Housing biz made to pay £1.5k for sticking fingers in its ears when served a subject access request

A Buckinghamshire housing developer has been forced to pay up £1,500 after ignoring a person's request for information the company held on them. Using subject access requests (SAR), people can ask organisations to provide all the personal data held on them. Under data protection laws, companies have 40 calendar days to …

  1. Lee D Silver badge

    Question:

    Did the guy get access to the data he requested?

    Because, if not, I'm sure you could just keep suing them and/or sending them SARs and repeating such court action.

    1. Lee D Silver badge

      (Oh, and the reason I ask is because I bet the reason for the SAR in the first place was to prove that they hadn't met some other legal obligation, and he was basically "subpoena'ing" them for their own evidence against themselves. It's very common for companies to get all shirty when you do so and refuse to comply because it will only ever hurt them. And, there, even £1500 probably is worth it to just not-comply).

      1. Prst. V.Jeltz Silver badge

        Can you give an example of an obligation a housing developer might not have met that could be proved by gaining an individual's personal information held by them?

        1. 's water music Silver badge

          example?

          correspondence about dealing with snagging on a new build property? Results of investigations by the developer into the background of a home owner who is in dispute with them over snagging?

          1. Cynical Pie

            Re: example?

            Snagging wouldn't be personal data so wouldn't be captured by a subject access request.

        2. Lee D Silver badge

          If it contains his name, it could be classed as personal information.

          Even "what was the response to my email dated X that you claimed not to receive"? And then escalating to "I'd like you to tell me all the emails that you received from me" (which would be personal data).

          Not to mention that they may have passed that information on (to who, when, where?).

          I know that I've had any number of run-ins with landlords (most not even my own!) where they tried to disclaim everything, not follow the law, even inform people/organisations that they shouldn't have (e.g. try to delay external servicemen coming out to the property because I'm the grouchy person who complained), gain information about me that they did not need (i.e. I represented a tenant in a dispute once, with their permission, and the agency tried to look into who I was... it ended badly for them, as they had gone way beyond "Well, who is this guy" to using their industry contacts and private databases to try to dig up anything on me that they could), process information poorly (e.g. hand off your personal phone number to a third-party agency of some kind - even a plumber - without your explicit consent).

          The old adage "If they have nothing to hide..." applies here. They would just comply, as the LAW requires them to. I could quite easily see that they have gone out of their way to ignore the guy's concerns, or tried to sabotage his purchase/tenancy to get rid of him, or just deleted emails, or written snotty emails about him, and under the law he's entitled to get those from the company if there's a SAR issued. That they didn't comply tells me that there's something in there that they don't want him to read about himself.

          P.S. Since - and actually for many years before if you ever read legal case histories - GDPR, if you're discussing something even internally about something, that discussion should come up on the results of a Subject Access Request. It's personal information. Maybe censored, maybe deemed "not to contain personal information", etc. but you have to justify every one or else you could be found liable of not complying with the request.

          Guess how I know this, having worked IT management in a school for my entire adult life? Yes, that snotty email where some teacher says "Fred's too thick to be entered for GCSE, we're just wasting our time here, but let's fob the parents off" can end up needing to appear on an SAR response.

          The presumption of "well, what could be on there for them not to want to comply" is that they are actually purely professional at all times and have never put something inappropriate, or condemning themselves, in an email, ever. The fact that they REFUSE to comply, even when the ICO threaten, warn and prosecute means that they know that SOMETHING will come up on that SAR that they'll be required to provide that they don't want to.

          Maybe even evidence of their own law-breaking in some respect in handling his house/tenancy/complaints/data.

          1. Cynical Pie
            Coat

            Actually not true, simply containing the name doesn't make it personal data, the Durant ruling makes it quite clear that the information has to be biographical about the individual and as the snagging is about the house not the person, wouldn't make it the person's PD. The person's name would be PD but the stuff about the house wouldn't.

            Your example of 'Fred' would be PD - it's about him but just mention of a person in an email/document etc. doesn't make that their PD and to say it does is frankly nonsense but since you're playing on the experience and 'I know better than you card' here I guess my 15+ years as a DP Officer in the public sector doing SARs on a daily basis and with DP and FOI qualifications mean less than your experience doing IT in schools.

            Mine's the one with well-thumbed and annotated copies of the DPA98, FOI, DPA2018 and GDPR in the pockets

        3. robidy

          "We have no record of your complaint and the product is now out of guarantee. We are unable to discuss it with the person you wrote to as they have now left/been fired for being diligent."

          The diligent employee forwards the complaint to various people that have a lengthy "oh shit" internal discussion probably also copying in third parties as it's a health and safety as opposed to guarantee issue...deleting data to avoid an SAR is a dangerous game.

      2. Anonymous Coward

        I should imagine that £1,500 was the applicable penalty according to the DPA, in force at the time the offence was committed? If the subject did send a new data access request now, it would be under the GDPR, which imposes *much* more hurtful punishments.

        Btw, while dealing with some contractual matters I sent personal data to a couple of airlines not long ago. Very happy to report that as soon as the matters were closed I received an email informing me that my data was being deleted (presumably in the same batch job that sent the email).

  2. ShortLegs

    1 down, about 19 million more to go.

    1. phuzz Silver badge

      You'll notice that all the cases that get reported are still from 2017. Imagine what'll happen when they get through the backlog of older cases, to the ones that fall under GDPR...

  3. Anonymous Coward Silver badge
    Unhappy

    Fine

    So for failing to abide by the law and ignoring the authority's enforcement notices on 4 occasions (3 written, 1 verbal), they got a £300 fine (+costs)

    Doesn't sound proportional to me. I would've expected it to warrant a fine around 100× that amount.

    1. StewartWhite

      Re: Fine

      I had a recruitment agent e-mail me out of the blue without an unsubscribe option that refused my SAR on multiple occasions. Had to prompt the ICO about it endlessly and they finally got the recruiter to cough up that they didn't have anything on me as they'd decided to action the "right to be forgotten" part of my request before the SAR. ICO just told me tough - yet another agency that's the usual waste of time, space and money (see OFGEM, FCA etc.).

      1. Anonymous Coward Silver badge
        Paris Hilton

        Re: Fine

        Personally, I'd never admit to honouring a "right to be forgotten". I'd phrase it more like "we've either never had any dealings with this person, or have erased their details as per procedure"

        If you can tell that you've forgotten someone's details, you actually haven't.

        1. Martin Summers Silver badge

          Re: Fine

          "If you can tell that you've forgotten someone's details, you actually haven't."

          You're entitled to keep details of the SAR and right to erasure request to fulfil the obligation.

    2. Korev Silver badge

      Re: Fine

      The article suggests that this is now covered by the GDPR which has much higher fines.

  4. This post has been deleted by its author

    1. Anonymous Coward

      Re: Wait, wait, wait!

      "So, ignoring the ICO's fine and going to court and losing is cheaper than just paying the £1500 fine?"

      No. The "£1,500" mentioned is the total sum of fines and costs imposed by the court, rounded to the nearest £50. The actual "fine" was £300.

      1. Tigra 07 Silver badge
        Pint

        Re: Wait, wait, wait!

        Thanks for the clarification. Have a pint!

  5. Archtech Silver badge

    Oooooh, a whole £1,500!

    That would just about pay for the big boss's lunch.

    When he eats alone.

  6. Peter Galbavy

    Whoever the data subject was, they must have been friends with someone. The ICO is a complete waste of time for normal members of the public seeking help and asking for the regulator to regulate.

    1. Cynical Pie

      RTFA, the ICO didn't set the fines, the courts do in this instance.

      In many ways the ICO isn't fit for purpose but blaming it for the failings of someone else is a bit much

      1. katrinab Silver badge

        No, the fact that the ICO actually prosecuted someone for this.

  7. Anonymous Coward

    So how much for the victim ?

    Let me guess:

    £0

    (for non-UK readers, the "victim surcharge" the court imposed does not ever go to the "victim". It goes into the pockets of HMG).

    Which is why I've not really made an effort to chase up the total failure of ATOS when I submitted a SAR 5 years ago.

    1. Anonymous Coward

      Re: So how much for the victim ?

      (for non-UK readers, HMG = Her Majesty's Government)

      1. Bonzo_red

        Re: So how much for the victim ?

        "Her Majesty" in this case being the monarch of the United Kingdom of Great Britain and Northern Ireland, not to be confused with any other majesty, such as the Queen of Canada with whom she shares some similarities.

      2. robidy

        Re: So how much for the victim ?

        For non-UK readers when the reigning monarch is male, it's His Majesty's Government....not that this has happened since the birth of the internet...or likely to for a while.

    2. katrinab Silver badge

      Re: So how much for the victim ?

      It funds the criminal injuries compensation board. You can in some circumstances claim money from them.

  8. NonSSL-Login

    I'm sure many companies would be happy to fork out £1500 rather than give out SAR information that may embarrass them or cost them business opportunities.

    If people can choose to weigh the pros and cons of addressing a SAR, then maybe it's not quite where it needs to be yet.

  9. Anonymous Coward

    I think you chaps underestimate how much time and effort it takes to deal with a SAR request. Just on my own systems this would encompass our crm and invoicing system. No problem there.

    The phone call recording system, kinda no problem but what happens if they called one time off a different number? And email, again no problem for emails to and from a given email address but internal emails referencing said person could potentially be unreferenced.

    It's a bloody nightmare for smaller companies. The big boys are more than happy for it, they have the time and money to easily comply.

    My current experience is that SAR requests have only been used as a time wasting and delaying measure by people I have taken court action against for non-payment of what they owe.

  10. Anonymous Coward

    Shitty behaviour by businesses

    It's all of a piece really. Tinpot dictator boss will waste endless time rather than do what he sees as giving in.

    Last year our car was rear-ended by a traffic lorry. It was parked in a private car park at the end of a private road and the driver was lost (and appeared to be under the influence of drugs). The driver tried to tell me he didn't have to provide insurance details. I had rather a lot of photos showing the damage, the location, the private road sign.

    My own insurance company were delighted with this portfolio. They located the company, and its insurers, told me to get everything fixed.

    Six months later I get a letter saying the other side were disputing the liability, solicitors would be in touch.

    Then the solicitors call to tell me that the other side is still disputing, would I be prepared to support the case in court? Oh yes.

    With a few days to go before the hearing the other side suddenly caves. Of course the claim against them now includes not only accident damage, hire car and the like, but also solicitor's costs for both sides. They've had to spend their own time on it. Presumably tinpot boss ranted around the office and threw a few things before realising that he was also then going to have to pay court costs, witness expenses, legal costs....

    I am sure it is ego alone that drives a company to £1500 in fines and court costs rather than an hour looking for stuff. Equally, the £1500 is far less important than the salutary effect of the boss having his nose rubbed in it - and the staff knowing.

  11. Anonymous Coward

    SAR no or inadequate response - what next?

    OK here's the story. In late December I spotted a new direct debit on my bank account from a gas & electricity company I stopped using a couple of years ago. I blocked the transaction as I'd had no communication from them to say there was any payment outstanding. I had received a "urgent action required" letter from a third party "meter reading company" a couple of weeks earlier and suspected this was linked. I contacted my current power supplier who confirmed my understanding that they don't use the third party, they have their own meter readers and they held current readings.

    So I sent a SAR to the power company and another to the meter readers. 6 weeks later no response from the meter readers, the power company sent a couple of kilos of printouts. It took me some time to work through those, mostly reprints of letters they'd sent me when I was a customer plus a few notes from online communications (hard to understand as they make extensive use of three letter abbreviations - I guess I should request explanations of the TLAs). They failed to respond to most of the questions, for example, significant in this case "The recipients or categories of recipient you disclose my personal data to" to which the answer should have been "to a meter reading service provider".

    Still thinking about what to do next, maybe a recorded delivery repeat request to the meter readers (so they can't try a "lost in the post" excuse). As they'd sent me the letter in early December they must have some information about me so "Information about the source of the data" is the bit I'm interested in.

    1. adam 40

      Re: SAR no or inadequate response - what next?

      If you send a recorded delivery letter then also video yourself inserting letter into envelope at the Post Office, sealing it, countersigning the flap, and handing it over.

      HMRC for example have been known to acknowledge receipt of the envelope but claim it had nothing inside.

  12. This post has been deleted by its author
