Good Afternoon Folks,
This is a random post; some people may already know this information, I didn't, so I thought it might be useful in "our battles" to come.
When anyone puts a query to this forum, usually the first thing that our Di advises is to get a SAR off to the company in question. I always thought this was good advice... it's not only good advice, it is absolutely magnificent advice!!!!! So a very big thanks Di. I'll explain later in the post.
How many of us have received replies from companies telling us that they have no obligation to provide information after a "six year" period etc. etc.? It is worded in a variety of ways and you will read it right across all the consumer forums. Well folks, strictly speaking that is not correct!!
Following on from research and a conversation with the ICO, customers, on presentation of a Subject Access Request, are entitled to receive all the information that a particular institution holds on them. It is irrelevant whether this information goes back 5 years or 15 years. The exception to this rule is if that information has been completely and irrevocably destroyed.
Below is an extract from the Subject Access Code of Practice:
"Electronic records
In most cases, information stored in electronic form can easily be found and retrieved. However, as it is very difficult to truly erase all electronic records, it is arguable that a requester might be entitled to request access to personal data that you do not have ready access to – because you still hold the data and, with time and varying degrees of technical expertise, you could retrieve it.
You are likely to have removed information from your ‘live’ systems in a number of different ways. The information may have been:
• ‘archived’ to storage;
• copied to back-up files; or
• ‘deleted’.
Archived information and back-up records
Generally speaking, information is archived because, although you wish to remove it from your live systems, you decide to retain a copy in case it is needed in the future.
You should have procedures in place to find and retrieve personal data that has been electronically archived or backed up. The process of accessing electronically archived or backed-up data may be more complicated than the process of accessing ‘live’ data. However, as you have decided to retain copies of the data for future reference, you will presumably be able to find the data, possibly with the aid of location information from the requester. So you will be required to provide such information in response to a SAR.
Electronic archive and back-up systems might not use such sophisticated search mechanisms as ‘live’ systems, and you may ask a requester to give you enough context about their request to enable you to make a targeted search. The requester’s ability to provide it may significantly affect whether you can find what they want. Nevertheless, to the extent that your search mechanisms allow you to find archived or backed-up data for your own purposes, you should use the same effort to find information in order to respond to a SAR."
The above is only a small extract from the "Code of Practice", but I think it gets the point across. Unless the company can give you an assurance, in writing, that your information has been destroyed, then they have to try and get it for you, no matter how difficult that seems to them. (Companies have to keep a "destruction of records" schedule.)
There is a subsection which explains that the company may come back to you and try and pin the range of information down, and that seems perfectly reasonable.
So, you can see now why our Di's advice is so good!!!
Finally, don't get palmed off!
hope this helps,
best regards,
:beagle: