Re: banks and sars

I'm sorry, you'll have to run that by me again. I don't understand the question.

Re: banks and sars

say you instructed a claims company to claim back ppi from a finance company for you, 2 years on you search access request the same finance company should any letters sent on your behalf by the claims company at the early date be included in your search access request or at least copies of any correspondence

Re: banks and sars

Good question and one similar to a recent battle I had with the local authority here. In a subject access request they had removed all data which was about me but which a third party had submitted. I knew the data existed as I had seen copies of letters sent by certain third parties (which the third parties provided me in my SAR's to them)

After working with the data controller of the authority and running through the rules they got their legal counsel involved - the general threat was that they were 30 days passed the 40 day response period and had left data out, so i was going to take the matter to the ICO and the local government ombudsman (or whoever they are called, dont recall). It got the data controller on the back foot and they got helpful - helpful enough to even explain the rules that they now knew, apologise for their error and invite me down for an arse kissing meeting with me (how we are going to retrain people, change our policy etc etc .. one line was "you can take this issue further, but we hope you understand this was a genuine failing in our understanding and appreciate the measures we are putting in place to make sure it doesnt happen again and hope this satisfies you" - which i translated as 'yeah we messed up, heres how we fixed it, thanks for edumacating us, please dont tell our dad')

The gist of what came back was that anyone who had provided data on me while acting in a 'professional' manner (eg, local council worker, health worker etc) had to have the data disclosed in the authorities SAR response to me, including the name of the person/organisation providing the data (as it was data in relation to me, not the professional in question).

Any third party who had provided data about me, who were not professional workers (such as a random joe in the street) had to give their consent for their name to appear on data they provided. If that permission was not granted, then only their name, not the data, was redacted in the response to the request. In no circumstances could the authority 'leave out' data about me just because it was provided by any third party. The best they can do is remove the third parties name if disclosure consent from the third party is not given. The controller was also outside of DPA law by using a lack of response from third parties to disclosure requests as a justification for going over the 40 day response period - if no response comes in within 40 days, they must send the response to the SAR with the third parties personal data (name, phone number etc) redacted, but with the data they provided about me intact.

If a company (say company A) was acting on your behalf in a professional capacity and provided data bout you to company B ( and the data was only in relation to you), then it would seem contrary to DPA guidelines for company B to withhold that information when you provide company B with a SAR. At best, the data controller of company B would only be able to redact the names and contact details of the person/organisation (company A) who provided that data - and even then only after approaching said person/company A and not receiving permission to disclose those details (and thats assuming they they even have a right of redaction if company A was working on behalf of you with your authorisation).

Of course, many data controllers probably dont know this (for example, I had to fight my local council data controller for him to actually read the rules and comply) and a fight of words is usually in order. If a response to a SAR is received by you with data missing, then the data controller is outside of the law if the 40 days passes without that missing data being received.