www.consumeractiongroup.co.uk/forum/bank-templates-library/516-1-data-protection-act.html

 

Points to remember

 

(3) A data controller is not obliged to comply with a request under this section unless he is supplied with such information as he may reasonably require in order to satisfy himself as to the identity of the person making the request and to locate the information which that person seeks.

• 10) "the relevant day", in relation to a request under this section, means the day on which the data controller receives the request or, if later, the first day on which the data controller has both the required fee and the information referred to in subsection (3).

Where to send

 

The DATA CONTROLLER is on record with the Information Commissioners Office, usually based at the Head office of the Bank.

 

You need to send the Subject Access Request addressed to

 

DATA CONTROLLER

BANKS HEAD OFFICE ADDRESS

 

(Excluding Clydesdale and Yorkshire Bank) - Send to Leeds Address

 

* Misconception is that you can send it to your branch. This is not where the data controller is registered - so if you do or have done, then allow for the mail to reach the right person - i.e max 7 days.

 

Postage

 

Ensure you keep proof of postage!

 

Can I claim on a closed account?

 

Yes. When claiming on a closed account - try to put in the Branch that the account was opened at - your address at the time of opening the account - the account number if you have it (you do not need to have this!) or any other details so they can locate information about the account.

 

What happens if the 40 days are up

 

If you sent the letter to the data controller - wait 47 days. This gives ample time for the data controller to have identified you.

 

Then send the letter of non compliance as the link below shows and ensure again it is addressed to the DATA CONTROLLER.

 

http://www.consumeractiongroup.co.uk/forum/bank-templates-library/6986-data-protection-act-non.html

 

How long do I allow after the letter of non compliance

 

Allow 10 days, again to ensure that the Data Controller has identified you as the data subject making the request or following up items not received.

 

What if i only get part of what I asked for - ie missing statements or years missing.

 

This is then non compliance and you need to send the letter here.

 

http://www.consumeractiongroup.co.uk/forum/bank-templates-library/6986-data-protection-act-non.html

 

Use template 1.

 

Wait 10 days.

 

I have allowed all the time it is now 57 days, what can I do.

 

You can file against them for non compliance and have allowed ample time for them to comply. They are definately in breach of the act and as your claim cannot begin till the statements arrive, it is important to wait till this time before filing.

 

You are then deemed reasonable to take court action as at 40 days from identification your information by law should have been with you. You have now allowed a reasonable period of time and can either make a complaint to the commissioners office.

 

Data Protection Complaints – Information Commissioner’s Office (ICO)

 

or

 

You can file an N1 in court - for non compliance. Link below

 

http://www.consumeractiongroup.co.uk/forum/bank-templates-library/6971-data-protection-act-non.html

 

Is there a cost?

 

Yes - COST £35

 

Can I claim it back?

 

YES - you can claim this back from the Bank for non compliance.

 

Can I claim costs for my time and inconvenience?

 

YES - for the inconvenience of having to file, looking for information and time taken to complete the form, find your rights, contact the bank to this point and the general cost of expenses of printing etc. £20 -£25 is reasonable as the cost of a litigant in person is £9.25 per hour.

 

What if they defend and say the information was not available?

 

We all know that the information and all data is kept electronically. The Bank may argue this point, however if you received bank statements, then the data is available or if you banked on line.

 

The only time when they are exempt from providing the data is if they don't have it, which may be down to wording - of the SAR so ask for help if they try to defend.

 

Defence such as not available in permanent form is not acceptable in that banks run fully operational computer systems! So ask if in doubt with their avoidance of giving you information if they defend.

 

Hope this helps.

 

CJ

 

To read more about the Information Commisioners Role

 

Complaints

[Bookworm]

Data Protection Act 1998

 

Under the Act it clearly stated that the Data Controller has 40 days in which to comply. This is 40 days from the date that they identify you as the Data Subject.

 

*Misconception is that it is the date they receive the letter

 

 

Sorry, not quite.

 

The data controller is entitled to ask for a fee of £10 and two further pieces of information. Firstly, the data controller must satisfy himself that the person making the request is, in fact, the data subject. The use of a subject access request form is advised, since the greatest breach of a data controller's security is for the data controller to satisfy a subject access request made by a person impersonating the data subject. The use of the form goes towards proving that the data controller has adequate identification and verification procedures in place. Secondly, the data controller is entitled to ask the data subject for further information to enable the data controller to locate the information which that person seeks.

 

When the last of these three pieces of information has been obtained, the forty day period starts to run. It is advisable to put procedures in place to ensure that the receipt of the request and the further information is correctly dated so that an organisation knows how long it has to satisfy the subject access request.

 

(Source: How to satisfy subject access requests | OUT-LAW.COM)

 

In other words, even if they have identified you as the subject, if the fee has not been sent, they can still delay. Hence our insistence that you should include the £10 from the start.

[tetley75]

Interesting thread

[noomill060]

I have, today, recieved an out of Court settlement from Barclays, in the form of a cheque issued from the Director's Office at Barclays to the value of £242.56 in respect of my claim for £200 damages + £36 Court fee and a bit of interest.

 

Yippeee! Microfish have proved rather expensive...

[noomill060]

Im now doing Woolwich in exactly the same way!

 

(Well if theyre happy to give money away it seems churlish to refuse the opportunity to take it!)

[orge]

Did you receive statements from older than 6 years? I notice from your other thread that the account goes back to 1986 (I think that's right?).

 

My account is about 9-10 years old and I'm currently trying to get statements from the first 3-4 years (they've sent me the rest). They're claiming that they don't keep anything older, but I smell bull****... Did they tell you the same thing and then backtrack?

 

My S.A.R was sent at the beginning of this month, so they still have some time to comply. Will follow your route, if I don't get satisfaction.

 

Thanks,

 

J

[noomill060]

Hi- they eventually provided my last 6 years statements.

 

But only after my DPA court action, which cost them over £240 in damages to make me go away!

 

I later sent a SAR for data from 1985-2001. No response.

 

Started small claim for enforcement+ £200 damages. No response.

 

I have applied for judgement by default and the hearing date for assessment is next Thursday 25 October.

 

I had a quick read of your thread orge, I think you're going to have lots of fun with them as well!