Monday, February 06, 2017

Side Effect: Snoopers Charter [Part 2]

Last month I sent a rather well-known international internet provider a subject access request (SAR) - since that post (which you can recap on here) I've had some rather less entertaining communiques with them.

I'm not going to name the ISP just yet for security reasons but suffice to say that the following are true:

  1. They ask that a cheque is sent in the post to them for £10 as part of the SAR process; yet do not accept cheques as a form of payment for any of their services
  2. They do not advertise the email details for any legal department inbox, nor do they extend their current online issue registration capabilities to include SAR or similar filings
  3. This is a company who sell themselves on high technological value (and do so on multiple continents) yet fail to provide a simple means for lodging a SAR - which is an individual's right under the law here in the UK [and EU]

After the last post I had received an assurance from the member of staff that she would contact the original member of staff to find out why it was [erroneously] passed to her department, and that she would call me back within 2 hours.

I've heard nothing since the 19th and 20th of January.

I've sent two follow-up emails to the ISP to which they have failed to reply within 48 hours - which is their SLA for business customers. I sent another further update request from an email address embedded within a tracking system.

This email got a response within 3 hours saying that the update request was "...not sent from the email address you used in your initial enquiry", and that "...for security reasons, we cannot provide an update unless you use the same email address that you originally used to contact us".

Actually I'm happy with that response as it's a verification of identity - the tracking system uses a completely separate domain and I'd be asking for the same verification from any of my customers too. So I sent back a message from the original email address used to the effect that yes - it was me, and that they should enact this second email address with the appropriate authorisation to deal with this issue.

That was the 2nd of February and there's been no further communication since.

So I repeated the latter part of the exercise and got the same response today - also read and responded to within 3 hours of being sent.

So what is clear is that the ISP are receiving the requests for update and essentially refusing to provide an update. As I've had adequate responses directly from the ISP staff they have received and acknowledged the request, and I've asked specifically how I can pay the £10 SAR fee without a cheque book.

As they're refusing to respond does that mean they're waiving it? Forgetting the fact that the fee was designed in the 1980s to cover the cost of postage of the potentially large printed documents to answer the SAR, I'm not sure how relevant that price is versus the cost of doing business - which all businesses must acknowledge if they conform to the Data Protection Act.

I can show that each of the requests for information has been received, opened and read (all in India), yet have little to show in terms of meaningful response. I found another part of the same ISP - well, it's a law firm that says it's part of this ISP - and I'm going to send them a copy of these posts as well as the original request.

Expect another post in coming weeks as the time limit on the SAR (40 days) means the statutory limit expires on the 28th of February. At that point the ISP will be in breach of the DPA.