I've been reading the ICO website about DSARs and it's very interesting, especially the section for organisations. Under the heading “In brief - what is an individual entitled to?” it very clearly states an individual is entitled to be:
- “given a copy of the information comprising the data; and given details of the source of the data (where this is available).”
- be open and honest about your identity;
- tell people how you intend to use any personal data you collect about them (unless this is obvious);
- usually handle their personal data only in ways they would reasonably expect; and
- above all, not use their information in ways that unjustifiably have a negative effect on them.
In my opinion NOT supplying information does in itself constitute an unjustifiable negative effect! But to make sure I phoned the ICO and I'm happy to say they were completely transparent and very helpful. The lady I spoke to explained that the starting point for firms is “they should release 'all' of your data in order to comply with the data protection act.” So the point above “given a copy of the information comprising the data; and given details of the source of the data (where this is available)” is actually based in legislation and we can rely on it.
As always there are buts. The biggest one being the customer is not entitled to anyone else's data – except where that person is working in a professional capacity with your data. The example I was given is: if you're working in an office and the person sitting at the next desk makes a complaint against you, you won't necessarily be entitled to see data relating to that person. However if your manager, working in his/her professional capacity, makes a complaint about you then you would be able to see their data on this subject. Therefore it is perfectly reasonable for you to be given data or documents relating to you even if they contain comments or information about your account supplied by your RM or anyone working on your account in a professional capacity. Which makes me wonder if you/we are also entitled to information from IPs, lawyers or accountants?
There are various exemptions to firms supplying information but, as far as I can see from the ICO website, these mostly relate to tax issues or crimes. In any event if the bank is going to rely on an exemption they should identify what it is.
The lady at the ICO suggests any member not satisfied with the information received after a DSAR request should:
- Write back to their bank explaining they are not satisfied that the full amount of information available has been supplied and asking why information has been held back.
- If the bank still won't give you your data/information, you can 'Report a concern' to the ICO and they will assess whether or not the bank has legitimately withheld information and, if it's not a legitimate reason under the Data Protection Act, the ICO can ask them to release data. They are a regulator and it sounds as if they actually do what it says on the tin!
Here's a link to the ICO: https://ico.org.uk/
If any members do decide to 'report a concern', please mention you are a member of SME Alliance Ltd, as I have already told them several members have concerns but, for the time being, we're not reporting as an organisation (data protection issues). Also please bear in mind the ICO will only deal with your concerns where you have reached an impasse with the bank and where you contact the ICO within 3 months of that impasse. So I suggest anyone who sent a DSAR a while back and is unhappy with what they received should write to their bank again with a new DSAR request, using the information above to explain you now understand there are things you are entitled to which you feel you have been denied. If the bank don't reply in the appropriate time scale or if they reply still refusing access – then report a concern to the ICO. They are very helpful people!
Hope this helps!!