Hello @Jobbieteeth,

Thanks for getting in touch and I am sincerely sorry for the experience you have had with us.

I will ensure feedback is passed to the right team in regards to the advisor and the information provided.

I really would like to take ownership of this for you and look into this in more detail  and come back to you tomorrow.

Please accept my apologies.

If this post resolved your issue please click the 'This fixed my problem' button

Sammy M - Sheffield Team  Plusnet Help Team

Not an iota of interest to majority here.

Thanks for this, Gel. 

Glad to have had such an insightful comment from an individual who is qualified to speak on behalf of the majority of individuals who use Plusnet forums. 

What should be of interest - I’m not stating that it is of interest but what should be of interest- is that Plusnet have failed to regonise and act upon a regulatory request therefore potentially breaching the Data Rights of an individual customer. 

This may not be of interest to many, however an individuals rights and entitlements should be of primary interest to all. 

I understand you are authorised to speak on behalf of the majority. I mean why would you post a comment like this if you weren’t. 

So who am I to address you? 

Sorry. 

Sammy, Thanks for your response. 

I would appreciate if you could feedback the points I have raised directly with the team involved. It’s a huge risk to Plusnet’s reputation if advisors are delivering responses to clients which breach GDPR regulations. Whether they are doing this deliberately or not. 

I would also appreciate if you can confirm that my DSAR will be actioned, as requested to Yasseem earlier today via online chat? 

Many thanks for coming back to me.

Kind Regards,

Jobbieteeth 

---

@Jobbieteeth wrote:

Thanks for this, Gel. 

Glad to have had such an insightful comment from an individual who is qualified to speak on behalf of the majority of individuals who use Plusnet forums. 

 

What should be of interest - I’m not stating that it is of interest but what should be of interest- is that Plusnet have failed to regonise and act upon a regulatory request therefore potentially breaching the Data Rights of an individual customer. 

This may not be of interest to many, however an individuals rights and entitlements should be of primary interest to all. 

 

 

I understand you are authorised to speak on behalf of the majority. I mean why would you post a comment like this if you weren’t. 

So who am I to address you? 

Sorry. 

---

Moan, moan, moan...

So from your opening post you're upset because you didn't get your way exactly as you wanted it and now you're going to be difficult, stamp your feet and all because you're a manager in another call centre yourself.

You have issues.

Isn't it strange how some people don't understand that Companies are obliged to follow regulations to the letter, but instead put it down to some form of personal failing. No names, no packdrill! 

It seems to me that the OP is either so fed up with Plusnet that they will make as much mischief as they can over any issue or is on a mission to swamp the ICO with trivial complaints. 

I'm impressed that the Agent knew of GDPR and was able to advise at least one way to make a request for the required data. Surely a reasonable person would have pointed out that the advice had errors in the detail and given Plusnet the opportunity to retrain Agents rather than immediately bleating to the ICO?

Baldrick1 - you are quite right.

The ICO cam back to me to advise that I should give PlusNet the opportunity to rectify their mistake.

A complaint was logged today and I have been promised a response by 22nd December.

However if this issue is not resolved by PlusNet, I doubt the ICO would view the matter as trivial as a major communications provider would be in breach of GDPR.

Pretty striking headline, I'd say.

Hello @Jobbieteeth,

I really can not apologise enough, as we do have a clear process on how DSAR request are to be handled, and if a customer prefers we raise it for them then we can do this for that customer.

I am sorry this hasn't been the case for you and I will make sure this is addressed. I have responded via your account here with more detail.

If this post resolved your issue please click the 'This fixed my problem' button

Sammy M - Sheffield Team  Plusnet Help Team

I suggest that the usual very helpful forum members step aside from this case and leave Plusnet to deal with the matter.

The GDPR guidance is somewhat grey and not the black and white claims made here; they are not as straight forward as suggested.  Whilst there is indeed a need to "field" a request by any channel, that does not preclude an organisation directing a request to a formal process.  It is most interesting that the ICO referred this matter back to the OP to progress with Plusnet; this is not the usual response where there is indeed an issue to be examined.

For information, here is the full guidance for organisations...

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual...

How do we recognise a request?

The GDPR does not specify how to make a valid request. Therefore, an individual can make a subject access request to you verbally or in writing. It can also be made to any part of your organisation (including by social media) and does not have to be to a specific person or contact point.

A request does not have to include the phrase 'subject access request' or Article 15 of the GDPR, as long as it is clear that the individual is asking for their own personal data.

This presents a challenge as any of your employees could receive a valid request. However, you have a legal responsibility to identify that an individual has made a request to you and handle it accordingly. Therefore you may need to consider which of your staff who regularly interact with individuals may need specific training to identify a request.

Additionally, it is good practice to have a policy for recording details of the requests you receive, particularly those made by telephone or in person. You may wish to check with the requester that you have understood their request, as this can help avoid later disputes about how you have interpreted the request. We also recommend that you keep a log of verbal requests.

 

Should we provide a specially designed form for individuals to make a subject access request?

Standard forms can make it easier both for you to recognise a subject access request and for the individual to include all the details you might need to locate the information they want.

Recital 59 of the GDPR recommends that organisations ‘provide means for requests to be made electronically, especially where personal data are processed by electronic means’. You should therefore consider designing a subject access form that individuals can complete and submit to you electronically.

 

Can we charge a fee?

In most cases you cannot charge a fee to comply with a subject access request.

However, as noted above, where the request is manifestly unfounded or excessive you may charge a “reasonable fee” for the administrative costs of complying with the request.

You can also charge a reasonable fee if an individual requests further copies of their data following a request. You must base the fee on the administrative costs of providing further copies.

 

Can we refuse to comply with a request?

You can refuse to comply with a subject access request if it is manifestly unfounded or excessive, taking into account whether the request is repetitive in nature.

If you consider that a request is manifestly unfounded or excessive you can:

• request a "reasonable fee" to deal with the request; or
• refuse to deal with the request.

In either case you need to justify your decision.

You should base the reasonable fee on the administrative costs of complying with the request. If you decide to charge a fee you should contact the individual promptly and inform them. You do not need to comply with the request until you have received the fee.

There is plenty of justifiable room here for Plusnet to seek to guide users to a standardised form for this process, if for no other reason than assuring that all of the relevant information required is provided in a full, complete and consistent manner so as to ensure that the reason and scope of the request is clearly understood. Such an approach allows the user to express their reasons and expectations without the intermediary of the business' agent interpreting verbal words.  Some users might find such a formal processes challenging, rather than seeing it as helpful ensuring a consistent and proficient approach.

Hi, Townman.

If you try to log a complaint on the ICO website it asks you if you have logged a complaint with the company first as part of it's proforma.

If you answer 'no' then you are immediately directed to advice whereby you are recommended to allow the company in question the opportunity to rectify any issues in the first instance.

So it does seem to be a usual response as far as I can gather.

I am well aware that companies can better manage DSAR requests by directing customers to a standardised form.

I think this is useful for some people.

What I take issue with, and what I took issue with yesterday was the adamant advice given that I HAD to fill in a form in order to raise a DSAR and that the Advisor would not agree to raising this at all.

A customer may choose to utilise the form, however some may not - the form should be the exception, not the rule.

Just to update you all - PlusNet have now responded to agree that I was mis-advised regarding the process for raising a DSAR.

PlusNet have agreed that a customer can raise this by any means of communication they see fit.

I have requested that the privacy policy is update to make this clear as currently it states:

"You can access and update the information we hold about you using our online form. Once we've looked at your request, we'll let you know when you can expect to hear from us."

I argue that if the privacy statement was clear as to the ability to raise DSAR requests by any means that advisors would have less scope for shirking their responsibilities when asked to log one.