I know many of our members have been struggling in the last few weeks with DSAR requests. And even where members have had invaluable help in submitting their requests in the most effective format, there's been no consistency to the replies. While one member managed to get 600 heavily redacted pages and another got 80 pages, one member got a curt letter saying “bugger off” or words to that effect. In any event lack of transparency means no one really knows what they are entitled to! And this is a fundamental issue for SMEs because, in many cases, access to central files would force banks to resolve complaints based on information they hold.
I've been reading the ICO website about DSAR and it's very interesting especially the section for organisations. Under the heading “In brief - what is an individual entitled to?” it very clearly states an individual is entitled to be:
In my opinion NOT supplying information does in itself constitute an unjustifiable negative effect! But to make sure I phoned the ICO and I'm happy to say they were completely transparent and very helpful. The lady I spoke to explained that the starting point for firms is “they should release 'all' of your data in order to comply with the data protection act.” So the point above “given a copy of the information comprising the data; and given details of the source of the data (where this is available)” is actually based in legislation and we can rely on it.
As always there are buts. The biggest one being the customer is not entitled to anyone else's data – except where that person is working in a professional capacity with your data. The example I was given is: if you're working in an office and the person sitting at the next desk makes a complaint against you, you won't necessarily be entitled to see data relating to that person. However if your manager, working in his/her professional capacity, makes a complaint about you then you would be able to see their data on this subject. Therefore it is perfectly reasonable for you to be given data or documents relating to you even if they contain comments or information about your account supplied by your RM or anyone working on your account in a professional capacity. Which makes me wonder if you/we are also entitled to information from IPs, lawyers or accountants?
There are various exemptions to firms supplying information but, as far as I can see from the ICO website, these mostly relate to tax issues or crimes. In any event if the bank is going to rely on an exemption they should identify what it is.
The lady at the ICO suggests any member not satisfied with the information received after a DSAR request should:
Here's a link to the ICO https://ico.org.uk/
If any members do decide to 'report a concern' please mention you are a member of SME Alliance Ltd as I have already told them several members have concerns but, for the time being we're not reporting as an organisation (data protection issues). Also please bear in mind the ICO will only deal with your concerns where you have reached an impasse with the bank and where you contact the ICO within 3 months of that impasse. So I suggest anyone who sent a DSAR a while back and is unhappy with what they received, should write to their bank again with a new DSAR request and using the information above to explain you now understand there are things you are entitled to which you feel you have been denied. If the bank don't reply in the appropriate time scale or if they reply still refusing access – then report a concern to the ICO. They are very helpful people!
Hope this helps!!