Announcement

Collapse
No announcement yet.

SAR & GDPR 2018

Collapse
This is a sticky topic.
X
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • SAR & GDPR 2018

    Now that we're ready for the GDPR, did you know that you no longer need to pay for requesting a Subject Access Request (now known as a Right of Access)? Similarly, you no longer need to actually write in anymore - you can use any formal means of contact such as requesting your information via phone, Facebook (and other social media outlets) or via email, if the firm can adequately identify you of course.

    So with that in mind this page is to help deal with any Right of Access queries that may come up, and to highlight firms who are not accepting requests and trying it on!

    The official line from the ICO is as follows:
    • Individuals have the right to access their personal data.
    • This is commonly referred to as subject access.
    • Individuals can make a subject access request verbally or in writing.
    • Firms have one month to respond to a request.
    • Firms cannot charge a fee to deal with a request in most circumstances.
    You can read the ICO guide here - The ICO - Right of Access

    What is the right of access?
    The right of access, commonly referred to as subject access, gives individuals the right to obtain a copy of their personal data as well as other supplementary information. It helps individuals to understand how and why you are using their data, and check you are doing it lawfully.

    What is an individual entitled to?
    Individuals have the right to obtain the following from firms:
    • confirmation that their personal information is being processed;
    • a copy of any personal data; and
    • other supplementary information this largely corresponds to the information that should be provided in a privacy notice.
    Other information
    In addition to a copy of their personal data, firms must also provide individuals with the following information:
    • the purposes of their processing;
    • the categories of personal data concerned;
    • the recipients or categories of recipient they disclose the personal data to;
    • their retention period for storing the personal data or, where this is not possible, the criteria for determining how long they will store it;
    • the existence of your right to request rectification, erasure or restriction or to object to such processing;
    • the right to lodge a complaint with the ICO or another supervisory authority;
    • information about the source of the data, where it was not obtained directly from the individual;
    • the existence of automated decision-making (including profiling); and
    • the safeguards provided if they transfer personal data to a third country or international organisation.
    Most firms, including us here at AAD, are already providing much of this information already in our privacy notice. Ours can be accessed here - AAD Privacy Policy

    How does the ICO recognise a request?
    The GDPR does not specify how to make a valid request. Therefore, an individual can make a subject access request to a firm verbally or in writing. It can also be made to any part of the organisation (including by social media) and does not have to be to a specific person or contact point.

    A request does not have to include the phrase 'subject access request' or Article 15 of the GDPR, as long as it is clear that the individual is asking for their own personal data.However, even if the firm has a form, you should note that a subject access request is valid if it is submitted by any means, so they will still need to comply with any requests received in a letter, a standard email or verbally.

    Therefore, although a firm may invite individuals to use a form, they must also make it clear that it is not compulsory and must not try to use this as a way of extending the one month time limit for responding.

    Right of Access Template
    If you'd like to stick to the norm and send a written request for information in, which we still recommend (as you have a paper copy / evidence of the request), then you could consider using the template below which should be ample for the firm to comply with your request:

    Dear Sirs,

    Ref: {enter your account details}

    In line with article 15 of the General Data Protection Regulation 2018 (GDPR) I hereby formally request that you provide me a copy of all information held about me on your systems, in paper format or other means.

    This is a data subject request so please send me everything that you hold about me to my home address as detailed below:

    {enter your address}

    I look forward to receiving the requested information within the next 30 days, as per the GDPR.

    Yours faithfully
    Yes, it really is that basic - that is all you need to send for the firm to adequately respond to your request.

    If you have any queries or questions please post them below...
    I'm the forum administrator and I look after the theme & features, our volunteers & users and also look after any complaints or Data Protection queries that pass through the forum or main website. I am extremely busy so if you do contact me or need a reply to a forum post then use the email or PM features offered because I do miss things and get tied up for days at a time!

    If you spot any spammers, AE's, abusive or libellous posts or anything else that just doesn't feel right then please report them to me as soon as you spot them at: webmaster@all-about-debt.co.uk

  • #2
    A s.78 (CCA Request) is NOT included. Under s.77/78 you have separate rights which is where the CCA requests originate.

    Therefore you still need to continue to pay the statutory 1 fee for all s.77 / s.78 requests.
    I'm the forum administrator and I look after the theme & features, our volunteers & users and also look after any complaints or Data Protection queries that pass through the forum or main website. I am extremely busy so if you do contact me or need a reply to a forum post then use the email or PM features offered because I do miss things and get tied up for days at a time!

    If you spot any spammers, AE's, abusive or libellous posts or anything else that just doesn't feel right then please report them to me as soon as you spot them at: webmaster@all-about-debt.co.uk

    Comment


    • #3
      A Credit Agency statutory report IS included. As the CRA (Experian / Equifax / Call Credit) processes your personal information (data), they must also be GDPR compliant which means you can send a Data Request in for free.

      At the present time the template above above will suffice as it's still relevant by requesting copies of all your data. However add a part stating you'd like your most recent credit file too.

      Something like "please also provide my most recent statutory credit report within my request" will be fine.

      This won't mean you get online access to daily credit scores / reports; it's specific to your statutory report which used to cost 2 - It'll now be free as well.
      I'm the forum administrator and I look after the theme & features, our volunteers & users and also look after any complaints or Data Protection queries that pass through the forum or main website. I am extremely busy so if you do contact me or need a reply to a forum post then use the email or PM features offered because I do miss things and get tied up for days at a time!

      If you spot any spammers, AE's, abusive or libellous posts or anything else that just doesn't feel right then please report them to me as soon as you spot them at: webmaster@all-about-debt.co.uk

      Comment


      • #4
        Originally posted by Never-In-Doubt View Post
        A Credit Agency statutory report IS included. As the CRA (Experian / Equifax / Call Credit) processes your personal information (data), they must also be GDPR compliant which means you can send a Data Request in for free.

        At the present time the template above above will suffice as it's still relevant by requesting copies of all your data. However add a part stating you'd like your most recent credit file too.

        Something like "please also provide my most recent statutory credit report within my request" will be fine.

        This won't mean you get online access to daily credit scores / reports; it's specific to your statutory report which used to cost 2 - It'll now be free as well.
        Hi Niddy,
        It says on the template to input account details for SAR,
        Do you enter all accounts?
        Also, does this not implicate you in any way?
        Do you need to provide previous addresses?

        Kind regards
        Saint X

        Comment


        • #5
          Originally posted by Saint X View Post

          Hi Niddy,
          It says on the template to input account details for SAR,
          Do you enter all accounts?
          Also, does this not implicate you in any way?
          Do you need to provide previous addresses?

          Kind regards
          Saint X
          Well I don't see that you actually need a Reference Number other than a Name with proof of ID.
          Even if you are a non customer a Company may be holding information on you might they?

          Comment


          • #6
            Originally posted by Roger View Post

            Well I don't see that you actually need a Reference Number other than a Name with proof of ID.
            Even if you are a non customer a Company may be holding information on you might they?
            What ID would I need Roger?
            Saint X

            Comment


            • #7
              Niddy does explain in that really useful Blog with The tech Clerk
              https://www.all-about-debt.co.uk/for...-and-responses


              The Normally 2 items
              1/ Passport or Driving licence
              2/ Plus a Utility Bill (Gas, Elec etc.. as long as it has your name and address)

              Send copies obviously.

              Comment


              • #8
                Originally posted by Roger View Post
                Niddy does explain in that really useful Blog with The tech Clerk
                https://www.all-about-debt.co.uk/for...-and-responses


                The Normally 2 items
                1/ Passport or Driving licence
                2/ Plus a Utility Bill (Gas, Elec etc.. as long as it has your name and address)

                Send copies obviously.
                Thanks Roger
                Much appreciated

                Saint X

                Comment


                • #9
                  I posted this on Tech Clerk's thread, perhaps here is better

                  Just wondered whether the likes of Restons, Shoosmiths, Optima, Mortimer Clarke and others dealing with the courts on behalf of DCAs and other financial interests can be required to provide what they hold via GDPR. Secrets of client confidentiality using other people's data for a purpose not authorised etc.

                  If they purport to be working on behalf of creditors, they must hold data to pursue any court case or other interference.
                  1 Are they allowed to keep it? Data can only be used for the purpose which was agreed.
                  2 Can they amalgamate it if more than one account? even if for different creditors? Chinese walls between customer accounts and clients
                  3 Can they refuse? Based on being a conduit or tool of the creditor, using the data for a specific purpose and entity.

                  Comment


                  • #10
                    Originally posted by julian View Post
                    I posted this on Tech Clerk's thread, perhaps here is better

                    Just wondered whether the likes of Restons, Shoosmiths, Optima, Mortimer Clarke and others dealing with the courts on behalf of DCAs and other financial interests can be required to provide what they hold via GDPR. Secrets of client confidentiality using other people's data for a purpose not authorised etc.

                    If they purport to be working on behalf of creditors, they must hold data to pursue any court case or other interference.
                    1 Are they allowed to keep it? Data can only be used for the purpose which was agreed.
                    2 Can they amalgamate it if more than one account? even if for different creditors? Chinese walls between customer accounts and clients
                    3 Can they refuse? Based on being a conduit or tool of the creditor, using the data for a specific purpose and entity.
                    Client Confidentility

                    Comment


                    • #11
                      What is good for the goose is good for the gander. DCAs described their debtors as clients. Solicitors describe their employers as clients.

                      Just pondering on the likes of Cabot enterprises who are recorded as taking over debts but leaving them with Optima and Restons, who managed them on behalf of the original creditor, rather than transferring them in-house to their Mortimer Clarke employees.

                      Surprisingly (not), some of these solicitors are not solicitors registered with SRA, but the DCAs (il)legal department. If they are merely an internal part of the creditor's firm, then the data they hold and any client-specific instructions for processing should, I opine, be included in the pack. It is held on company computers and in company records accessed by the company employees.

                      Alternatively where an external solicitor is engaged, who is used to collect payments in place of the DCA creditor, that solicitor, and staff, is not acting on legal matters which attract client confidentiality, but as a debt collector.

                      Credit card agreements allow creditors to use data held on their clients and pass it to whomsoever they want. The producers of credit reports, Hunter, DVLA etc provide personal names, addresses, phone numbers and email addresses deliver personal information to anybody who has "a valid reason". It appears there is no reciprocity if certain sectors are closed to inspection for reasons only relating to money and underhand tactics for pursuing their business model. DCAs being investors or rather gamblers who purchase debts for low costs and exploit the original creditors rights to full repayment.

                      Comment


                      • #12
                        Originally posted by julian View Post
                        What is good for the goose is good for the gander. DCAs described their debtors as clients. Solicitors describe their employers as clients.

                        Just pondering on the likes of Cabot enterprises who are recorded as taking over debts but leaving them with Optima and Restons, who managed them on behalf of the original creditor, rather than transferring them in-house to their Mortimer Clarke employees.

                        Surprisingly (not), some of these solicitors are not solicitors registered with SRA, but the DCAs (il)legal department. If they are merely an internal part of the creditor's firm, then the data they hold and any client-specific instructions for processing should, I opine, be included in the pack. It is held on company computers and in company records accessed by the company employees.

                        Alternatively where an external solicitor is engaged, who is used to collect payments in place of the DCA creditor, that solicitor, and staff, is not acting on legal matters which attract client confidentiality, but as a debt collector.

                        Credit card agreements allow creditors to use data held on their clients and pass it to whomsoever they want. The producers of credit reports, Hunter, DVLA etc provide personal names, addresses, phone numbers and email addresses deliver personal information to anybody who has "a valid reason". It appears there is no reciprocity if certain sectors are closed to inspection for reasons only relating to money and underhand tactics for pursuing their business model. DCAs being investors or rather gamblers who purchase debts for low costs and exploit the original creditors rights to full repayment.
                        But why would you want to alert the Current Creditor to go digging for Information across their Companies?
                        Its just another way of encouraging ping pong letters and perhaps indirectly admitting a Debt!
                        I mean why else would you contact them? They are Debt Collectors aren't they? So isn't contacting them admitting to Debt?

                        Let sleeping Dogs lie!! silence with DCA's and their wolf hounds!

                        Comment


                        • #13
                          Originally posted by Saint X View Post

                          Hi Niddy,
                          It says on the template to input account details for SAR,
                          Do you enter all accounts?
                          Also, does this not implicate you in any way?
                          Do you need to provide previous addresses?

                          Kind regards
                          Saint X
                          You would provide enough info for them to identify you, so if you were at a previous address then yes, provide it. You should account for the previous 6 years - so if you had 5 addresses in this time then provide them all in chronological order. If you have multiple accounts with a lender then provide the info, if not then provide the details for one account but explain the SAR needs to include all data held, albeit you've only provided one account number to allow them to trace you on their systems.

                          How can it implicate you? You wouldn't SAR a lender you are fighting UE with - that is kinda silly so we wouldn't suggest you ever do that unless you're defending a legal claim / threat.
                          I'm the forum administrator and I look after the theme & features, our volunteers & users and also look after any complaints or Data Protection queries that pass through the forum or main website. I am extremely busy so if you do contact me or need a reply to a forum post then use the email or PM features offered because I do miss things and get tied up for days at a time!

                          If you spot any spammers, AE's, abusive or libellous posts or anything else that just doesn't feel right then please report them to me as soon as you spot them at: webmaster@all-about-debt.co.uk

                          Comment


                          • #14
                            Originally posted by julian View Post
                            I posted this on Tech Clerk's thread, perhaps here is better

                            Just wondered whether the likes of Restons, Shoosmiths, Optima, Mortimer Clarke and others dealing with the courts on behalf of DCAs and other financial interests can be required to provide what they hold via GDPR. Secrets of client confidentiality using other people's data for a purpose not authorised etc.

                            If they purport to be working on behalf of creditors, they must hold data to pursue any court case or other interference.
                            1 Are they allowed to keep it? Data can only be used for the purpose which was agreed.
                            2 Can they amalgamate it if more than one account? even if for different creditors? Chinese walls between customer accounts and clients
                            3 Can they refuse? Based on being a conduit or tool of the creditor, using the data for a specific purpose and entity.
                            I replied there - see link -> https://www.all-about-debt.co.uk/for...-and-responses

                            quoted as

                            Originally posted by Never-In-Doubt View Post

                            No they (lawyers) will be exempt due to client confidentiality - officially talking they should only have data that the lender actually provided to them so there should be nothing else about you held by a solicitor. Likewise for a DCA, however if a DCA is fully assigned they would have the majority of recent data so you can SAR a DCA if you really wanted to.
                            I'm the forum administrator and I look after the theme & features, our volunteers & users and also look after any complaints or Data Protection queries that pass through the forum or main website. I am extremely busy so if you do contact me or need a reply to a forum post then use the email or PM features offered because I do miss things and get tied up for days at a time!

                            If you spot any spammers, AE's, abusive or libellous posts or anything else that just doesn't feel right then please report them to me as soon as you spot them at: webmaster@all-about-debt.co.uk

                            Comment


                            • #15
                              Roger - Correct. Don't poke a lion in the eye with a stick with an 'orses 'ead 'andle the finest that Woolworth's used to sell, if you are in danger of being attacked. However, if you are far enough the other side of SB and bitter and twisted from years of torment, why not make them comply?

                              Niddy
                              Thought as much, but the legality of how they use the data, in their set ups is slightly skewed.
                              Those hiding behind a solicitor's brass plate should only have the data supplied by the assignment transfer or the creditor's instructions. Unfortunately you read on their Web sites how the little devils of legal assistants are empowered using technology to improve their tracing and coercing skills, even using psychological profiling over the phone. Well, I never and all on 15K a year plus a 3k bonus.

                              The aim of the question was to see if there is any point in wasting a stamp to waste their time responding with any more than "We are exempt, bog off. Don't call us but we will call you day and night for the next 20 years even though we shouldn't."

                              Comment

                              Who's Viewing Thread: 1 (0 members and 1 guests)
                              Working...
                              X