Subject Access Request; Employer Delaying tactics?

Discussion in 'Finance, Property, Law' started by Bravo_Bravo, Oct 17, 2010.

Welcome to the Army Rumour Service, ARRSE

The UK's largest and busiest UNofficial military website.

The heart of the site is the forum area, including:

  1. Ten days ag I sent my former employer a SAR as I'm taking legal action against them and suspect there are some "Interesting" emails to be seen.

    It read "I am a former employee of ****, staff number *** and left service in ****.

    Please send me the information which I am entitled to under section 7(1) of the Data Protection Act 1998, in particular copies of any email or other correspondence relating to or discussing me. A fee of £10 is enclosed."

    They are a financial services / insurance institution with whom I've had policies for >ten years, and the same address for about ten years.

    They've come back and asked me to "clarify the additional information you require along with the following detail on your request for emails, ie authors / recipients, the content of the emails and the time period for the search"

    They ask if I'd like a copy of my personnel file, and if so "please submit a copy of your passport etc etc as we require thee documents for identification purposes."

    They then imply that they cannot send me anything without ID, even though they'll have a copy of my signature on file and my address has not changed from that on their records.

    They also say that they understand from HR that they recently sent me a significant amount of info and emails containing my personal data that would fall within the scope of he SAR. ( actually, sent to my Solicitor as a Trial bundle, and not actually that comprehensive. )

    Is this kosher or does it look like stalling tactics? Is the 40 days still running?

    Thanks in advance

  2. BB - as far as I know, once you've put the request in they have to provide everything you ask for - although you may have to send in continual clarifications via your solicitors. I went through a similar ordeal about 10 years ago, the cnuts employed every low-down tactic they possibly could from getting my first solicitor to drop the case the day before I had to submit my papers (their account was bigger than mine); my flat was burgled; I was mugged; my computer was hacked on xmas day; my car was vandalised in my drive - now I know a lot of that sounds like paranoia but there were too many coincidences for that amount of shit to happen. Also, as I was instructing my 2nd solicitor, the phone in their boardroom rang - guess who, yep a partner from my previous employer. The call was diverted to the senior partner who dropped the case instantly. The next 3 solicitors I tried, same story. I finally got one - who was pretty useless but that late in the day I was lucky just to get the papers submitted. It went on for 9 months before I finally got to a tribunal. I gave my evidence and before we had the chance to examine them, they caved and paid up.

    If you've got a case; get a good (impartial) solicitor, stick to your guns and don't blink.
  3. Write back and tell them that you require copies of all personal data that fall within the scope of the Data Protection Act. Advise them to contact the Information Commissioner if they don't know what their legal obligations are.

    They can't require you to guess the name of the author in order to get copies of email. They need to dig through their archived email and find anything that refers to you. This is a helluva job if they archive emails on to tape which might be why they're reluctant to comply. Alternatively, they might have dug up an email that is libellous/racist/defamatory etc and they don't want to give it to you.

    If they record phone calls, ask for a copy of all of your calls that have been recorded. That should have them bussing in temps to the IT department.

    If their response isn't on your doormat within 40 days, refer them to the Information Commissioner. Refusal to comply with a Subject Access Request is an offence and they could be prosecuted.
  4. In the Trial bundle was a single line in an email they *really* did not want be to see, it looked like it was included in error but I read the whole bundle - nearly lost them the case; I was found against despite the email "troubling" the Bench. Thats exactly why I'm asking, I'm sure there is more stuff they don't want me to see.
  5. Bravo_Bravo,

    As A_M has said, inform them you want copies of everything that falls under the scope of the Data Protection Act and that this request is separate from that which was given as part of the trial bundle.


    They've come back to me admitting that they don't need to ID me BUT quoting Section 7(3) of the DPA;

    "a) where a Data Controller requires further information... to locate the information which that person seeks, and b) Has informed him of that requirement the Data Controller is not obliged to comply with request unless he is supplied with that further information."

    They've said that they are unable to process the specific part of my request - namely, emails discussing or mentioning me - unless "you assist us in "locating the information" by identifying the email accounts, correspondence and time periods which (my) request relates to".

    As they are "keen to assist me" they've ID'd some six accounts that may hold my personal data, and propose to review these six accounts over a two year period prior to my leaving service. I'm certain that at least one other senior manager has emailed about me as I had a formal interview with him and he has emailed me. There are no facilities to record conversations with staff, so no recordings held.

    They've also declined to send me correspondence sent as part of legal proceedings as they believe I've already received this info from my solicitor - I have received some printss of email correspondence.

    SO.. is this just a bluff? Can they ask me to be specific in naming email accounts that *may* have discussed me?

    Its getting fascinating...


  7. ViroBono

    ViroBono LE Moderator

    I'd suggest you give them a list of names such as the manager you mention above. They can't refuse to send data that you might already have from your solicitor. Remind them that the 40 days statutory period for compliance started when they received your request.

    If they exceed the 40 days, report them to the Information Commissioner. What you can also do is sue them for non-compliance. After the 40 days, send a Letter Before Action giving them a further 14 days to comply fully and properly with your SAR; if there are specific things they've failed to supply, say what they are, and if they still don't come up with the goods, issue against them for an order to comply and damages at the Court's discretion. Cheap and easy to do.
  8. They can't use that as an excuse to withhold information like emails unless you can guess who wrote the email. The information commissioner will wipe the floor with them. Sounds like their lawyer is even more of a legal walt than I am.

    Don't tell them this. If they fail to disclose the email, use that fact to prove that they haven't carried a proper search.

    Tell them that you haven't received the requested correspondence and that you look forward to them producing documentary evidence that you have. They need to give the documents to you, not to your solicitor.

    It sounds like they're trying to avoid the work and cost involved in carrying out a proper search of their records. They could well be lining themselves up for a major kicking from the Information Commissioner.
  9. Given that I'm aiming for another Emloyment Appeal Trbunal Hearing I'd much rather detail the "missing" email account; I strongly suspect that there is info / correspondence that would help my case.

    The replies are very much appreciated, by the way.
  10. The 40 days - if its work days - finishes next friday.

    If its simply CALENDER days, I think they're late as my letter was sent 7 october...
  11. ViroBono

    ViroBono LE Moderator

    40 calendar days for a SAR.

    I accompanied a friend to court when he sued a former employer over their failure to comply with a SAR. Very clear cut - the judge asked the defendants whether or not they'd supplied all the data they held on the claimant. He wasn't interested in any of their excuses, and gave judgement for the claimant - an order for them to comply fully within 7 days, damages and costs.
  12. SITREP

    SAR replied to, looks rather thinner than I'd expected. Actually spoke to the bloke dicked to deal with it - he phoned to check I'd received the package. I asked if he could confirm that he'd checked all the accounts I'd specified, and he said he had.

    Said something that may be VERY interesting, if I understood what he said, in that if an item had been deleted, they could not trace it. I'm due to see my Solicitor tomorrow and will get the SP from him BUT this would seem to me to be a pretty easy way of avoiding anything "awkward".

    They've also not sent anything they think I'll have had at Tribunal.

    La luta continua...
  13. May be very true - depends on the backup cycle and (assuming they're using M$ Exchange, the retention period for deleted emails.) There are also ways to 'avoid' even a well constructed retention system based on Exchange / Outlook ...

    Just be careful using a SAR as a cheap method of legal disclosure. s7(4), Schedule 7(7) and (10), as well as the Durrant ruling, restrict what you are entitled to on a SAR but you may still be entitled to under civil disclosure rules - the scopes are quite distinct (albeit often overlapping.)