
Is the ICO meeting the needs of the individual when it comes to data breaches?

Our managing director Kingsley Hayes has been keeping a close eye on the key data privacy trends that our firm has seen since the General Data Protection Regulation (GDPR) came into force.  And he believes that the Information Commissioner’s Office’s (ICO) approach to data breach enforcement isn’t yet meeting the needs of the individual. But could things be about to change?

What are we seeing?

At Hayes Connor Solicitors, we have received thousands of enquiries from customers who have suffered as a direct result of a high-profile data breach. And, every day we are also helping the victims of smaller data breaches. Breaches that are causing misery and upset to people across the UK.

So, as you can imagine, our expert data protection solicitors pay close attention to how the ICO has responded to data breaches of all types and sizes.

In our opinion, the ICO has taken a proactive stance when it comes to commenting on large-scale breaches. This has no doubt been done to secure the attention of the media and politicians. And to make sure that organisations take appropriate action in the aftermath of any breach.

But, while we understand this approach, we also believe that the ICO still requires education on the lasting and full impact of data breaches. Because to date, the experience of the individual is still being downgraded.

Is emotional distress being taken into account by the ICO?

As it stands, the ICO is not coming down hard on organisations that are reporting data breaches and apologising for the violations. This can leave victims of data breaches wondering whether their suffering has even been taken into account.

For example, at Hayes Connor, we have experience of a particular organisation with a track record of committing data breaches that can only be described as atrocious. Over the last four years, over 150 incidents of the same type have been reported. And despite reported changes to process and internal governance, in the months leading up to the implementation of the GDPR another significant and life-affecting breach occurred.

Unfortunately, for those involved in this case, the ICO’s response was less than satisfactory.

Are things about to change?

We hope that, as time progresses, so too will the ICO’s approach. And there are signs that things are changing.

For example, earlier this year the ICO sent a warning shot to all organisations that – while unlikely to make any headlines – has wide-reaching implications.

In this case, the regulator took legal action against a housing developer. The developer had failed to comply with an Enforcement Notice which had been served by the ICO in relation to a failed subject access request. Under data protection laws, such a request allows an individual to request a copy of all the personal information an organisation holds about them.

The ICO won this case, and the developer was ordered to pay a fine and prosecution costs.

Crucially, by supporting the individual and taking robust action in this matter, the ICO demonstrated that it is intent on pursuing any organisation which is not taking its data protection obligations seriously.

However, the role of the ICO is to uphold information rights in the interest of the public and manage the complaints process. To do this effectively it must understand the various psychosocial effects that data breaches can have on individuals.

Thankfully, over the last few years, people have been waking up to the reality of mental health. And there is a greater awareness about the lasting effects of psychological suffering and anguish. But more still needs to be done.

Education is vital

According to renowned clinical psychologist and visiting professor in law and psychology at Birmingham City University School of Law, Professor Hugh C. H. Koch, education is crucial to ensure the needs of the individual are met. He said:

“Education within the legal media, both written and digital, concerning the psychological effect of data breaches reinforced at legal educational meetings and conferences will raise the bar of how much lawyers know and understand about data breach effects.”

Until then, while much has been achieved since the introduction of the GDPR, there is still a fair way to go before individuals can expect a standard of data protection we should all aspire to.

You can read more about the latest data breach trends here.

Leading by example

At Hayes Connor, we want to reduce the number of data violations taking place across the UK. To do this, we are helping to raise awareness of this issue and educating people and businesses to prevent similar mistakes from happening.

For more advice on how to keep your data safe, follow us on Twitter and Facebook.

Alternatively, if you have been the victim of a data breach or cyber fraud, find out how we can help you to recover any losses or give us a call to discuss your case in more depth.


Going to Uni? Don’t fall for this student loan scam!

Many students about to start their university and college courses could fall victim to a cyber scam if they are not vigilant. This follows warnings that fraudsters are aware that students will soon receive their first loan instalment of the year, and are using ‘phishing’ to try and steal this money.

Student Loans Scam

According to the Student Loans Company (SLC), students should be suspicious of any requests for personal or financial information from anyone claiming to be from the SLC or Student Finance England (SFE).

The loan provider claims that, in the last two academic years alone, its counter-fraud teams have stopped more than half-a-million pounds from being phished from student loans.

In most cases, students will receive emails, texts, calls etc. claiming to be from a student loan company. These messages will request personal or financial information that could be used to access their accounts and steal their much-needed money.

Attacks increase just as loan instalments are released. Cybercriminals have also been known to target the parents and partners of students to get access to this data.

What can you do to protect yourself from student loan scams?

Here are some quick tips to keep you safe from this type of scam:

  • Never disclose security details such as passwords
  • Don’t assume an email, text or phone call is authentic. Just because someone knows some personal information about you (e.g. your mother’s maiden name), that doesn’t mean they are genuine
  • Know that legitimate financial organisations would never contact you and ask you to confirm your login information
  • Emails that start ‘Dear Student’ are unlikely to be genuine. But, even if your personal details are included, this doesn’t mean that the communication is real
  • Any warnings such as ‘failure to respond in 24 hours will result in your account being closed’ should start alarm bells ringing
  • Be aware who you’re sharing your personal information with. Only give out details to a service you trust and that you’ve contacted directly or are expecting to be contacted by. Even then, do not hand over sensitive information such as PINs or passwords
  • Don’t be rushed into handing over personal or financial information
  • If something doesn’t feel right, listen to your instincts. Leave the conversation if it makes you at all uncomfortable
  • Always question who you’re talking to. If in any doubt call them back using trusted contact details to check the request is genuine
  • Don’t be afraid to say you’ll get back to someone using the phone number or email address as listed on their website. A legitimate organisation would never try to panic you out of taking security checks
  • Never automatically click on a link in an unexpected email or text
  • Make sure you look at the address bar when logging into a website. If there is a padlock icon your connection is secure. If a site doesn’t have this lock icon, do not share any sensitive information
  • If you’re worried that you may be at risk, report it to the Police or Action Fraud straight away.

Get digitally aware

At Hayes Connor Solicitors, we want to reduce the number of data violations and successful cyber scams taking place across the UK. To do this, we are raising awareness of this issue and educating people to help stop fraudsters in their tracks.

For more advice on how to keep safe, follow us on Twitter and Facebook.

Alternatively, if you have been the victim of an online scam, contact us to find out how we can help you to recover any losses.


Over a year since GDPR, financial organisations still aren’t keeping our data secure

It’s been over a year since GDPR came into effect. But despite this, too many companies still aren’t doing enough to protect our personal and financial information.

In fact, according to RiskIQ, 11.5% of financial services organisations’ public PII-capturing websites with a login page are still capturing this data without adequate security measures.

What is a PII capturing website?

A PII capturing website is one which collects information from its users that can identify them. Examples of PII include names, addresses, dates of birth, email addresses and login credentials.

Is GDPR making an impact?

These findings are very worrying, particularly due to the damage that can be caused if our banking and credit card information falls into the wrong hands. We should be able to have confidence in all organisations that look after our sensitive data, but especially the financial sector.

But the good news is that there are signs that organisations are starting to take their data protection obligations more seriously. And so they should as they risk huge fines and compensation claims should a data breach happen.

It’s just that, so far, most of the data breaches investigated by the Information Commissioner’s Office (ICO) happened before GDPR came into force. And, under the old law the maximum fine for a data protection failure was just £500,000 (and even that wasn’t handed out often).

However, the tide is turning. The ICO has recently announced that it plans to fine the Marriott hotel nearly £100m. And British Airways is being fined £183 million for its high-profile data breach.

At Hayes Connor Solicitors we are paying close attention to how the ICO is responding to new data breaches and are monitoring the impact of the GDPR now it is starting to make a difference.

What should organisations do now?

With most organisations continuing to expand their web presence, it’s essential that more is done. This includes taking steps such as:

  • Maintaining a complete inventory of all PII capturing websites and making improvements to these to make sure they are secure
  • Ensuring that any new sites are built with robust security measures
  • Making sure that companies aren’t collecting personal data they don’t need via their websites.

Making a data breach compensation claim can help

In our experience, the response of organisations following data breaches has been woefully lacking. Too many big companies seem to think they can get away with just saying sorry.

However, such an absence of care over the very real impact of a data breach should not be tolerated or accepted. And, one way that organisations can be forced to put adequate security measures in place is by people taking legal action where they have been let down. Or in other words – hitting them where it hurts. Because unless this happens, the security of the individual won’t be made a priority.


Data protection solicitors

At Hayes Connor Solicitors, we are committed to upholding the data protection rights of our clients. For more advice on your rights, and how to keep your data safe, follow us on Twitter and Facebook.

Alternatively, if you have been the victim of a data breach or cyber fraud, contact us to find out how we can help you to recover any losses.


Cybercrime warning to British Gas customers

British Gas is warning customers to look out for scam emails. The cybercrime warning relates to fake emails promising hundreds of pounds in refunds.

A link in the emails takes you to a website that looks exactly like the British Gas site. The site asks people to input their details to have their money “refunded”. However, the website is a clone and any customer who enters their details is giving scammers access to their account. British Gas has warned its customers that falling for the scam could leave them hundreds of pounds out of pocket.

A British Gas spokesperson has said that anyone concerned about a suspicious email can forward it to phishing@centrica.com so that the company can look into it further.

What can you do to protect yourself from cybercrime and scams?

Here are some quick tips to keep you safe from this type of scam:

  • Don’t assume an email, text or phone call is authentic. Just because someone knows some personal information about you (e.g. your mother’s maiden name), that doesn’t mean they are genuine
  • When responding to emails, never give your login or personal details
  • Know that legitimate organisations would never contact you and ask you to confirm your login information
  • Don’t be rushed into handing over personal or financial information. If something doesn’t feel right, listen to your instincts
  • Always question who you’re talking to. If in any doubt call them back using trusted contact details to check the request is genuine
  • If you detect a phishing email, mark the message as spam and delete it. This ensures that the message cannot reach your inbox in future
  • Emails that start ‘Dear Customer’ are unlikely to be genuine. But, even if your personal details are included, this doesn’t mean that the communication is real
  • Never automatically click on a link in an unexpected email or text. Even unsubscribe links can be malicious
  • Know that even if an email address appears genuine, this is not a guarantee that it came from the person or organisation that it claims to
  • Any warnings such as ‘failure to respond in 24 hours will result in your account being closed’ should start alarm bells ringing
  • Be aware who you’re sharing your personal information with. Only give out details to a service you trust and that you’ve contacted directly or are expecting to be contacted by. Even then, do not hand over sensitive information such as PINs or passwords
  • Make sure you look at the address bar when logging into a website. If there is a padlock icon your connection is secure. Where a site doesn’t have this lock icon, do not share any sensitive information
  • If you’re worried that you may be at risk, report it to the Police or Action Fraud straight away.

Get digitally aware

At Hayes Connor Solicitors, we want to reduce the number of data violations and successful cyber scams taking place across the UK. To do this, we are raising awareness of this issue and educating people to help stop fraudsters in their tracks.

For more advice on how to keep safe, follow us on Twitter and Facebook.

Alternatively, if you have been the victim of an online scam, contact us to find out how we can help you to recover any losses.

 


Data breach leads to neighbour harassment

The headlines lead us to believe that data breaches occur as a result of cyber-attacks. The reality is that the vast majority of cases take place as a result of human error. In these instances, the breach itself can lead to a damaging chain of events which could have been prevented.

Our solicitors see every day how clients are affected. Financial loss may not be a factor in all cases, but the damage and suffering following a breach can quickly escalate.

What happened in this case?

Our client lives in a privately managed block of flats and she made a complaint about another leaseholder to the management company.

The management company proceeded to forward her detailed email to all residents in the block, including the leaseholder being complained about.

This data breach, which appeared to have taken place due to an error of judgement rather than by mistake, started a frightening chain of events exposing our client to serious harassment and compromised the safety of her family.

Following the breach, our client, who has two young children, was subjected to having the gas pipe to her property deliberately cut with access to the mains deliberately obstructed.

She suspected that the volatile neighbour she had complained about was behind the vandalism, but he denied any wrongdoing.

Having lived at the property for some years, with generally good relations with the other neighbours, the data breach also led to these relationships becoming strained.

Alongside taking legal action against the management company, our client also reported the data breach to the ICO resulting in the business now being monitored to prevent further incidents.

We secured £3,000 compensation from the management company responsible for breaking data protection laws, not least due to the psychological suffering endured by our client and her young children.

The situation has become so intolerable that our client plans to sell her property and move her family in the near future.

Have you been in a similar situation? Contact us today.

Lessons learned

If you are an employee handling a customer complaint of any kind, consider how the complaint should be handled before sharing any information.

Consideration should be given to a possible solution to the complaint and thought put into the appropriate sharing of the complaint with individuals who may be part of the solution.

For more advice on how to keep your data safe, follow Hayes Connor on Twitter or give us a like on Facebook.

Alternatively, if you have been the victim of a data breach or cyber fraud, find out how we can help you to recover any losses or give us a call on 0151 363 5895 to discuss your case in more depth.

 


Don’t fall for this Thomas Cook scam!

Cybercriminals are getting increasingly clever. And, at Hayes Connor, we regularly hear about the latest dangerous scams. Today we have been alerted to a new scam. One that is targeting people already in distress. So what do you need to know about the Thomas Cook scam?

Thomas Cook refund scam

We found out about this scam when one of our team saw the following post on Facebook:

“Just had a phone call from ‘Thomas Cook refund agent’ going to give me a refund on the holiday I have purchased (no I haven’t) just need my card details and 3-digit number on back to refund me …… this is disgusting…people have lost their jobs and livelihoods and people are already scamming.”

We couldn’t agree more. This is disgusting. But unfortunately, cybercriminals have no such scruples. In fact, taking advantage of people who are already worried about losing money is a standard trick. That’s because, in a panic to make sure they don’t become a victim, people often give criminals access to the very data they need.

Luckily this person spotted the crime. But not everyone is so aware.

What can you do to protect yourself from online scams?

  • Never disclose security details such as your PIN or passwords to anyone (including your bank)
  • Don’t assume an email, text or phone call is authentic. Just because someone knows some personal information about you (e.g. your address, mother’s maiden name etc.), that doesn’t mean they are genuine. Also, criminals can spoof numbers so that calls and messages look like they are from someone you trust
  • Know that banks or other trusted organisations will never contact you and ask you for your PIN, password or security code. They also won’t ask you to transfer money to a secure account
  • Be aware who you’re sharing your personal information with. Only give out details to a service you trust and that you’ve contacted directly or are expecting to be contacted by. Even then, do not hand over sensitive information
  • Always call an organisation back using trusted contact details to check everything is genuine
  • Don’t be rushed into handing over personal or financial information
  • If something doesn’t feel right, listen to your instincts. Leave the conversation if it makes you at all uncomfortable. A legitimate organisation would never try to panic you out of taking security checks
  • Never automatically click on a link in an unexpected email or text
  • If you’re worried that you may be at risk, report it to your bank, the Police or Action Fraud straight away.

What is the official advice?

When it comes to the Thomas Cook collapse, passengers with ATOL protection who are yet to travel are entitled to a full refund on any future bookings. Customers without ATOL protection should speak to their credit card provider or the company they booked their holiday with. They can also speak to their travel insurance provider to see if they are able to claim back any of their costs.

The government warns that people should be “vigilant and on the lookout for scams, particularly if you receive unsolicited contact from companies suggesting you rebook a Thomas Cook holiday through them.”

According to Gov.UK, it might be a scam if:

  • It seems too good to be true – for example, a holiday that’s significantly cheaper than you’d expect it to be
  • Someone you don’t know contacts you unexpectedly
  • You suspect you’re not dealing with a real company – for example if there’s no postal address
  • You’ve been asked to transfer money quickly
  • You’ve been directed away from trusted sites for payment
  • You’ve been asked to pay in an unusual way – for example, by iTunes vouchers or through a transfer service like MoneyGram or Western Union
  • You’ve been asked to give away personal information like passwords or PINs
  • You haven’t had written confirmation of what’s been agreed.

Get digitally aware

At Hayes Connor Solicitors, we want to reduce the number of data violations and successful cyber scams taking place across the UK. To do this, we are raising awareness of this issue and educating people to help stop fraudsters in their tracks.

For more advice on how to keep safe, follow us on Twitter and Facebook.

Alternatively, if you have been the victim of an online scam, contact us to find out how we can help you to recover any losses.


Making a Yahoo data breach claim in the UK

Yahoo suffered a series of hacks by organised crime groups between 2012 and 2016. These attacks were possible due to systemic failures in its cybersecurity systems. One of the worst Yahoo data breaches happened in 2014. In this hack, a Russian state-sponsored cyber-attack saw personal data stolen from over 500 million customers worldwide.

Cybercriminals got access to Yahoo users’:

  • Names
  • Email addresses
  • Telephone numbers
  • Passwords
  • Encrypted security questions and answers.

This information has the potential to cause serious damage to victims of the breach. This includes financial fraud, identity theft and emotional distress.

Has Yahoo paid compensation for these data breaches?

Since 2016, Yahoo has been under intense scrutiny and pressure to do things better.

In June 2018, the UK’s Information Commissioner’s Office (ICO) fined Yahoo £250,000 after investigating failures at the company. This investigation found that Yahoo had not taken appropriate measures to protect customer data. The ICO also discovered that these inadequacies in data security had been in place for a long time.

What’s more, in September 2019, Yahoo confirmed that it was nearing a $117.5 million settlement. This payout is designed to end a massive class-action lawsuit for the series of data breaches. However, the money will only be given to people who live in the US and Israel.

In the UK, the ICO has fined Yahoo for its data privacy failings. But none of that money will go to victims of the Yahoo data breaches. So, if you are a UK customer of Yahoo, what can you do?

Join our Yahoo data breach group action

Hayes Connor Solicitors is launching a group action to help UK victims of the Yahoo data breach to claim the compensation they deserve.

Find out more about group actions.

If you are concerned that your data was treated negligently by Yahoo, contact Hayes Connor Solicitors immediately. Because of the settlement reached in the US, and the result of the ICO’s investigation in the UK, you could have a very strong case.

What do you need to know about joining our Yahoo data breach group action?

  • If you had a Yahoo account between January 1, 2012 and December 31, 2016, you could be entitled to data breach compensation
  • You do not need to have suffered any financial loss to claim. If you have experienced damage or emotional upset caused by Yahoo’s breach of the Data Protection Act, you have a right to claim compensation
  • Our Yahoo data breach group action is no win, no fee
  • There are no costs to join our group action and there is no obligation to proceed.

The data breaches at Yahoo happened because of a failure to implement reasonable and robust processes. Yahoo has failed to uphold your privacy rights. Furthermore, claiming compensation isn’t just in your best interests. It is often the only way organisations are persuaded to take their responsibilities seriously and make the necessary improvements.

To find out more about joining our group action, and for more information about this case, fill in our quick form. Once done, we will contact you to talk you through the next steps.


 


How Hayes Connor helps our clients after a solicitor data breach

At Hayes Connor Solicitors, we help our clients get the compensation they deserve. We do this following data protection breaches, cybercrime, and other online offences. We are also committed to upholding the standards of our industry. That’s why it’s particularly upsetting when we are contacted by someone who has been let down by their solicitor.

Here is just one example of a solicitor data breach case we helped a client with recently.

Solicitor lost sensitive information

In this data breach, a former member of the Armed Forces appointed a solicitor to represent her at a Tribunal she was involved in. However, this solicitor lost her sensitive information, including her medical and service records, on a train.

Following this shocking data breach, the woman suffered severe psychological effects including stress, anxiety and trauma. As a result, she has been prescribed medication. And her ongoing conditions have been exacerbated.

Turning to Hayes Connor for help, she revealed that her mental health had deteriorated to such an extent that it affected her ability to leave the house. Furthermore, it led to her being demoted at work, resulting in a substantial pay cut.

Help is needed after a solicitor data breach

Solicitors must understand the importance of data protection. And make sure that strict policies and procedures are in place to ensure the safe processing of information. Both in and out of the office. However, all too often this isn’t happening. And, as you can see, the result of not looking after personal information properly could put people’s mental health, and potentially even their lives at risk.

At Hayes Connor Solicitors, we are 100% committed to seeking the compensation necessary to help people get their lives back on track following a data breach. But we don’t believe that our obligation to our clients stops there. We also provide a wide range of information to help our clients protect themselves once a breach has occurred.

Making a solicitor data breach claim

Our professional, friendly team will advise you on whether you have a valid claim against a solicitor. If we believe you have a substantial, complex case, we may be able to act for you on a NO WIN, NO FEE basis.

Our process is fully compliant with ICO guidance, and we never put your details at risk. We will NEVER pass your details onto anyone without your permission.

Contact us today for a free initial assessment.


Data protection solicitors

At Hayes Connor Solicitors, we are committed to upholding the data protection rights of our clients. For more advice on your rights, and how to keep your data safe, follow us on Twitter and Facebook.


Gender identity clinic investigating data security incident after patient email leak

The Charing Cross Gender Identity Clinic in London is investigating a ‘data security incident’. The clinic supports adults with issues related to gender. It has patients who are transitioning or considering doing so from across the UK.

Tavistock and Portman NHS Foundation Trust runs the clinic. According to a statement on its website, the breach exposed the email addresses of many of its patients.

The statement reads:

“We are currently investigating a data security incident.

“This incident involved an email from our Patient and Public Involvement team regarding an art project that we are looking forward to launching. Unfortunately, due to an error, the email addresses of some of those we are inviting to participate were not hidden and therefore visible to all.

“We are hugely apologetic and understand that this is a serious data breach.”

Approximately 2,000 people are exposed

Two separate emails were sent to Charing Cross Gender Identity Clinic patients. In total, the personal details of almost 2,000 trans patients are reported to be exposed.

This is a massive breach of patient confidentiality and people are understandably upset. Speaking to the media, one patient said: “It could out someone, especially as this place treats people who are transgender”.

There are also concerns that, in being outed as trans, “that could be hugely dangerous to their wellbeing and safety.”

The breach was caused by human error

Most security breaches happen because of distractions or mistakes. And that certainly seems to be the case here. In fact, not using the blind carbon copy (bcc) functionality when sending to multiple recipients is a common cause of data breaches.

Often this happens because strict policies and procedures are not in place to ensure the safe processing of information. Or, staff have not received regular data protection training to make sure they understand the potential consequences of breaching data protection laws. In this case, the clinic also appears to be financially stretched and under-resourced.

However, the bottom line is that the Trust should have ensured better compliance to protect potentially vulnerable patients and maintain their privacy.

What happens now?

The Charing Cross Gender Identity Clinic data breach has been reported to the Information Commissioner’s Office (ICO) and is now being investigated. The Trust is also treating the privacy violation as a serious incident.

Anyone distressed by the breach of trust can make a complaint here. We would also urge victims to contact the ICO and let it know about their concerns.

The ICO could fine the Charing Cross Gender Identity Clinic

Where adequate processes and protections are not in place, the ICO does have the power to issue fines.

For example, an independent inquiry into child sexual abuse was fined £200,000 by the ICO after sending a bulk email that identified possible abuse victims. In this case, an officer sent an email to 90 people involved in a review without using bcc. This allowed the recipients to see each other’s email addresses and identified them as possible victims of child sexual abuse. In 2016, the ICO also fined another London clinic £180,000 after it leaked the email details of almost 800 patients diagnosed as HIV positive.

These fines were issued before the introduction of the GDPR in 2018, so a penalty for Tavistock and Portman could be much higher. However, it’s important to note that, while the ICO does hand out fines, it does not award compensation to victims of data breaches.

Make a claim against the Charing Cross Gender Identity Clinic

Data breaches are not just caused by cybercriminals. Every day we hear how simple human errors are causing misery and upset to people across the UK. And, given the nature of this data breach, the emotional distress to patients should not be underestimated. Furthermore, this breach could potentially put people in serious danger.

Of course, there are concerns that claiming compensation could take money from an already underfunded clinic. However, in 2019, all organisations should have insurance in place to protect against such threats.

What’s more, while you might support the clinic, it must meet its legal obligations when it comes to protecting sensitive data. Where an organisation fails to do this, holding it to account is often the only way to ensure standards are improved.

If you have been the victim of the Charing Cross Gender Identity Clinic data breach, find out how we can help. Complete our online form. Or give us a call to discuss your case in more depth.

For more advice on how to keep your data safe, follow us on Twitter and Facebook.


Metropolitan Police failing to respond to subject access requests

You have the right to find out if an organisation is using or storing your personal data. To exercise this right, all you have to do is ask for a copy of this data. This is called making a subject access request (SAR). The ICO (the UK’s data protection regulator) has been working with the Metropolitan Police Service (MPS) to address its large SARs backlog. However, the MPS has more than 1,100 open requests, with nearly 680 over three months old. The ICO believes that this is a cause for concern.

What has happened in this case?

The ICO has issued two enforcement notices ordering the Metropolitan Police Service to respond to all SARs by September 2019. The regulator has also asked the MPS to “make changes to its internal systems, procedures or policies, so that people are kept up to date on any delays that may affect their data protection rights and how the situation is being addressed.”

The ICO added, “Ultimately, the public must be able to trust that police forces are upholding their information rights, and this case is a reminder to other police forces that we will take action against those organisations that do not comply with their SAR obligations”.

What do you need to know about making a subject access request?

Find out how to make a Subject Access Request on the ICO website.

Crucially, when it comes to making a subject access request, the ICO has stated that there is “no requirement for a request to be in writing”.

What can you use a SAR for?

You can use a SAR to find out:

  • What personal data an organisation holds about you
  • Whether an organisation is processing your personal data
  • How the organisation got hold of your data
  • The types of personal data being processed
  • Why your data is being processed
  • Any third parties that your data is being shared with
  • How long your data will be kept for
  • How you can have your data amended or deleted
  • Whether they use any automated decision-making processes
  • Any other supplementary information.

Of course, it could take longer for an organisation to supply everything they have about you. So, if you only need certain data and you want to speed things up, it makes sense to be specific.

The ICO has provided a handy template to help you to do this.

What else do you need to know about making a subject access request?

  • Organisations should provide contact information for making a SAR. Under the GDPR, this information should be available on an organisation’s website (check the privacy policy usually found in the footer)
  • Requests can be responded to electronically (as long as it is secure)
  • You can ask for a paper copy of the data held about you, but a company only has to provide this if it is reasonable to do so
  • SARs need to be replied to within one calendar month. However, organisations might need extra time to consider your request and, if so, can take an additional two months to do this
  • Organisations must make you aware of any delays which may affect your request. They should also explain how the situation is being addressed
  • Organisations can ask for further information to establish your identity, particularly where sensitive data is involved. However, such requests must be “reasonable and proportionate”
  • A copy of your personal data should be provided at no cost to you. Although “reasonable” fees can be charged for manifestly unfounded or excessive requests
  • An organisation can refuse a SAR if they believe it to be ‘manifestly unfounded or excessive’. They may also deny a SAR if your data includes information about another individual. However, they can’t just ignore you. They must still write to you and explain why your SAR is being refused
  • You have a legal right to ‘rectification’ of your records. So, if something in your data is wrong, you can ask to have it corrected. Organisations have one month to respond to your request
  • If you are worried about the way an organisation is handling your information, the ICO has provided a handy letter template to help you to raise your concerns.

What can you do if you don’t believe your SAR has been taken seriously?

If you believe any fees to be unfair, you can complain to the organisation in question. However, if the matter is not resolved, you should report your concerns to the ICO.

If more than a month has passed since you made your SAR, and you have not heard anything back, you should write to the organisation reminding them of your request and their obligations under the GDPR. And, if you still don’t hear back, you should complain to them using their complaints process. And, if you are not happy with their response, you can complain to the ICO.

If you think your request has been rejected unjustly, you can raise a complaint with the organisation in question. And if you remain dissatisfied, you can complain to the ICO.

If the organisation refuses to change their records, you can complain to the ICO. However, there’s a difference between information that is incorrect and information that you disagree with. For example, if you have a dispute with your doctor over a diagnosis, you can’t change your health records. However, you might be able to add a note to this record stating that you disagree with the medical opinion.

If you believe that an organisation is not handling your data properly, you can also complain to the ICO.

Find out more about Subject Access Requests.

Data protection solicitors

At Hayes Connor Solicitors, we are committed to upholding the data protection rights of our clients. For more advice on your rights, and how to keep your data safe, follow us on Twitter and Facebook.

Alternatively, if you have been the victim of a data breach or cyber fraud, contact us to find out how we can help you to recover any losses.