• Welcome to the LegalBeagles Consumer and Legal Forum.
    Please Register to get the most out of the forum. Registration is free and only needs a username and email address.
    REGISTER
    Please do not post your full name, reference numbers or any identifiable details on the forum.

Data Protection Act ; Obtaining information from companies

Collapse
Loading...
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Data Protection Act ; Obtaining information from companies

    Good Afternoon Folks,

    this is a random post; some people may already know this information, I didn't, so I thought it might be useful, in "our battles" to come.

    when anyone puts a query to this forum, usually the first thing that our Di advises is to get a SAR off to the company in question. I always thought this was good advice......it's not only good advice, it is absolutely magnificent advice!!!!! So a very big thanks Di. I,ll explain later in the post.

    How many of us have either received replies from companies telling us that they have no obligation to provide information after a "six year" period etc etc. it is worded in a variety of ways and you will read it right across all the consumer forums. Well folks, strictly speaking that is not correct!!

    Following on from research and a conversation with the ICO, customers, on presentation of a Subject Access Request, are entitled to receive all the information that a particular institution hold on them. It is irrelevant whether this information goes back 5 years or 15 years. The exception to this rule is if that information has been completely and irrevocably destroyed.


    Below is an extract from the Subject Access Code of Practice:

    "Electronic records

    In most cases, information stored in electronic form can easily be found and retrieved. However, as it is very difficult to truly erase

    all electronic records, it is arguable that a requester might be entitled to request access to personal data that you do not have ready access to – because you still hold the data and, with time and varying degrees of technical expertise, you could retrieve it.

    You are likely to have removed information from your ‘live’ systems in a number of different ways. The information may have been:

    • ‘archived’ to storage;



    Archived information and back-up records

    Electronic records

    In most cases, information stored in electronic form can easily be found and retrieved. However, as it is very difficult to truly erase

    all electronic records, it is arguable that a requester might be entitled to request access to personal data that you do not have ready access to – because you still hold the data and, with time and varying degrees of technical expertise, you could retrieve it.

    You are likely to have removed information from your ‘live’ systems in a number of different ways. The information may have been:

    • ‘archived’ to storage;

    • copied to back-up files; or • ‘deleted’.


    Archived information and back-up records

    Generally speaking, information is archived because, although you wish to remove it from your live systems, you decide to retain a copy in case it is needed in the future.

    You should have procedures in place to find and retrieve personal data that has been electronically archived or backed up. The process of accessing electronically archived or backed-up data may be more complicated than the process of accessing ‘live’ data. However, as you have decided to retain copies of the data for future reference, you will presumably be able to find the data, possibly with the aid of location information from the requester. So you will be required to provide such information in response to a SAR.

    Electronic archive and back-up systems might not use such sophisticated search mechanisms as ‘live’ systems, and you may ask a requester to give you enough context about their request to enable you to make a targeted search. The requester’s ability to provide it may significantly affect whether you can find what they want. Nevertheless, to the extent that your search mechanisms allow you to find archived or backed-up data for your own purposes, you should use the same effort to find information in order to respond to a SAR. "

    The above is only a small extract from the "Code of Practice", but I think it gets the point across. Unless the company can give you an assurance, in writing, that your information has been destroyed, then they have to try and get it for you, no matter how difficult that seems to them. (Companies have to keep a "destruction of records " schedule)

    There is a sub section which explains that the company may come back to you and try and pin the range of information down and, that seems perfectly reasonable.

    So, you can see now why our Di's advice is so good!!!

    Finally, don't get palmed off!

    hope this helps,

    best regards,

    :beagle:
    Tags: None

  • #2
    Re: Data Protection Act ; Obtaining information from companies

    Aww thank you sweetie!

    I must give you and our Victoria credit too, the fantastic info and advice you provided - which gives great encouragement to all to keep going, so thank you both too x x x

    Comment


    • #3
      Re: Data Protection Act ; Obtaining information from companies

      Originally posted by L'pool64 View Post
      Good Afternoon Folks,

      this is a random post; some people may already know this information, I didn't, so I thought it might be useful, in "our battles" to come.

      when anyone puts a query to this forum, usually the first thing that our Di advises is to get a SAR off to the company in question. I always thought this was good advice......it's not only good advice, it is absolutely magnificent advice!!!!! So a very big thanks Di. I,ll explain later in the post.

      How many of us have either received replies from companies telling us that they have no obligation to provide information after a "six year" period etc etc. it is worded in a variety of ways and you will read it right across all the consumer forums. Well folks, strictly speaking that is not correct!!

      Following on from research and a conversation with the ICO, customers, on presentation of a Subject Access Request, are entitled to receive all the information that a particular institution hold on them. It is irrelevant whether this information goes back 5 years or 15 years. The exception to this rule is if that information has been completely and irrevocably destroyed.


      Below is an extract from the Subject Access Code of Practice:

      "Electronic records

      In most cases, information stored in electronic form can easily be found and retrieved. However, as it is very difficult to truly erase

      all electronic records, it is arguable that a requester might be entitled to request access to personal data that you do not have ready access to – because you still hold the data and, with time and varying degrees of technical expertise, you could retrieve it.

      You are likely to have removed information from your ‘live’ systems in a number of different ways. The information may have been:

      • ‘archived’ to storage;



      Archived information and back-up records

      Electronic records

      In most cases, information stored in electronic form can easily be found and retrieved. However, as it is very difficult to truly erase

      all electronic records, it is arguable that a requester might be entitled to request access to personal data that you do not have ready access to – because you still hold the data and, with time and varying degrees of technical expertise, you could retrieve it.

      You are likely to have removed information from your ‘live’ systems in a number of different ways. The information may have been:

      • ‘archived’ to storage;

      • copied to back-up files; or • ‘deleted’.


      Archived information and back-up records

      Generally speaking, information is archived because, although you wish to remove it from your live systems, you decide to retain a copy in case it is needed in the future.

      You should have procedures in place to find and retrieve personal data that has been electronically archived or backed up. The process of accessing electronically archived or backed-up data may be more complicated than the process of accessing ‘live’ data. However, as you have decided to retain copies of the data for future reference, you will presumably be able to find the data, possibly with the aid of location information from the requester. So you will be required to provide such information in response to a SAR.

      Electronic archive and back-up systems might not use such sophisticated search mechanisms as ‘live’ systems, and you may ask a requester to give you enough context about their request to enable you to make a targeted search. The requester’s ability to provide it may significantly affect whether you can find what they want. Nevertheless, to the extent that your search mechanisms allow you to find archived or backed-up data for your own purposes, you should use the same effort to find information in order to respond to a SAR. "

      The above is only a small extract from the "Code of Practice", but I think it gets the point across. Unless the company can give you an assurance, in writing, that your information has been destroyed, then they have to try and get it for you, no matter how difficult that seems to them. (Companies have to keep a "destruction of records " schedule)

      There is a sub section which explains that the company may come back to you and try and pin the range of information down and, that seems perfectly reasonable.

      So, you can see now why our Di's advice is so good!!!

      Finally, don't get palmed off!

      hope this helps,

      best regards,

      :beagle:
      Hi L'pool 64,

      Thanks for the post.

      I recently received SAR details from RBS stating that they had no record or statements from 1998 - 2001 and only had details thereafter.

      On what you mentioned, should I therefore use the above as a response do you think ?

      Comment


      • #4
        Re: Data Protection Act ; Obtaining information from companies

        Problem? If they have no records they have no records? Could anyone prove a company still has records?
        Difficult one methinks

        Comment


        • #5
          Re: Data Protection Act ; Obtaining information from companies

          Hi Bazza,

          it it is worth going back to RBS and asking them "as per the ICO subject access guidelines, can they confirm that the information that you have asked for (and cannot be given), has been completely and irrevocably destroyed". If they are unable to confirm that you are happy to escalate the issue to the ICO".

          You could also ask them to provide a destruction date, although they are unlikely to give you that.

          it will only cost you a stamp, or an e mail and it lets them know that you know, what you are talking about and, that you are not to be messed about!

          Let us us know how you get on.

          hope this helps,

          All the best

          :beagle:

          Comment


          • #6
            Re: Data Protection Act ; Obtaining information from companies

            Originally posted by L'pool64 View Post
            Hi Bazza,

            it it is worth going back to RBS and asking them "as per the ICO subject access guidelines, can they confirm that the information that you have asked for (and cannot be given), has been completely and irrevocably destroyed". If they are unable to confirm that you are happy to escalate the issue to the ICO".

            You could also ask them to provide a destruction date, although they are unlikely to give you that.

            it will only cost you a stamp, or an e mail and it lets them know that you know, what you are talking about and, that you are not to be messed about!

            Let us us know how you get on.

            hope this helps,

            All the best

            :beagle:
            Thanks for your comments L'pool64.

            I will do and once a response is received, I will post up :tinysmile_twink_t2:

            Cheers

            Bazza

            Comment

            View our Terms and Conditions

            LegalBeagles Group uses cookies to enhance your browsing experience and to create a secure and effective website. By using this website, you are consenting to such use.To find out more and learn how to manage cookies please read our Cookie and Privacy Policy.

            If you would like to opt in, or out, of receiving news and marketing from LegalBeagles Group Ltd you can amend your settings at any time here.


            If you would like to cancel your registration please Contact Us. We will delete your user details on request, however, any previously posted user content will remain on the site with your username removed and 'Guest' inserted.
            Working...
            X