Home

What to do if the bank ignores the Data Protection Act!

Unfortunately, the banks are now starting to regularly ignore Subject Access Requests for charge details or statements, made under the Data Protection Act!

As mentioned in Step 1 - Requesting your Bank Charges - Data Protection Act, the bank have 40 days to send you the data you are asking for. If they go over the 40 days, then they are in breach of the terms of the act. However, many people are now finding that the 40 days have come and gone, and they have still not received their data, or had a response from the bank.

I was in this situation myself with one of my claims recently (which was resolved by sending the letter below!), and I have received a sudden surge of people recently asking me what to do as this has also happened to them, so it's definately becoming more common!

In some cases, because the bank are getting so many requests now as hundreds of thousands of people are going through the process of claiming their bank charges back, it may be a genuine oversight and they don't have time to respond in the 40 days allowed. However, it works both ways, they won't allow you extra time to pay money into your account before they hit you with a penalty charge, so there's no reason for you to allow them extra time!

In other cases, its a case of the bank deliberately being obstructive, hoping that you will give up on your claim to get your bank charges refunded.

Either way, it's not allowed and there are two courses of action that you can take:

  • 1. Make a complaint to the Information Commissioner. This is the body set up to ensure that the Data Protection Act is complied with, and they can force the bank to comply, and possibly impose penalties on the bank for non compliance. If enough people complain, they will have to take the breaches more seriously, and really clamp down on the banks!
  • 2. Make a claim in Court, forcing the bank to comply, and possible compensating you as well. This is more difficult than a normal bank charge claim, and means that you will have to pay another set of court fees and it can drag your overall claim out by months, so it should only be used as last resort!

What to do before you Make an Official Complaint

Before you make an official complaint to the Information Commissioner, or file a claim in court, you need to show that you have done your best to help the bank to comply and resolve the problem.

To do this, send the bank the letter below, which gives the bank one more chance to comply with the Data Protection Act, and extends their deadline by 7 days. If the bank still ignores your request it shows that you have done your best, and it's the bank that is in the wrong, meaning your complaint will be taken more seriously.

Template letter to give the bank a final deadline to comply with your request under the Data Protection Act

Template letter to give the bank a final deadline to comply with your request under the Data Protection Act

If you don't have Microsoft Word, you can cut and paste the letter below into another application.


[YOUR NAME]
[YOUR ADDRESS]

FAO Data Protection Controller
[BANK NAME]
[BANK ADDRESS]

[DATE]

RE: Compliance Failure - Data Protection Act 1998 Subject Access Request

Dear Sir/Madam

SORT CODE: [YOUR SORT CODE]
ACCOUNT NUMBER: [YOUR ACCOUNT NUMBER]

On the [PREVIOUS LETTER DATE] I wrote to you requesting a complete list of transactions and charges relating to my banking history with your organisation for the past 6 years, or alternatively a complete set of statements, and I enclosed the statutory maximum fee of £10. The letter was delivered to yourselves and signed for on the [DATE LETTER RECEIVED]. I have enclosed a copy of the original letter, and proof of delivery.

Under the terms of the Data Protection Act, you had a maximum of 40 days in which to comply, as stated in the letter. This means that I should have received the requested information, on or by, the [DATE 40 DAY DEADLINE ENDED].

I realise that you are extremely busy at the moment, and that failure to comply with my request is likely down to a simple oversight. As such, I request that you send me the information that I require within 7 days of receipt of this letter.

If you fail to comply, I will be forced to lodge an official complaint with the Information Commissioner, and proceed with court action for non disclosure together with damages at the discretion of the Court and without any further notice.

Further more, as it is my intention to claim back any disproportionate penalties that you have levied against me, it would save both parties time and money if you enclose payment reimbursing these penalties to save further court action against yourselves.

Yours faithfully,

[YOUR NAME]

As always, send the letter by Recorded Delivery so that you have proof the bank received it, and more importantly when it was received , so that you can start counting down the 7 day deadline. You can track the progress of your letter at the Royal Mail web site. Also, make sure that you keep a copy of the letter!

Hopefully, this will spur the bank into action as they know you are serious and not likely to back down. If it doesn't though, and after 7 days of the bank receiving your letter, then the next step is to complain to the Information Commissioner, which is the easiest out of the two options you have available to you.

Making an Official Complaint to the Information Commissioner

The Information Commissioner's Office is the UK's independent authority set up to promote access to official information and to protect personal information, and oversees compliance with the Data Protection Act.

They are well aware of the problem, and state the following on their web site:

The unprecedented demand for access to statements is ongoing and many financial institutions are struggling to keep up and supply them within the 40 days allowed by the Data Protection Act.

We are monitoring this closely and are in regular contact with them to make sure that they are taking action to improve the situation.

Their conditions that you must meet before you can make a complaint are:

  • You have asked your credit card provider for copies of your statements (in writing)
  • Paid the fee (if required)
  • Waited for more than 40 days
  • And you have not received any response from them, we recommend that you contact them again to find out why.

As you have sent the letter to above, and waited 7 days for a response, it fulfills the last condition that you have contacted them again before starting your complaint.

Information you need to make your Complaint

When you make your complaint to the Information Commissioner, you will need to send them the following:

  • A Copy of your Request for Statements
  • Copies of any other related letters you have sent to your bank
  • Confirmation of when your cheque or postal order was cashed

With the last piece of required information, as the banks are not usually cashing cheques or postal orders, you can't usually do this. You could send your proof of posting instead however.

What the Information Commissioner will do once you have submitted your complaint

First of all, they will write to the bank finding out why they have breached the terms of the Data Protection Act, and will instruct them to provide you with the information that you are entitled to.

Where the bank is persistantly failing to comply with the Data Protection Act, the matter will be considered for regulatory action.

In such cases, the Commissioner will attempt to resolve the matter by informal regulatory methods but he may use his formal enforcement powers in cases where such informal methods prove unsuccessful.

How to make your Complaint with the Information Commissioner

To start your complaint, you need to go to the Data Protection Complaints section of the site.

There are two ways of making a complaint:

  • By Post - Download the PDF file containing the Complaint Form to print off.
  • Online - Download the Word document containg the Complaint Form for Electronic Submission.

You can download either version, but I would recommend the Word Document as you can submit it electronically, so your complaint will be dealt with faster.

Filling out the Complaint Form

Filling out the form is quite easy, all the information required is quite straight forward. The sections you will need to fill in are:

Step 1 - Your Details

Enter your contact details ie Name, Address, Phone Number and Email Address.

Step 2 - Previous Contact with the ICO

As this is a new complaint, tick the box labeled "I do not have a reference number. This is the first time I have contacted you."

Step 3 - Have you given anyone else permission to speak to us about your complaint?

You can leave this section blank, as in this case it doesn't apply.

Step 4 - Who do you want to complain about? (This will usually be an organisation.)

This is where you insert the Banks Details. Enter as many details as you can, making sure that you fill in the address of the Banks Head Office, and not the address of your local branch. You can find the Banks Head Office Address from our list of addresses for the major Banks, or from the Banks own website.

Step 5 - Your relationship with the organisation

For the relationship with the bank enter "Account Holder"

For the reference, enter the Account Number you held with the bank.

Step 6 - Details of the Problem

In this section you need to enter your complaint. You can use the version below, or use your own wording if you wish.

I made a "Subject Access Request" to [INSERT BANK NAME] asking for copies of my charges, or alternatively statements, for the last 6 years, which was received by the bank on [INSERT DATE THE BANK RECEIVED LETTER], and giving the standard 40 days to comply. Also enclosed was a cheque for £10, the maximum fee applicable for this information. After 40 days, I had received no response from [INSERT BANK NAME].

I then sent [INSERT BANK NAME] a second letter, again requesting the information above and giving them a further 7 days to comply. This letter was received by the bank on [INSERT DATE THE BANK RECEIVED SECOND LETTER]. Again I received no response from the bank, and have received none of the requested information, and no reason from the bank for not disclosing this information.

Copies of both of the above letters are attached.

Step 7 - When did you first become aware of the problem?

Enter the date for the day after the 40 day deadline the bank had to send you your requested information.

Step 8 - Supporting documents

You will need to attach the letter making your original "Subject Access Request", to get copies of your charges or statements for the last 6 years.

You also need to attach the second letter (from above) you sent to the bank, giving the bank a further 7 days to comply with your request.

With each letter, you should attach the details of the date the letter was posted, and the date the letter was received by the bank, along with the date that consituted the deadline for the letter.

Step 9 - Important information about your supporting documents

If you are sending the form through the post, and want the documents supporting your complaint back, then you need to tick the box. However, this shouldn't be relevant, as you should only send copies of the documents with your complaint, keeping the originals.

Step 10 - Please list the supporting documents you are sending to support your complaint.

Here you need to list the documents you are attaching, ie the letter making the original "Subject Access Request", and the letter giving the Bank a further 7 days to comply.

Step 11 - Declaration

Read through the conditions, and then sign and date the complaint form to state that the details on the form are the truth.

Submitting your Form Electronically

Once you have filled in the Word Document with details of your complaint, you can upload it as an attachement along with other supporting evidence (including your letter asking for your charges or statements for the last 6 years, and the letter giving the bank one last chance to send your information), through the Online Enquiry Form.

Submitting your Form by Post

If you downloaded the PDF version of the form to fill in, you will need to post it to:

The Information Commissioner’s Office,
Casework and Advice Division,
Wycliffe House,
Water Lane,
Wilmslow,
Cheshire,
SK9 5AF.

You should attach a covering letter explaining that you are making a complaint, along with all your supporting evidence as covered in the section above for submitting your form electronically.

What happens after your Complaint is received by the Information Commissioner

Once you have submitted your complaint, the Information Commissioner will look into it and will perform an assessment as to whether or not the bank are complying with the Terms of the Data Protection Act.

This extra pressure should ensure that the Bank will now send you all the requested information.