cancel
Showing results for 
Search instead for 
Did you mean: 

DSAR Complaint - ICO Notified

Jobbieteeth
Hooked
Posts: 6
Thanks: 9
Registered: Thursday

DSAR Complaint - ICO Notified

I’ve been having huge issues with Plusnet since I joined in October. The issues aren’t relevant to this post, however upon communicating with them today (with an agent called Yasseen) on online chat I requested to raise a DSAR (Data Subject Access Request). These types of requests have been around for a long time, basically allowing an individual the right to access all of the personal data (including call recordings) that a company holds. This data is then pulled from a companies records and provided to the customer. 

 

Historically, these type of requests were sometimes chargeable and companies could dictate to their customers how the request should be made (by letter, by email etc). Recently (25th May 2018 ) The GDPR was introduced, vastly changing data laws to enable individuals enhanced rights concerning their personal data.

Ive attached to this post some quick screen grabs of ICO rules related to DSARs and how they can be requested.

The issue being, Plusnet, today, advised me that a  an online form MUST be completed to allow a DSAR to be logged and actioned. This is a clear breach of ICO rules (as seen in the screen grabs). 

 

The ICO advise that companies can ustilise a standardised form as a way of better enabling recognition of a DSAR request, however a customer can notify a company in whichever way they see fit that they would like access to their personal data. This then must be provided within 30 calander days by the company in question and must be free of charge.

 

I have now raised a complaint to the ICO again Plusnet to state that Plusnet are in breach of The GDPR due to the misadvice provided to me today that my DSAR request is invalid if I do not fill in a form. 

I work in customer service contact centre management and to be blatantly rejected the opportunity to raise a DSAR due to misadvice is appalling. I have agreed to these types of requests within my line of work and train out how to recognise DSAR requests as part of my profession. 

It is regrettable that Plusnet have misadvised me as I have not only ensured that this breach is reported to the ICO but that this matter is well publicised to customers and potential customers alike.

 

I urge everyone who may be having issues with Plusnet to attempt to raise a DSAR if they feel it is necessary. If Plusnet  reject your request in favour of filling in a form you have the right to complain to the ICO. You may want to excersize that right. 

 

Many thanks. 

Moderator's note by Dick (Strat): Post released from Spam Filter.

13 REPLIES
Moderator
Moderator
Posts: 19,247
Thanks: 2,151
Fixes: 343
Registered: ‎11-01-2008

Re: DSAR Complaint - ICO Notified


Moderators Note


This topic has been moved from Chat  to Plusnet Feedback

 


 

Customer / Moderator / If it helped click the thumb / If it fixed it click 'This fixed my problem'

Plusnet Help Team
Plusnet Help Team
Posts: 561
Thanks: 115
Fixes: 19
Registered: ‎22-01-2018

Re: DSAR Complaint - ICO Notified

Hello @Jobbieteeth,

 

Thanks for getting in touch and I am sincerely sorry for the experience you have had with us.

I will ensure feedback is passed to the right team in regards to the advisor and the information provided.

 

I really would like to take ownership of this for you and look into this in more detail  and come back to you tomorrow.

 

 

Please accept my apologies.

If this post resolved your issue please click the 'This fixed my problem' button
 SammyM
 Plusnet Help Team
Highlighted
Gel
Seasoned Pro
Posts: 1,663
Thanks: 168
Fixes: 14
Registered: ‎02-08-2007

Re: DSAR Complaint - ICO Notified

Jobbieteeth
Hooked
Posts: 6
Thanks: 9
Registered: Thursday

Re: DSAR Complaint - ICO Notified

Thanks for this, Gel. 

Glad to have had such an insightful comment from an individual who is qualified to speak on behalf of the majority of individuals who use Plusnet forums. 

 

What should be of interest - I’m not stating that it is of interest but what should be of interest- is that Plusnet have failed to regonise and act upon a regulatory request therefore potentially breaching the Data Rights of an individual customer. 

This may not be of interest to many, however an individuals rights and entitlements should be of primary interest to all. 

 

 

I understand you are authorised to speak on behalf of the majority. I mean why would you post a comment like this if you weren’t. 

So who am I to address you? 

Sorry. 

Jobbieteeth
Hooked
Posts: 6
Thanks: 9
Registered: Thursday

Re: DSAR Complaint - ICO Notified

Sammy, Thanks for your response. 

I would appreciate if you could feedback the points I have raised directly with the team involved. It’s a huge risk to Plusnet’s reputation if advisors are delivering responses to clients which breach GDPR regulations. Whether they are doing this deliberately or not. 

I would also appreciate if you can confirm that my DSAR will be actioned, as requested to Yasseem earlier today via online chat? 

 

Many thanks for coming back to me.

 

Kind Regards,

Jobbieteeth 

Community Veteran
Posts: 14,439
Thanks: 728
Fixes: 12
Registered: ‎01-08-2007

Re: DSAR Complaint - ICO Notified


@Jobbieteeth wrote:

Thanks for this, Gel. 

Glad to have had such an insightful comment from an individual who is qualified to speak on behalf of the majority of individuals who use Plusnet forums. 

 

What should be of interest - I’m not stating that it is of interest but what should be of interest- is that Plusnet have failed to regonise and act upon a regulatory request therefore potentially breaching the Data Rights of an individual customer. 

This may not be of interest to many, however an individuals rights and entitlements should be of primary interest to all. 

 

 

I understand you are authorised to speak on behalf of the majority. I mean why would you post a comment like this if you weren’t. 

So who am I to address you? 

Sorry. 


Moan, moan, moan...

So from your opening post you're upset because you didn't get your way exactly as you wanted it and now you're going to be difficult, stamp your feet and all because you're a manager in another call centre yourself.

 

You have issues.

I need a new signature... i'm bored of the old one!
Jobbieteeth
Hooked
Posts: 6
Thanks: 9
Registered: Thursday

Re: DSAR Complaint - ICO Notified

No not at all. It’s not about getting my way.
Plusnet are are not permitted to dictate to people how they request a DSAR.
No company can dictate this it is in breach of current data protection laws.

It’s not ‘my way’, mate. It’s THE way. What if someone doesn’t have access to the internet? Then Plusnet are refusing them the right to access their personal data information? It’s wrong. And I’ll make sure they change tact on this.

Come back in 2/3 months time and see if they are making people fill out a form as the sole way of requesting a DSAR.
I suspect they won’t be.
Community Veteran
Posts: 2,544
Thanks: 312
Fixes: 3
Registered: ‎04-08-2009

Re: DSAR Complaint - ICO Notified

Isn't it strange how some people don't understand that Companies are obliged to follow regulations to the letter, but instead put it down to some form of personal failing. No names, no packdrill! Cheesy

Baldrick1
Aspiring Hero
Posts: 2,001
Thanks: 848
Fixes: 67
Registered: ‎30-06-2016

Re: DSAR Complaint - ICO Notified

It seems to me that the OP is either so fed up with Plusnet that they will make as much mischief as they can over any issue or is on a mission to swamp the ICO with trivial complaints. 

I'm impressed that the Agent knew of GDPR and was able to advise at least one way to make a request for the required data. Surely a reasonable person would have pointed out that the advice had errors in the detail and given Plusnet the opportunity to retrain Agents rather than immediately bleating to the ICO?

Jobbieteeth
Hooked
Posts: 6
Thanks: 9
Registered: Thursday

Re: DSAR Complaint - ICO Notified

Baldrick1 - you are quite right.

 

The ICO cam back to me to advise that I should give PlusNet the opportunity to rectify their mistake.

 

A complaint was logged today and I have been promised a response by 22nd December.

However if this issue is not resolved by PlusNet, I doubt the ICO would view the matter as trivial as a major communications provider would be in breach of GDPR.

 

Pretty striking headline, I'd say.

Plusnet Help Team
Plusnet Help Team
Posts: 561
Thanks: 115
Fixes: 19
Registered: ‎22-01-2018

Re: DSAR Complaint - ICO Notified

Hello @Jobbieteeth,

 

 

I really can not apologise enough, as we do have a clear process on how DSAR request are to be handled, and if a customer prefers we raise it for them then we can do this for that customer.

 

I am sorry this hasn't been the case for you and I will make sure this is addressed. I have responded via your account here with more detail.

 

 

 

If this post resolved your issue please click the 'This fixed my problem' button
 SammyM
 Plusnet Help Team
Superuser
Superuser
Posts: 13,039
Thanks: 4,332
Fixes: 26
Registered: ‎22-08-2007

Re: DSAR Complaint - ICO Notified

I suggest that the usual very helpful forum members step aside from this case and leave Plusnet to deal with the matter.

 

The GDPR guidance is somewhat grey and not the black and white claims made here; they are not as straight forward as suggested.  Whilst there is indeed a need to "field" a request by any channel, that does not preclude an organisation directing a request to a formal process.  It is most interesting that the ICO referred this matter back to the OP to progress with Plusnet; this is not the usual response where there is indeed an issue to be examined.

 

For information, here is the full guidance for organisations...

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual...

How do we recognise a request?

The GDPR does not specify how to make a valid request. Therefore, an individual can make a subject access request to you verbally or in writing. It can also be made to any part of your organisation (including by social media) and does not have to be to a specific person or contact point.

A request does not have to include the phrase 'subject access request' or Article 15 of the GDPR, as long as it is clear that the individual is asking for their own personal data.

This presents a challenge as any of your employees could receive a valid request. However, you have a legal responsibility to identify that an individual has made a request to you and handle it accordingly. Therefore you may need to consider which of your staff who regularly interact with individuals may need specific training to identify a request.

Additionally, it is good practice to have a policy for recording details of the requests you receive, particularly those made by telephone or in person. You may wish to check with the requester that you have understood their request, as this can help avoid later disputes about how you have interpreted the request. We also recommend that you keep a log of verbal requests.

 

Should we provide a specially designed form for individuals to make a subject access request?

Standard forms can make it easier both for you to recognise a subject access request and for the individual to include all the details you might need to locate the information they want.

Recital 59 of the GDPR recommends that organisations ‘provide means for requests to be made electronically, especially where personal data are processed by electronic means’. You should therefore consider designing a subject access form that individuals can complete and submit to you electronically.

 

Can we charge a fee?

In most cases you cannot charge a fee to comply with a subject access request.

However, as noted above, where the request is manifestly unfounded or excessive you may charge a “reasonable fee” for the administrative costs of complying with the request.

You can also charge a reasonable fee if an individual requests further copies of their data following a request. You must base the fee on the administrative costs of providing further copies.

 

Can we refuse to comply with a request?

You can refuse to comply with a subject access request if it is manifestly unfounded or excessive, taking into account whether the request is repetitive in nature.

If you consider that a request is manifestly unfounded or excessive you can:

  • request a "reasonable fee" to deal with the request; or
  • refuse to deal with the request.

In either case you need to justify your decision.

You should base the reasonable fee on the administrative costs of complying with the request. If you decide to charge a fee you should contact the individual promptly and inform them. You do not need to comply with the request until you have received the fee.

 

There is plenty of justifiable room here for Plusnet to seek to guide users to a standardised form for this process, if for no other reason than assuring that all of the relevant information required is provided in a full, complete and consistent manner so as to ensure that the reason and scope of the request is clearly understood. Such an approach allows the user to express their reasons and expectations without the intermediary of the business' agent interpreting verbal words.  Some users might find such a formal processes challenging, rather than seeing it as helpful ensuring a consistent and proficient approach.

Jobbieteeth
Hooked
Posts: 6
Thanks: 9
Registered: Thursday

Re: DSAR Complaint - ICO Notified

Hi, Townman.

 

If you try to log a complaint on the ICO website it asks you if you have logged a complaint with the company first as part of it's proforma.

If you answer 'no' then you are immediately directed to advice whereby you are recommended to allow the company in question the opportunity to rectify any issues in the first instance.

So it does seem to be a usual response as far as I can gather.

 

I am well aware that companies can better manage DSAR requests by directing customers to a standardised form.

I think this is useful for some people.

What I take issue with, and what I took issue with yesterday was the adamant advice given that I HAD to fill in a form in order to raise a DSAR and that the Advisor would not agree to raising this at all.

 

A customer may choose to utilise the form, however some may not - the form should be the exception, not the rule.

 

Just to update you all - PlusNet have now responded to agree that I was mis-advised regarding the process for raising a DSAR.

PlusNet have agreed that a customer can raise this by any means of communication they see fit.

 

I have requested that the privacy policy is update to make this clear as currently it states:

 

"You can access and update the information we hold about you using our online form. Once we've looked at your request, we'll let you know when you can expect to hear from us."

 

I argue that if the privacy statement was clear as to the ability to raise DSAR requests by any means that advisors would have less scope for shirking their responsibilities when asked to log one.