Did the guy get access to the data he requested?
Because, if not, I'm sure you could just keep suing them and/or sending them SARs and repeating such court action.
A Buckinghamshire housing developer has been forced to pay up £1,500 after ignoring a person's request for information the company held on them. Using subject access requests (SAR), people can ask organisations to provide all the personal data held on them. Under data protection laws, companies have 40 calendar days to …
(Oh, and the reason I ask is because I bet the reason for the SAR in the first place was to prove that they hadn't met some other legal obligation, and he was basically "subpoena'ing" them for their own evidence against themselves. It's very common for companies to get all shirty when you do so and refuse to comply because it will only ever hurt them. And, there, even £1500 probably is worth it to just not-comply).
If it contains his name, it could be classed as personal information.
Even "what was the response to my email dated X that you claimed not to receive"? And then escalating to "I'd like you to tell me all the emails that you received from me" (which would be personal data).
Not to mention that they may have passed that information on (to who, when, where?).
I know that I've had any number of run-ins with landlords (most not even my own!) where they tried to disclaim everything, not follow the law, even inform people/organisations that they shouldn't have (e.g. try to delay external servicemen coming out to the property because I'm the grouchy person who complained), gain information about me that they did not need (i.e. I represented a tenant in a dispute once, with their permission, and the agency tried to look into who I was... it ended badly for them, as they had gone way beyond "Well, who is this guy" to using their industry contacts and private databases to try to dig up anything on me that they could), process information poorly (e.g. hand off your personal phone number to a third-party agency of some kind - even a plumber - without your explicit consent).
The old adage "If they have nothing to hide..." applies here. They would just comply, as the LAW requires them to. I could quite easily see that they have gone out of their way to ignore the guy's concerns, or try to sabotage his purchase/tenancy to get rid of him, or just deleted emails, or wrote snotty emails about him, and under the law he's entitled to get those from the company if there's a SAR issued. That they didn't comply tells me that there's something in there that they don't want him to read about himself.
P.S. Since - and actually for many years before if you ever read legal case histories - GDPR, if you're discussing something even internally about something, that discussion should come up on the results of a Subject Access Request. It's personal information. Maybe censored, maybe deemed "not to contain personal information", etc. but you have to justify every one or else you could be found liable of not complying with the request.
Guess how I know this, having worked IT management in a school for my entire adult life? Yes, that snotty email where some teacher says "Fred's too thick to be entered for GCSE, we're just wasting our time here, but let's fob the parents off" can end up needing to appear on an SAR response.
The presumption of "well, what could be on there for them not to want to comply" is that they are actually purely professional at all times and have never put something inappropriate, or condemning themselves, in an email, ever. The fact that they REFUSE to comply, even when the ICO threaten, warn and prosecute means that they know that SOMETHING will come up on that SAR that they'll be required to provide that they don't want to.
Maybe even evidence of their own law-breaking in some respect in handling his house/tenancy/complaints/data.
Actually not true, simply containing the name doesn't make it personal data, the Durant ruling makes it quite clear that the information has to be biographical about the individual and as the snagging is about the house not the person, wouldn't make it the person's PD. The person's name would be PD but the stuff about the house wouldn't.
Your example of 'Fred' would be PD - it's about him but just mention of a person in an email/document etc. doesn't make that their PD and to say it does is frankly nonsense but since you're playing on the experience and 'I know better than you card' here I guess my 15+ years as a DP Officer in the public sector doing SARs on a daily basis and with DP and FOI qualifications mean less than your experience doing IT in schools.
Mine's the one with well thumbed and annotated copies of the DPA98, FOI, DPA2018 and GDPR in the pockets
"We have no record of your complaint and the product is now out of guarantee. We are unable to discuss it with the person you wrote to as they have now left/been fired for being diligent."
The diligent employee forwards the complaint to various people that have a lengthy "oh shit" internal discussion probably also copying in third parties as it's a health and safety as opposed to guarantee issue...deleting data to avoid an SAR is a dangerous game.
I should imagine that £1,500 was the applicable penalty according to the DPA, in force at the time the offence was committed? If the subject did send a new data access request now, it would be under the GDPR, which imposes *much* more hurtful punishments.
Btw, while dealing with some contractual matters I sent personal data to a couple of airlines not long ago. Very happy to report that as soon as the matters were closed I received an email informing me that my data was being deleted (presumably in the same batch job that sent the email).
I had a recruitment agent e-mail me out of the blue without an unsubscribe option that refused my SAR on multiple occasions. Had to prompt the ICO about it endlessly and they finally got the recruiter to cough up that they didn't have anything on me as they'd decided to action the "right to be forgotten" part of my request before the SAR. ICO just told me tough - yet another agency that's the usual waste of time, space and money (see OFGEM, FCA etc.).
Let me guess:
(for non-UK readers, the "victim surcharge" the court imposed does not ever go to the "victim". It goes into the pockets of HMG).
Which is why I've not really made an effort to chase up the total failure of ATOS when I submitted a SAR 5 years ago.
I think you chaps underestimate how much time and effort it takes to deal with a SAR request. Just on my own systems this would encompass our crm and invoicing system. No problem there.
The phone call recording system, kinda no problem but what happens if they called one time off a different number? And email, again no problem for emails to and from a given email address but internal emails referencing said person could potentially be unreferenced.
It's a bloody nightmare for smaller companies. The big boys are more than happy for it, they have the time and money to easily comply.
My current experience is that SAR requests have only been used as a time wasting and delaying measure by people I have taken court action against for non-payment of what they owe.
It's all of a piece really. Tinpot dictator boss will waste endless time rather than do what he sees as giving in.
Last year our car was rear-ended by a traffic lorry. It was parked in a private car park at the end of a private road and the driver was lost (and appeared to be under the influence of drugs). The driver tried to tell me he didn't have to provide insurance details. I had rather a lot of photos showing the damage, the location, the private road sign.
My own insurance company were delighted with this portfolio. They located the company, and its insurers, told me to get everything fixed.
Six months later I get a letter saying the other side were disputing the liability, solicitors would be in touch.
Then the solicitors call to tell me that the other side is still disputing, would I be prepared to support the case in court? Oh yes.
With a few days to go before the hearing the other side suddenly caves. Of course the claim against them now includes not only accident damage, hire car and the like, but also solicitor's costs for both sides. They've had to spend their own time on it. Presumably tinpot boss ranted around the office and threw a few things before realising that he was also then going to have to pay court costs, witness expenses, legal costs....
I am sure it is ego alone that drives a company to £1500 in fines and court costs rather than an hour looking for stuff. Equally, the £1500 is far less important than the salutary effect of the boss having his nose rubbed in it - and the staff knowing.
OK here's the story. In late December I spotted a new direct debit on my bank account from a gas & electricity company I stopped using a couple of years ago. I blocked the transaction as I'd had no communication from them to say there was any payment outstanding. I had received a "urgent action required" letter from a third party "meter reading company" a couple of weeks earlier and suspected this was linked. I contacted my current power supplier who confirmed my understanding that they don't use the third party, they have their own meter readers and they held current readings.
So I sent a SAR to the power company and another to the meter readers. 6 weeks later no response from the meter readers, the power company sent a couple of kilos of printouts. It took me some time to work through those, mostly reprints of letters they'd sent me when I was a customer plus a few notes from online communications (hard to understand as they make extensive use of three letter abbreviations - I guess I should request explanations of the TLAs). They failed to respond to most of the questions, for example, significant in this case "The recipients or categories of recipient you disclose my personal data to" to which the answer should have been "to a meter reading service provider".
Still thinking about what to do next, maybe a recorded delivery repeat request to the meter readers (so they can't try a "lost in the post" excuse). As they'd sent me the letter in early December they must have some information about me so "Information about the source of the data" is the bit I'm interested in.
If you send a recorded delivery letter then also video yourself inserting letter into envelope at the Post Office, sealing it, countersigning the flap, and handing it over.
HMRC for example have been known to acknowledge receipt of the envelope but claiming it had nothing inside.