Tony Bowden wrote:
Data Protection compliance, for the most part, seems to be a complete joke.
Trouble is that we don't always know what information organisations hold
about us so wouldn't always know that a SAR response was deficient.
I used to have a magazine subscription with a major publisher. It had run
for several years and I always paid by cheque rather than direct debit.
Because of delivery problems last year I cancelled the subscription and
requested a refund (as per the terms of the agreement). I received a letter
saying the appropriate amount had been refunded by the method I used to
make my payments.
As I hadn't received a cheque I queried this - but before being given a
response, I received a bank statement showing a direct debit payment from
the company to me. The company had obviously taken my bank account details
from one of my cheques without telling me they were going to do so.
The company's excuse is that they had to record the details in case the
cheque bounced - but why should they then retain them for months rather
than days?
Had I submitted a SAR and the fact that these details were recorded was not
disclosed, I could not have gone back for more because I would not have
expected the information to be stored.
Needless to say I wrote to the IC spelling out what appear to me to be
breaches of several of the DP principles. I've received an acknowledgement
but no substantive response so far. We shall see what we shall see.
regards,
Graham