Forums Other London life DSAR Subject Access Request – how to be tough?

  • Lady London 2,051 posts

    I have finally lost patience with a financial industry provider – No, it’s not Creation 🙂

    As a prelude to telling them I’ve finally had enough and raising a formal complaint, I want to follow posters’ advice on here and make a Subject Access Request requiring them to share every piece of data they have on me.

    This is so they can’t remove bits, or dream up things to add or alter in their records when my main complaint hits them.

    It’s a complaint they will fight, because they will want to avoid having to redo the same incorrectly done work for other customers who are likely to also have been affected. In 2 years that I know about and possibly more. It would require remedying and possible compensation for them too if my complaint is proved to be correct so they will fight it.

    Other than the main complaint there are 2 supporting complaints

    – they are simply not communicating or resolving things (impact on the main complaint)
    – they have made no attempt to remedy a previous serious error I made them admit. It’s probably got the same root cause as my main complaint.

    Can anyone advise, when emailing them my DSAR:
    – What is the *exact* name of the legislation/Act I should quote?
    – Is there a time limit within which they are required to provide all my data for a DSAR?
    Is it 30 days? If so I’d like to state a deadline. Because they always miss even their own deadlines, and they constantly state things have been sent on x date. Then things are sent days or longer, after they said, by the timestamp on them.

    I’m looking for data held in any way, phone calls landing at (possibly various outsourced) call centre(s) which I am certain they record, and a Teams conversation which for sure they record.

    I feel like sending it by post recorded delivery. But as I’d rather collect the data before formally complaining : is it just as effective in terms of them looking bad if they fail to provide within time required or any reasonable time, if I’ve sent the DSAR by email? They give the impression no email is even looked at for three weeks or so, even transactional, and I believe they have some sort of standard which queues emails for 9 or 10 days before anyone looks at them.

    I don’t want them to fail to provide me any data and then produce it later in any proceedings (esp if regulator [preferred] or FOS ) to try to get themselves off the hook. Are there any words I can put into the DSAR so it will look bad for them later if they don’t provide full data in response to the DSAR?

    Grateful for any advice.

    Rui N. 831 posts

    The law in question is the DPA 2018.
    They have one calendar month to reply: https://ico.org.uk/your-data-matters/time-limits-for-responding-to-data-protection-rights-requests/ (see this ICO website in general for more help)
    They can only withdraw certain data according to what is allowed in the DPA. And they have to tell that they’ve withheld some data and the reason for that. They certainly cannot not provide you all information, not tell you about that and then come up with new data in any proceedings – that’s a complaint to ICO right there, and if the proceedings were in a court of law, any such data would surely be disregarded by the judge.

    Lady London 2,051 posts

    Thank you Rui.

    Would you mention the ‘calendar month’ in the DSAR to make sure they have no excuse for not providing it within that period? Because I cannot imagine they will meet that deadline and if they do, it would stun me if the data they provide would be complete.

    Better *not* to mention the calendar month it’s due in, and thereby give them enough rope to hang themselves?

    Rui N. 831 posts

    I wouldn’t mention it.
    It’s the most basic stuff about DPA/GDPR that you need to comply with any data requests quickly. They need to have the systems in place to be able to do so.

    Aston100 1,383 posts

    ‘London Life’ hey?

    Clem Fandango 23 posts

    Thank you Rui.

    Would you mention the ‘calendar month’ in the DSAR to make sure they have no excuse for not providing it within that period? Because I cannot imagine they will meet that deadline and if they do, it would stun me if the data they provide would be complete.

    Better not to mention the calendar month it’s due in and give them enough rope to hang themselves?

    Most organisations haven’t a clue how to respond properly to DSARs. Keep your request as broad as possible – ask for all data about you, whether stored by X or one of their subsidiaries or subcontractors. Don’t narrow it down if asked (they can ask, you don’t have to agree).

    Keep making references to “the statutory requirements of the act” rather than helping them out by saying a calendar month.

    Then when their piss poor reply arrives late the fun (for you) starts. Don’t remind them until they’re at least a week late, and start mentioning the ICO.

    When you get the data and they are (of course) incomplete say they’ve not followed the law and you’re demanding they hand over a, b and c – where a, b and c is a non exhaustive list of the things you know they have but haven’t handed over.

    Then around 2 months after the request date, file a complaint with the ICO. It’ll take them about 8 weeks to do anything but they will rattle the company’s cage.

    I have quite a bit of experience in this area so let me know if you’d like a chat over email at some point.

    It’d be an honour to help out as your legal posts are just so damn good!

    OpaWoody 5 posts

    You should look at these

    What you should do
    https://ico.org.uk/your-data-matters/your-right-to-get-copies-of-your-data/preparing-and-submitting-your-subject-access-request/

    And what they must do

    https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-of-access/

    If you look at their data privacy policy there should be contact details for their data protection team. If you can send an email you have your record when it was sent, and they may send an automated holding reply.

    They are likely to respond quickly as the requirement is 1 month from receiving the request, not when they first look at it.

    I ask for all data including but not limited to voice call recordings, instant messaging, “live chat” records, email, online forms, written correspondence and any third party communications. I also advise them that as it is not a complex request, compliance is expected within 1 month.

    Lady London 2,051 posts

    Thanks Clem. The approach you and Rui suggest to go out with a request phrased for all data, looks like it will either cause an attack of efficiency on their part (40% chance if it quickly reaches the right dept), or play to their inability to organise themselves and get things done timely. As well as nicely expose how much communication over how long a period is needed to still not get correct performance from them. So I like that a lot as it reflects my supporting complaint.

    Opawoody thank you for the list and the excellent language in your last paragraph, I will blend it into the followup chain Clem suggests if they miss the deadline or provide data that appears incomplete.

    S*d’s law if sent to any data controller that’s awake (as compared to the operational side I have been dealing with) the one thing this firm has ever seemed to respond to is meeting any requirement where a box can be ticked. Such as meeting a 48-hour deadline for an urgent answer by having someone on the team who knew nothing as far as I could tell and couldn’t answer anything, return my call.

    I need to send the DSAR urgently on Thursday after one last call tomorrow in which they will fail to answer anything. If the data controller’s contact email isn’t prominent on their website I might unfortunately have to send it to the regular operational email.

    EwanG 112 posts

    @LL the contact details should be within their privacy policy, which should easily be found on their website.
    I suggest you also title the email along the lines of “Subject Access Request – copy of personal data” and restate that within the email, that way they will be clear in terms of next steps they need to take, no matter which email address you end up sending it to.

    Potentially the firm might ask for more time (this is permitted under GDPR/DPA2018) but only in certain circumstances (links above will cover such) but they will need to advise before the first calendar month deadline.

    Mouse 173 posts

    My experience with this was that a financial services company I was in dispute with claimed to be a data processor and not a data controller, and would not engage with my request at all, despite a lot of back and forth. After a letter from me to the ICO, and then from the ICO to them, they suddenly became very helpful and resolved my underlying problem (they had erroneously blacklisted me) within days. So my advice on the basis of that one experience is to get the ICO involved as early as possible.

    Cranzle 272 posts

    I would address the request to the appropriate department (and not as a complaint or to the complaints department). I don’t recall the exact terminology, but I believe most organisations have published the name of the ‘data controller’. You should address the request to him/it/her.

    Lady London 2,051 posts

    Thanks EwanG, Mouse, Cranzle.

    Jacob 223 posts

    I would address the request to the appropriate department (and not as a complaint or to the complaints department). I don’t recall the exact terminology, but I believe most organisations have published the name of the ‘data controller’. You should address the request to him/it/her.

    100% and it’s either Compliance Officer or Data Protection Officer (or similar) – they’re ultimately legally responsible for these matters. When I worked in financial services, everyone had to know the person’s name (still remember it 8 years later). They usually have own channels to get these requests/complaints so it doesn’t get queued with other non-urgent emails/requests.

    Andrew. 482 posts

    Be prepared for a lot…

    Mine was delivered on a pallet when I was on holiday and was left on the drive. There was a heavy rainstorm which didn’t mix well with 40,000+ sheets of A4.

    So they had to redo.

    (If a firm really wants to obfuscate a DSAR enquiry, tonnes of printed Metadata is the answer.)

    Cranzle 272 posts

    Keep us updated please, LL

    Clem Fandango 23 posts

    You should look at these

    What you should do
    https://ico.org.uk/your-data-matters/your-right-to-get-copies-of-your-data/preparing-and-submitting-your-subject-access-request/

    And what they must do

    https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-of-access/

    If you look at their data privacy policy there should be contact details for their data protection team. If you can send an email you have your record when it was sent, and they may send an automated holding reply.

    They are likely to respond quickly as the requirement is 1 month from receiving the request, not when they first look at it.

    I ask for all data including but not limited to voice call recordings, instant messaging, “live chat” records, email, online forms, written correspondence and any third party communications. I also advise them that as it is not a complex request, compliance is expected within 1 month.

    Great advice here. The only point I’d quibble a bit with is the last line.

    Don’t use the word “complex”. Most companies don’t know they have a get out of jail free card in the act which gives them 3 months to reply if they say it’s “complex”. Nobody (not even the ICO) can properly define “complex” so the company usually gets away with delaying your response.

    Crucially they have to say it’s complex up front – they can’t wait a month and then ask for more time.

    Lady London 2,051 posts

    Update on DSAR – can anyone advise next step? Being messed around by 2 providers. I did DSARs on both to find out who caused a mess on a product.

    Provider 1 requested my ID 2 weeks after DSAR was sent. I sent ID immediately. On the 2-month calendar date after the DSAR “we’ve been actively working on your request but our business is complex and we have many requests” and “we don’t have your data because under our own data retention policy we destroyed it many years ago”.
    It was indeed a long time ago but they introduced to a very long life product and may have some responsibility. I am prepared to let this go since I think Player 2 did the mess. If provider 1 says they don’t have my data any more, how do I make sure they don’t suddenly decide to de-archive some old backups if they receive a court order in the future, or want to save their own a$$? Should I respond asking them to confirm that they will provide no data concerning me to anyone in any circumstances in the future, not even if they get, for example, a court order? Do I also report this lazy response to the ICO, or can I ask the ICO for any help here.

    Provider 2 completely ignored my DSAR till 2 months + 17 days when I phoned to say why has my DSAR been completely ignored and when will I receive my data. I distinctly “heard” the “Oh, sh!t” and distinctly “heard” her scrolling an email inbox and finding my DSAR. 10 days after my chaser call they’ve emailed saying they can’t find my DSAR (I “know” they’re lying) and they will respond 1 calendar month + 1 day from my telephone chase.
    They always ask me for very extensive ID verification on any contact, which they haven’t in this response and didn’t in the phone call, and they also haven’t asked me what data I want. My ID and the wide scope of my request, following @Clem Fandango’s advice, is in my original DSAR. Which I’m certain they found but are denying they found. They either overlooked it (60% likely) or were dealing with it inefficiently (30%) or they’ve been busy for over 2 months redacting it (10%). I find this unacceptable. Prepared to be gloves off with them as there are many issues with them.

    How do I respond to Provider 1, who is being lazy and denying the existence of the data (which may or may not be true)?
    How do I respond to Provider 2? (lying and inefficient)

    Should I involve the ICO now, or threaten to involve the ICO now, and in what way?

    Advice appreciated. Want to challenge both these lame responses.

    Blair Waldorf Salad 1,095 posts

    Provider 1 – it is what it is. You can ask them to verify that they also checked archives/backups designed for system restores. But if they say they still don’t hold your data, you have to take it as fact. The ICO won’t be going in to crawl all over their systems. If your data ever did get produced during legal discovery, then yes they’d have failed to execute the previous DSAR request. But the ICO can only fine them, not provide you with redress. You’d have to consult a lawyer as to whether non-disclosure under a DSAR but disclosing as part of legal discovery would make the information inadmissible. I doubt it.

    Provider 2 – you can involve the ICO now and you don’t need to make Provider 2 aware beforehand. You’ve been clear in your request and they’ve mucked you around. As the ICO will still consider this as a situation where resolution can potentially be reached, they may just send a letter to Provider 2 to nudge them into action. If you continue to be stonewalled, the ICO would take a dim view as subject access rights are a foundational keystone of the entire rights regime. Again you won’t enjoy any redress as the ICO can’t award compensation or damages.

    Tariq 79 posts

    And when you finally get the data, put another DSAR in for any new information since the last DSAR. So that you can see any internal written dialogue pertaining to your original request.

    Lady London 2,051 posts

    And when you finally get the data, put another DSAR in for any new information since the last DSAR. So that you can see any internal written dialogue pertaining to your original request.

    Thanks @Blair WS I will make it harder for Provider 1 to change their tune about not having retained my data in future, by asking them to confirm as you suggest.

    Thanks @Tariq but in protecting their a$$ Provider 2 is smart. They are finance industry so the fact that they did receive it on the date sent and they found the original request will only have been discussed verbally between themselves. They will not commit anything to record, other than their lie to me claiming they haven’t found it.

    I am for sure going to write to Provider 2 that I want all their internal records to reflect that I made this request as per the copy enclosed, 3 months ago and trying to pass off my request as only made 10 days ago is unacceptable and a continuation of the inefficiency and the impossibility of getting needed information out of them timely which has been the pattern of my experience with them. For Provider 2 I just wish I knew better weasel words to say for “you’re lying” 🙂