You have the right to get a copy of the information that an organisation holds about you without being charged.
On 25 May 2018, the General Data Protection Regulation (GDPR) came into force and the previous typical £10 charge has ended.
The Information Commissioner’s Office (ICO), which regulates this area, tells organisations that after 25 May they:
must provide a copy of the information free of charge. However, you can charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive.
As a debt adviser, I often see people saying “I am not sure what I will get or how much use it will be, and I don’t want to waste £10.” Being able to check for free will be a big improvement for consumers.
The access will also have to be faster. After GDPR, they have to reply within a month.
How to ask for your data – a Subject Access Request (SAR)
Asking for information a firm holds about you is often described as making a Subject Access Request (SAR) – it’s called that because you are the subject and you are requesting access to your data.
The ICO has a detailed page with a template letter: Find out how to request your personal information.
As the ICO says, it’s worth doing a bit of research to get your letter or email to the right place. Because firms are expecting more data access requests after GDPR, they are currently getting ready for them. Some firms that have never had a data access or privacy page on their websites are getting these set up. And some larger firms may be trying to automate some or all of the process. So do look at the firm’s website to see if they explain how to ask for your data and who to send the request to. If there is a form, it will usually be quicker to use that, rather than write a general letter.
Also if you know what you want, ask for it specifically, rather than be sent a lot of information you don’t need. This may make it quicker to deal with your request.
Some practical examples
Here are some situations in which you may want to use a SAR to access your data – and a couple where you shouldn’t!
Get a list of your loans and other information from a lender
If you want to ask a lender for a refund and you don’t know all the credit details, you may want to ask the lender for these. Sometimes it is simpler to just ask for what you need eg “please tell me the dates of all my loans and how much interest I paid on each” or “please tell me the dates and amounts of credit limit increases”. This can get you the useful information without asking for a SAR which can contain mountains of data.
But sometimes a SAR can also be useful as it may provide you with the information you need to show that the lender ignored what it saw on your credit record for example, or to give you copies of phone recordings showing you were asked leading questions to give the “right” answers about your expenditure.
Check if your name is on a fraud database
If you are being turned down for credit and you don’t know why, you may want to check the National Hunter and Cifas databases to see if any fraud is associated with your name. Both firms have SAR forms you can use to ask for a check and this will now be free. See Is your name on a fraud database? for details.
Ask for your credit report
Experian, Equifax and Call Credit, the three credit reference agencies, will send you a free statutory credit report.
(There are other free ways to check your credit reports. They often include tips about how to improve your credit score, but these are pretty generic: no human actually thinks about your situation and makes a plan for you. There are also “helpful” suggestions about which loans or credit cards you might like to apply for – i.e. advertising.)
See what Facebook knows about you
If you are curious about the data Facebook holds about you there is already a free, online tool for you to request this, and you get the answer back within an hour.
Get health information for an insurer
If you are making an insurance claim, sometimes you need to provide details of your GP’s medical records. GPs used to be able to charge up to £50 – now it’s free.
Get information before a court case
Whether you are suing someone or being sued, it may sometimes be helpful to send a SAR. A couple I have come across recently:
- a motorist who wants to defend a private parking ticket could send the parking company a SAR asking for all the information they hold about the alleged parking infringement.
- a landlord who wants to sue a letting agent for not conducting proper tenancy checks could send a SAR to see what records the letting agent kept.
These are often situations where people may have been reluctant to pay any money for something which may not help their case much, so it’s good the fee is being ended.
DON’T use a SAR instead of responding to court papers
If you have received a Claim Form then you have 14 days to enter a defence – which can be extended by another 14 days if you fill in the ‘acknowledgement of service’ form. You do not have time to send a SAR to find out more information first as you may not get a reply for a month.
It may be good to send a SAR as this may help with your case later, but your top priority has to be responding to the Claim within the time limits – talk to National Debtline to find out your options.
DON’T use a SAR to ask for your CCA agreement
If you want to ask a creditor for a copy of the Consumer Credit Act agreement for your loan, credit card, catalogue or hire purchase agreement, then there is a special procedure to do this. See How and when to ask for your CCA agreement. This involves you paying £1. This is not a SAR.
If you follow the special procedure then the debt collector has to try to obtain a copy of the CCA agreement and if they can’t do this within 12 days, the debt is unenforceable in court until they can do this. If you send a SAR instead, you do not have this protection. NB your request for the CCA agreement should be sent to the current creditor, not the original creditor.
What if you don’t get sent the information you want?
The ICO’s page How to make a complaint explains how to contact the ICO if:
- you do not get a reply in time;
- you think there is additional information you should have been sent; or
- the firm tries to charge you.
JG says
You also need to factor in the impact of the Data Protection Officer which larger companies will almost certainly need to have.
That has to be a named individual who can be contacted by the Information Commissioner and data subjects.
This is critical because what a lot of people forget is that data protection is about the accuracy of the data held about the data subject – quite often people in an IVA are negatively impacted by the poor data quality of IVA companies.
Make a point of knowing who the Data Protection Officer is or challenge companies who choose not to appoint one.
Geep says
Hello I contacted 2 former lenders a few days ago and served them with a notice to desist from processing withdrawing my consent, I had a reply back the same day where they stated that I have no right to request this and they are allowed to continue because of their ‘legitimate interests’. As the data subject (me) have been denied this right that is afforded me by law, what should my next steps be? I’ve already sent them a very strong reply pointing out that the data subject is the only one who has fundamental rights to this information by law and where consent is withdrawn they must stop processing immediately and remove any information they have recorded, reported and stored.
Sara (Debt Camel) says
So these are lenders you have taken a loan from – a few questions:
when was the loan taken out? has it been repaid?
do you care what they do or are you mainly interested in your credit record?
are you still getting marketing communication and it’s that which you want to stop?
Geep says
The one has been paid off and the other was sold on to a DCA at the end of 2014.
The information they have recorded is damaging to me as it is wrong: the second loan was defaulted at month 2 of arrears, marked OK(jul) AA(aug) AA(sept) BB DF DF SF(jan). The default was logged at 2/09/2014 and the account was closed 30/12/2014. The information isn’t right and from what I have been reading they look to have failed guidelines set by ICO.
Sara (Debt Camel) says
OK, a lender has a legal obligation to keep records of loans for at least 6 years.
If the information is incorrect, this is what you need to challenge, not ask them to delete the information. See https://debtcamel.co.uk/debt-default-date/. If you win an affordability complaint, the negative information will all be deleted.
Jane says
Hi, I have a debt with Barclaycard which defaulted September 2014 and has been sold to Robinson Way. In December 2017 I made a CCA request using the correct format letter, giving the 12 day deadline and enclosing the required £1 fee. They didn’t reply until April 2018 and when they did their letter said
“We have enclosed the following documents: Short form cancellation, Historic terms and conditions and Varied terms and conditions”
They also say “I enclose a reconstituted copy of your credit agreement”
It is headed up “credit agreement” but then the first sentence is “these are the terms and conditions of an agreement” and it looks like a rehashed photocopy. Also nowhere on this document is there a space where a signature on behalf of Barclaycard could appear nor is there any mention or show of my own signature including an electronic X for a signature.
First and foremost these documents were not provided within the 12 day required deadline – it took 4 months!! Am I correct in thinking that because it took them this long to produce any documents at all that this debt is now unenforceable?
Secondly are the documents they sent even valid?
I would really appreciate your thoughts on this please.
Sara (Debt Camel) says
“Am I correct in thinking that because it took them this long to produce any documents at all that this debt is now unenforceable?” No – they couldn’t enforce the debt until they produced the documents. Now they have, they can.
“Secondly are the documents they sent even valid?” you need someone to look at them. One option is to post them up on the Legal Beagles forum here https://legalbeagles.info/forums/.
Jane says
So even though they produced the document way beyond the 12 day requirement period the debt is enforceable? I thought the rule was they had to provide these documents within 12 days.
Thank you for the link to legal beagles. I’ll post the documents there.
Many thanks.
Jane says
Can someone explain the point of the 12 day time limit when requesting a CCA?
Thank you
Sara (Debt Camel) says
If the creditor (or the debt collector if the debt has been sold, as they are now the creditor for the debt) doesn’t send you a copy of the CCA within 12 working days, they can’t take further action against you to enforce the agreement, eg go to court for a CCJ, until they do so. See the link in the article above for more details.
In practice a debt collector will frequently take more than 12 days so you can’t assume they won’t be able to obtain the CCA agreement if the 12 day time has passed.
ASM says
Under GDPR is there a time when you can request IVA companies to remove data?
My husband completed and received a completion certificate for an IVA 11 years ago (2006) and is now being hassled by Clear Debt and their nominated PPI claims company (Interestingly not his IVA company at the time but his IVA supervisor is now employed by them)
Sara (Debt Camel) says
In this situation I would expect the firm to be able to argue they had a legitimate business interest in retaining the data.
ASM says
Thank you for the reply Sara I had read that article.
I suppose my question was not just PPI specific but also in general. Really how long can an IVA company claim to have a legitimate business interest in keeping personal information after completion?
I understand there is a legal requirement to hold for 10 years but I also do remember reading that 10 years was also the maximum period for financial information.
JG says
The IP needs to establish what gave them the authority under the Insolvency Act to do this and that then supports the legitimate interest argument.
Data protection legislation is there to ensure that appropriate safeguards are in place once an organisation decides why it believes it can do something and that is nearly always based on other legislation.
Denise Curran says
Hi my husband and I had a business loan with RBS when the recession hit in 2008 and my husband also took ill and needed a kidney transplant the business went under and RBS asked us to roll over all the business debts to a secured loan which we had taken out with them to buy 2 properties. We are trying to sell the properties to pay off the loan as it is a very high interest rate. We have mentioned we would like a DSAR but they told us we can’t have one as we are a couple and it’s in both of our names. Is this correct? Surely it’s all the same information?
Any information much appreciated thanks.
Sara (Debt Camel) says
That is an extremely bizarre response from RBS. The ICO says:
“An organisation may refuse your subject access request if your data includes information about another individual, except where:
the other individual has agreed to the disclosure”
I suggest you reply to RBS quoting this and say that you both want this information. Make sure you both send them secure messages or emails to confirm this.
If RBS don’t change their mind and send you the information, I suggest you talk to the ICO on 0303 123 1113 and explain what RBS are saying.
I would be interested to know what happens!
Jackie says
Years ago my debt was assigned to a debt collection agency by A bank – the debt collectors then became the legal owner of the debt – this was 2011 and I thought they (A bank) closed the account. Unhappy new year when I applied to A bank for a credit limit increase they declined – so I put in a subject access request.
They have sent me information as far back as when Dinosaurs ruled and I had a postcode in Pangaea, past the date they were no longer the legal owners of the debt running right up to today … oh forgot to mention that the debt assignment letter seemed to be omitted from the subject access information they sent me – good job I kept a copy!
Where do I stand in terms of Data Protection – how long do A bank need to keep my data on file – post assignment of the debt can they use it to make future lending decisions? My credit files are clear; they sent me to ask the various CRAs, who referred me back to A bank – who referred me back to the CRAs. Tired and dizzy, just some advice would be appreciated in terms of how A bank stores, shares, keeps and uses historic information.
Thanks
Sara (Debt Camel) says
“how long do A bank need to keep my data on file” they can keep the information on file for as long as they need it for legitimate business purposes. The fact they are no longer the legal owner of the debt isn’t relevant. Some examples – there can be many more: You could say make a complaint about the way bank A handled something and they would need to be able to look at what happened to say. The debt purchaser could ask them for more details about the debt such as a copy of the consumer credit act agreement for the debt. Bank A may also need it for tax reasons.
“post assignment of the debt can they use it to make future lending decisions” definitely! You should avoid applying for credit to banks where you have had problems in the past.
Hugh says
Hello,
I am making a complaint to HSBC about irresponsible lending, to assist my case I’ve made a Subject Access Request about information they used in their decision to approve my loans. They have refused this request saying they aren’t obliged to send this information, as it’s commercially sensitive. Furthermore, they said that they aren’t able to share information they received from 3rd party credit reference agencies, as this isn’t their data to share. Are they within their rights to do this? I was under the impression as it’s information HSBC hold about me, I am entitled to request this?
Thanks a lot for your time.
Sara (Debt Camel) says
I don’t think they are right. Reply to HSBC that they are the data controller for this information and you are entitled to a copy. Point out that you are not a customer of the credit reference agency and the CRA can only supply you with the report it sends to consumers on their current credit report. This may not be the same as the information HSBC received from the CRA and the CRA doesn’t keep a copy of what it supplies to lenders so you cannot get the information from them.
Joanne says
Hello,
I have spent 7 years paying £40 month to a debt collection agency and they refuse to email me a statement of what is still owed on the debt. I’m certain the £3k debt has been paid but I can’t get a statement. I stopped my direct debit payment telling Wescot that until I have a statement I won’t be paying any more. They replied with ‘we want your home address and then we’ll send the info on.’ I haven’t had a fixed address for years due to personal reasons and so I don’t want to give them a friend’s address – for obvious reasons.
Where do I stand and what can I do?
I have just emailed them asking for a subject to access request under GDPR law but I don’t know if this is enough.
Thank you.
Sara (Debt Camel) says
What sort of debt is this?
Joanne says
An overdraft with Lloyds Bank. I did try contacting Lloyds but haven’t heard back and it was a month ago.
Sara (Debt Camel) says
Have you looked at your credit record – does the debt show on there, if so what is the balance?
Joanne says
I’ve checked my credit report with 3 different providers and there’s nothing.
Sara (Debt Camel) says
OK, well I suggest you wait until you get a reply from Wescot or Lloyds.
Annie says
My ex business (which I have resigned from over a year ago) defaulted on a loan and the bank is chasing me for the amount even though the business is still registered to my ex business partner and he has other businesses. I had a breakdown and advised bank last Nov and they advised they were going to go after Business. I received letter from DCA demanding for outstanding amount. My understanding is debts of vulnerable customers shouldn’t be sold on but bank denies my conversation, although I have a letter sent from their solicitors addressed to Business and not me after my conversation with them. I have requested SAR from them as I wanted transcript and communications they claim to have sent me. Letter came back to say they have no record of my liability, but if debt had been sold on I should contact DCA. I did but they said they don’t have info and referred me to the main creditor. I did and they advised they don’t have info and should go back to the company assigned for the debt. They also said bank should have all my info. Went back again to assigned collectors and they said they would have to request from bank.
My question is who should be holding this info and if it’s the bank then why wouldn’t they let me have my info since I am still a personal customer. Bank has been so unhelpful and sent me round in circles.
Sara (Debt Camel) says
I suggest you talk to Business Debtline about this, see https://www.businessdebtline.org/.
Rio says
I would like to SAR original creditor and see what information they shared with 3rd parties, like debt collectors and CRAs. Am I allowed to ask for that information under the GDPR?
Sara (Debt Camel) says
Well you can ask for anything you want. But I am not sure it is going to be very interesting, just a “we report monthly changes to *this* CRA and when an account is not up to date we may send it to a selected debt collector to collect on our behalf”. If you can say why you are concerned, there may be something more specific you can request?
debbie says
Do I have to provide proof of identity when requesting a SAR? I put a complaint for unaffordable lending to the company via email, they have responded to this with some details of their searches and said they disagree with my claim. But they will not comply with my SAR request unless I provide them with two forms of picture identity. They clearly know who I am otherwise why respond to my complaint?
Sara (Debt Camel) says
I suggest you reply saying that, and that the ICO won’t approve if a firm makes it unreasonably difficult for someone to ask for a SAR.