Data Protection Act: Non-Compliance

From Consumer Wiki
Revision as of 21:35, 10 July 2007 by Mbrowne (talk | contribs)
(diff) ←Older revision | view current revision (diff) | Newer revision→ (diff)

Data Protection Act - Non-Compliance - Template Letters and Particulars of Claim

It is becoming clear that the office of the Information Commissioner is becoming snowed under with complaints. This means that delays caused by the bank in not complying, are being compounded by delays in follow-up action from the Information Commissioners Office.

Feedback also suggests that the Information Commissioners Office are choosing to write to the bank requesting they comply, rather than taking proper enforcement action to get rid of the problem once and for all.

By all means you can take the Information Commissioner route if you wish, however if you want to adopt a much more aggressive approach, then read on.

I would add that should you be in a position to send an estimate Request for Refund, then there is no reason why you cannot start that process at the same time. If you find later that you should have claimed more - then simply commence a second action against the bank when the first one is settled.


Data Protection Act Non-Compliance - Suggested Procedure:

Assuming that the Data Protection Act information request was lodged correctly (template letter, confirmed delivery, fee paid if necessary, identification verified if necessary), and the bank have either failed to respond, or only sent partial information, the following process should be adopted:


Scenario 1)

If your information arrives with parts missing - and no indication that further information will follow:

BEFORE THE 40 DAYS HAS ENDED: Send TEMPLATE 1 Below.

ON OR AFTER THE 40 DAYS: Send Template 2 Below.

If you have sent Template 1 letter, and the missing information does not arrive within the 40 day deadline: Send Template 2 Below.


Scenario 2)

If the 40 days has expired and no information has arrived:

Send Template 3 Below.


If after following scenarios 1 or 2, the matter is not resolved:

Commence a county court claim in the same way as you would for money - however, in the particulars of claim you need to specify that you require the bank to provide the information as outlined in the original Data Protection Act request.

You will find a suggested text for the Particulars of Claim below


It would seem likely that they will defend the action, but as with the claims for refunds it will probably not be worth their while going to court, and it should open the way for a dialogue.

Should they try to defend, or allow judgement to be entered by default, it could have far reaching consequences - since it would put them in danger of having to reveal information that they have hitherto wanted to keep well concealed. It would also make it very difficult for the various regulatory authorities to allow the banks to keep stonewalling claims.

I would add that a District Judge tends to be very hard on a party to an action, when they have been deliberately obstructive.


Non-Compliance Letters

TEMPLATE 1

Send this template if the 40 days has not yet expired. After you have sent it, if the 40 days then expires without the extra information appearing, send TEMPLATE 2 giving them a final 7 days to comply.



LETTER BEFORE ACTION

Section 7 – Data Protection Act 1998

Dear Sir/Madam

Account: xxxxxxxx

I am in receipt of the documents that you have supplied in response to my Data Protection Act information request dated (Insert Date). The disclosure of personal data is incomplete in that at least the following documents are missing.

(Adapt this next section to your situation)

1) You have failed to provide a complete list of transactions and charges. (Add details of missing period - or a transaction that you know about which is not included)

2) You have provided no notes, or documents relating to any legal action between you and myself.

3) You have provided no notes, or documents relating to instances of manual intervention.

This is not an exhaustive list by any means, it is just an example of some of the information I am missing.

Accordingly, I have to tell you that you have not yet complied with your obligations under the Data Protection Act 1998.

You have a further (Insert number of days remaining) days to comply.

Yours faithfully,


[name]


TEMPLATE 2

Send if the 40 days has expired.



LETTER BEFORE ACTION

Section 7 – Data Protection Act 1998

Dear Sir/Madam

Account: xxxxxxxx

I am in receipt of the documents that you have supplied in response to my Data Protection Act information request dated (Insert Date). The disclosure of personal data is incomplete in that at least the following documents are missing.

(Adapt this next section to your situation)

1) You have failed to provide a complete list of transactions and charges.(Add details of missing period - or a transaction that you know about which is not included) 2) You have provided no notes, or documents relating to any legal action between you and myself. 3) You have provided no notes, or documents relating to instances of manual intervention.

This is not an exhaustive list by any means, it is just an example of some of the information I am missing.

Accordingly, I have to tell you that you have not yet complied with your obligations under the Data Protection Act 1998.

The time for compliance with my request has now expired. If you do not comply fully with my Subject Access Request within 7 days, I shall apply to the County Court for an order to enforce compliance, together with damages at the discretion of the court.

Yours faithfully,


[name]


TEMPLATE LETTER 3



LETTER BEFORE ACTION

Section 7 – Data Protection Act 1998

Dear Sir/Madam

Account: xxxxxxxx

You have failed to comply with my Data Protection Act Subject Access Request dated (Insert Date).

If you do not comply within the next 7 days I shall seek a Court order obliging you to do so together with damages at the discretion of the Court and without any further notice.


Yours faithfully



Pariculars of Claim (Non-Compliance)

Text in red should be amended/deleted as appropriate.

NB: Please note that some County Court staff may not be aware of the procedure for these claims. It is important that you insist that the N1 is accepted - and that your claim is NOT a "pre-action disclosure", or a claim under "part 8".

The Information Commissioner has indicated that these claims should be dealt with in the Small Claims track.



BRIEF DETAILS OF CLAIM

(On Front of N1)

Order under Section 7 and Section 15(2) of the Data Protection Act 1998

Damages


NB: It is absolutely vital that you do not use the word "injunction" as this may cause problems. You will also find that the fee varies from £30 to £150, depending on the court involved. Of course, this fee should be recoverable, and if you qualify for relief from paying fees you will not have to pay, or it may be reduced.


PARTICULARS OF CLAIM

1. The Defendant is a Data Controller within the meaning of the Data Protection Act and is responsible for the processing of data of which the Claimant is a Subject.

2. The Claimant (has/had) an account number (Insert Account Number) ("the Account") with the Defendant which was opened on or around (Insert date) (and closed on or around (Insert date)).

3. On (Insert Date) the Claimant sent a Subject Access Request, pursuant to Section 7 of the Data Protection Act 1998 to the Defendant.

4. The Defendant has failed to comply.

5. By virtue of the Defendant's failure to comply with the Subject Access Request the Claimant has suffered damage (and distress).

6. The damage (and distress) caused is:

Extra costs incurred in addition to court costs, due to the Defendants failure to comply - this includes the cost of additional correspondence and time spent preparing documents and seeking legal advice, I estimate this cost to be £...........

Add any further things that can be clearly quantifiable, and to which you can provide proof.

Please be aware that claims for distress are only available where the distress is caused by the quantifiable damage. You would usually need professional evidence in support. If you are intending to go down this route it is vital you contact us before proceeding.

7. The Claimant seeks an order that the Defendant do comply with the Claimant's Subject Access Request

8. Under the terms of Section 15(2) of the Data Protection Act 1998, where the Defendant contests that information requested under the Claimant's Subject Access Request is not included within the scope of Section 7 of the Data Protection Act 1998, the Claimant requests that the Court inspects that information, and where it finds that the Defendant's opinion is unfounded, that it orders such information be included within the information supplied to the Claimant under the Subject Access Request.

9. Damages and costs within the discretion of the Court.


I believe that the contents of these particulars of claim are true


Signed:


Date:


[name]