Question to the Department for Digital, Culture, Media & Sport:
To ask the Secretary of State for Digital, Culture, Media and Sport, what further steps he will take to ensure that banks and other financial lenders are meeting their obligations when responding to Subject Access Requests, submitted to them by law firms acting on behalf of clients bringing actions under the Consumer Credit Act 1974.
The Information Commissioner is the UK’s independent regulator of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA). Under the data protection legislation, people have the right to access and receive a copy of their personal data from organisations. This is commonly referred to as a subject access request. Individuals have a right to appoint a third party to act on their behalf, if they wish.
A subject access request must be responded to without undue delay and at the latest within one month of receiving the request. An extension of a further two months can be given if the request is complex, or if the individual has submitted a number of requests, for example, other types of requests relating to individuals’ rights.
The DPA provides a number of exemptions from the requirement to comply with a subject access request. For example, organisations can withhold information if that information could identify someone else, and it would not be reasonable to disclose that information to the individual; or if the information relates to legal proceedings and is subject to legal professional privilege. An organisation can also refuse to comply with a subject access request if the request is ‘manifestly unfounded’ or ‘manifestly excessive’.
People have the right to make a complaint to the Information Commissioner’s Office (ICO) if an organisation fails to comply with a subject access request. The ICO can be contacted by telephone on 0303 123 1113 or through its website: https://ico.org.uk/global/contact-us/. The ICO may take action against the organisation in appropriate cases, for example, by issuing the organisation with a warning, reprimand or enforcement notice. The ICO can issue a civil monetary penalty in the most serious cases.
The ICO exercises its enforcement powers in accordance with its Regulatory Action Policy, which can be found at: https://ico.org.uk/media/1853/data-protection-regulatory-action-policy.pdf. The ICO monitors patterns in complaints, and is not aware of any particular pattern of non-compliance by banks or other financial lenders with regard to subject access requests.
A requester may also apply for a court order in the event of non-compliance with a subject access request, requiring the organisation to comply or to seek compensation. It is a matter for the court to decide, in each particular case, what action to take.