The Information Commissioner’s Office is jumping on the “subject access request” bandwagon – set in motion by Nigel Farage’s bust-up with Coutts and NatWest – by flagging up how easy it should be for consumers to get hold of information held on them.
While SARs are a key tenet of GDPR – and are still included in the UK’s data reforms under the Data Protection & Digital Information Bill (No 2) although with new conditions – they have been one of the best kept secrets until now.
Although SARs had been available under the previous Data Protection Act 1998, firms could charge consumers; under GDPR they were free and there ad been were fears that when the legislation came into force in May 2018 there would be a “tsunami” of data requests. However, this never really materialised.
But now the ICO is doing its best to ensure consumers do enact their rights, flagging up a section which has been on the website for years, under the heading: “Subject access requests – your right to get copies of your data”.
The post goes on to offer advice and even letter templates for people who want to make a request and noting that organisations normally have to respond to requests within one month but should let consumers know within one month if they need more time and why.
“Farage-gate” is likely to keep the data controllers of NatWest busy for some time, after it has emerged that a Facebook group of 10,000 people, claiming to have had their NatWest accounts shut, has been filled with customers sharing templates and instructions on how to get hold of data held about them.
Last week, the ICO also rifled off a warning letter to the banking trade body over the affair, calling on UK Finance to remind its members of their responsibilities in keeping data confidential.
Related stories
ICO warns banks over data duties as ‘Farage-gate’ rages
Decision Marketing Data Clinic: Data reforms explained
Govt urged to beef up data bill to fight ‘horrific’ adtech
Data deletion tsunami claims blown out of the water
Fears grow as ‘millions plan to delete data under GDPR’
Firms face bombardment of data requests under GDPR