The following response from the Pension Scams Industry Group (PSIG), responsible for the Code of Practice on Combating Pension Scams (http://www.combatingpensionscams.org.uk/), expands on a growing concern within the pensions industry and wider financial services sector around the abuse of SARs by claims management companies. This is something that our Chair, Margaret Snowdon, has already spoken to the ICO about and, in our response, we reiterate our calls for guidance to explicitly cover the issue of SARs being used for an improper purpose, and what the rights of data controllers are in these circumstances.
In more detail, the highlighted part of the GDPR recitals*, at the end of this response, is instructive; i.e. the right of access is for individuals to be aware of, and verify, the lawfulness of the processing.
We have, however, experienced, and have been made aware of, the rapidly growing practice of SARs being used in a manner contrary to the substantive policy intention; i.e. for often highly speculative claims purposes rather than for awareness and verification of the lawfulness of processing.
We would highlight the relevant section on page 11 of our Code that comments on the matter:
“Another tactic is to get members to make General Data Protection Regulation (GDPR) Data Subject Access Requests (DSARs). Those subject to a DSAR will need to ensure they comply and take advice as deemed necessary. However, consideration can be given as to whether every document request properly falls within the scope of a DSAR. In some cases, a claims management company might attempt to obtain disclosure to which it is not entitled. For example, due diligence undertaken in looking into the prospective receiving scheme, which might prove extensive, need not be disclosed under a DSAR if the member concerned is not specifically identifiable from it and if that due diligence could just as easily relate to a transfer request made by another member. By contrast, any conclusions reached from that due diligence and relayed to the specific member might well fall to be provided. It is possible to redact information that has been gathered in the prevention of financial crime. This could apply to due diligence that highlights any suspicions, in order to avoid possible tipping off.”
and ask that specific guidance in respect of the non-disclosure of due diligence undertaken in terms of the receiving scheme (or other entities involved in the transfer) be included in Guidance on
According to page 3 of the draft SAR guidance:
“The right of access, commonly referred to as subject access, gives individuals the right to obtain a copy of their personal data from you, as well as other supplementary information. It is a fundamental right for individuals. It helps them understand how and why you are using their data, and check you are doing it lawfully.”
If this is the core purpose, then we know of one independent trustee firm, heavily involved in the fight against pension scams, that has stated that 95% of the SARs it receives run contrary to this principle. The same firm provided a real-life example of the potential for SARs to be misused as mentioned above.
“A member of a pension scheme who had been a victim of a pension scam contacted us by phone. We were appointed independent trustees to the 'scam-scheme' to try and recover funds for the members.
She was cold called recently by a known claims company. Whilst it was unclear whether she misunderstood what they actually said, she told us that they asked for her benefits ‘to be transferred to them’.
The claims company were looking to take 25%, and stated that they would ‘get her money back’. She got confused as she understood that she cannot access her funds from the scheme. The trustee explained why it is more likely that the claims company would be making a claim for compensation, using SARs, as opposed to recovery.
The member was then very concerned with the nature of the cold call and how they got a hold of her data. The claims company also already knew how much she had transferred. The independent trustee explained its various concerns, and explained her rights under GDPR.” In this case, the call concluded with the member asking that the trustee make a note on file not to share her data with anyone without her consent.
At the moment, the use of SARs for 'claims purposes' is not once directly spoken about in the entire draft guidance, and yet the risks are very real. The scope and jeopardy of such requests are, we feel, vastly underestimated.
In consequence, we would like to ask for the sections in the draft guidance on “How do we recognise a subject access request (SAR)?”; “What should we consider when responding to a request?”; and “When can we refuse to comply with a request?” to be expanded to address the ‘mischief’ identified in this response.
For completeness, we would also point out that, under DPA 2018, there is a regulation making power under the provisions on “Restrictions on data subject's rights” (sections 15 and 16) that would allow further exemptions to be introduced on DSARs.
*Recital 63 - Right of Access
1. A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing.
2. This includes the right for data subjects to have access to data concerning their health, for example the data in their medical records containing information such as diagnoses, examination results, assessments by treating physicians and any treatment or interventions provided.
3. Every data subject should therefore have the right to know and obtain communication in particular with regard to the purposes for which the personal data are processed, where possible the period for which the personal data are processed, the recipients of the personal data, the logic involved in any automatic personal data processing and, at least when based on profiling, the consequences of such processing.
4. Where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data.
5. That right should not adversely affect the rights or freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software.
6. However, the result of those considerations should not be a refusal to provide all information to the data subject.
7. Where the controller processes a large quantity of information concerning the data subject, the controller should be able to request that, before the information is delivered, the data subject specify the information or processing activities to which the request relates.
Art. 15 GDPR - Right of access by the data subject
1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
(a) the purposes of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
(d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
(e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
(f) the right to lodge a complaint with a supervisory authority;
(g) where the personal data are not collected from the data subject, any available information as to their source;
(h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
2. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.
3. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.