The Information Commissioner’s Office (ICO) has served an enforcement notice on a Wirral-based finance firm that failed to respond to a Subject Access Request (SAR). There is no evidence that the firm has failed to comply with more than one customer SAR but for just one transgression the ICO has served the firm with the notice. The firm will now be liable for prosecution if it does not respond to the SAR.
On May 18 2018 the customer made a complaint to the firm and made an SAR for a copy of her personal data at the same time. The complaint was made via recorded delivery and the firm signed for this on May 21.
All firms are expected to respond to an SAR within 30 days of receipt and cannot charge the customer for providing this information. However, four months later the customer complained to the ICO saying she had not received a copy of her personal data from the firm.
The ICO wrote to the firm on December 11 to ask the firm to respond to the SAR. This letter was ‘returned to sender’ so the ICO wrote to the firm again on January 17 2019.
On three occasions in March 2019 an ICO staff member telephoned the firm to discuss the matter. The data protection watchdog has not disclosed what happened on the first two calls but has confirmed that on the third occasion the firm’s staff member hung up.
The ICO sent more letters to the firm in March and made a number of calls in June. The firm did not answer some of these calls and did not return the other calls as requested.
The ICO’s next step was to send a preliminary enforcement notice on June 26, which instructed the firm to respond to the SAR by July 26. The firm again failed to comply with this instruction.
On August 9 the ICO issued a further enforcement notice, again giving the firm 30 days to respond. However, on this occasion it will be a criminal offence if the firm fails to comply with the request. There is no indication of whether the firm replied to the latest ICO notice within the 30-day period.
The ICO believes that the firm’s actions constitute a breach of the sixth data principle of the Data Protection Act.
The information shown in this article was correct at the time of publication. Articles are not routinely reviewed and as such are not updated. Please be aware the facts, circumstances or legal position may change after publication of the article