Dealing with Data – who makes the rules?
Posted on 08/11/13
The “Subject Access Request” (SAR) set out in Section 7 of the Data Protection Act 1998 (the “DPA”) requires a creditor to inform a customer what personal data it holds about him/her. Given the amount of data processed by businesses this is often a significant obligation. This article appeared in the October 2013 edition of 'Credit Collections and Risk'.
The responsibility for protecting an individual’s statutory right to access data rests with the Information Commissioner who has recently published his revised Code on SARs. The new Code confirms the determination of the Information Commissioner’s Office (ICO) to protect the individual in the electronic age.
The Code states the following - “although the DPA sets out the legal requirements, it provides no guidance on the practical measures that could be taken to comply with them. This Code helps to plug the gap.” The concern is that the Code seeks to impose on businesses obligations which are not contained in the Act (or what the courts say is in the Act). As the ICO is empowered to enforce compliance with the DPA, it can enforce its own interpretation of the law.
Since the introduction of SARs the amount of data processed by all organisations has increased dramatically. The distribution of data by businesses, both internally and externally, continues to evolve. Retrieving data relevant to a particular individual from different systems can be a technical challenge. Once obtained the data has to be reviewed in order to establish whether it can be released.
Acknowledging this problem, the High Court ruled that the requirement was only to make “reasonable and proportionate” efforts to identify and supply the data. However, the ICO has resisted any suggestion from the courts that the obligation to respond to a SAR request should be diluted.
In the Code’s view a beneficial side effect of SAR compliance was the ability to “retain your customers through better customer care”. In the past, SAR requests to creditors were often accompanied by a Section 78 request for a copy of a credit agreement. Evidence suggests both frequently formed a strategy of debt avoidance by the customer rather than a desire to develop an existing relationship.
In 2004 a High Court Judge explained “the primary purpose of the Act is to make it possible for a data subject to learn what personal data are being processed by others”. However, many SARs addressed to creditors can be fairly categorised as “fishing” expeditions for information, often made to assist with actual or contemplated litigation. Long established court rules determine what should be provided both before and during litigation. The SAR request offers a relatively quick (the response has to be provided within 40 days) and certainly cheap (the fee required is £10) alternative method of “fact finding”.
Some comfort was provided in a ruling last year that an SAR request could potentially be refused if it was clear the only motive behind the request was to obtain information which could assist with unrelated litigation. The Judge also endorsed the principle that only a reasonable and proportionate search for data was required.
However, the ICO has a higher expectation and the new Code warns “it will never be reasonable to deny access to the requested information merely because responding to the request may be labour-intensive or inconvenient”.
This inconsistency between the ICO and the courts (to the extent that one High Court Judge had to state the ICO guidance does not have the force of law) is unsatisfactory. Relationship building with any regulator is vital and most businesses will prefer to avoid the risk of enforcement action from the ICO even if they feel a more robust approach to SARs is legally correct.
The multitude of different IT systems means neither a template response nor an exhaustive check list can be provided to assist with SAR responses. However, that does not prevent resolution of the long running disagreement between the ICO and the judiciary. It is a straightforward question – does the search for data have to be unlimited or need it be only reasonable? Creditors deserve clarity on this important point.