
Subject Access Request

Status
Not open for further replies.

Mathieu

Member
Joined
11 Jul 2016
Messages
245
Location
Oban
On the 26th of September I submitted a Subject Access Request to ScotRail via customer services.

I have been back and forth with them for months trying to get my personal data but I keep getting told that they'll get back to me on it which they never do.

It's now been 131 days since I made my SAR and by law I should have
 

ForTheLoveOf

Established Member
Joined
7 Oct 2017
Messages
6,416
On the 26th of September I submitted a Subject Access Request to ScotRail via customer services.

I have been back and forth with them for months trying to get my personal data but I keep getting told that they'll get back to me on it which they never do.

It's now been 131 days since I made my SAR and by law I should have

Are you based in England/Wales, or Scotland?
 

route:oxford

Established Member
Joined
1 Nov 2008
Messages
4,949
On the 26th of September I submitted a Subject Access Request to ScotRail via customer services.

That seems to be a silly way to do it, when they make it very clear exactly who to contact:-

The ScotRail DPO is the first point of contact for dealing with Rights Requests issues and complaints.

ScotRail's Data Protection Officer’s (DPO) contact details are:

Email: [email protected]

Data Protection Officer
Abellio ScotRail Ltd
Atrium Court, 50 Waterloo Street
Glasgow
G2 6HQ

They correctly point out the complaints process, but the ICO do generally expect you to follow the published process first.

If you are not satisfied with any response you can complain to the Information Commissioner's Office:

Online: https://ico.org.uk/global/contact-us/email/

The ICO is pretty much inundated at the moment with response times taking up to 6 months.
 

dviner

Member
Joined
7 Oct 2010
Messages
246
Based on the fact that Police Scotland refer to them, I'd say that the Information Commissioner's Office "makes the rules" about Subject Access Requests in Scotland.

As such, ScotRail should have responded to your request within 1 month, and should have provided any information within 3 months (or informed you why they haven't).

Going by this: https://ico.org.uk/your-data-matters/your-right-of-access/ you should log a complaint with ScotRail, and - if that comes to nothing - then complain to ICO.
 

35B

Established Member
Joined
19 Dec 2011
Messages
2,296
I would not go through customer services, but check Scotrail’s site for details of their data protection officer, and write to them with the complaint. It may also be worth setting a deadline for a response before you refer the case to the ICO.
 

ForTheLoveOf

Established Member
Joined
7 Oct 2017
Messages
6,416
That seems to be a silly way to do it, when they make it very clear exactly who to contact:-

They correctly point out the complaints process, but the ICO do generally expect you to follow the published process first.

The ICO is pretty much inundated at the moment with response times taking up to 6 months.
There is nothing silly at all about contacting Customer Relations for a Subject Access Request, and I would suggest that it is ludicrous to suggest that data controllers can try and control the ways in which you submit a request. You can, in fact, express your wish to have a copy of your data to anyone who works for the data controller, and you can express your wish in any form, verbal or written.

The sole advantage to submitting your request in a way that the data controller asks you to do, is that it may result in a slightly faster response as it avoids the delay in the request being internally redirected.

Based on the fact that Police Scotland refer to them, I'd say that the Information Commissioner's Office "makes the rules" about Subject Access Requests in Scotland.
The EU Parliament has made the GDPR, not the Information Commissioner's Office.
 

35B

Established Member
Joined
19 Dec 2011
Messages
2,296
There is nothing silly at all about contacting Customer Relations for a Subject Access Request, and I would suggest that it is ludicrous to suggest that data controllers can try and control the ways in which you submit a request. You can, in fact, express your wish to have a copy of your data to anyone who works for the data controller, and you can express your wish in any form, verbal or written.

The sole advantage to submitting your request in a way that the data controller asks you to do, is that it may result in a slightly faster response as it avoids the delay in the request being internally redirected.
One that is not trivial, and ensures that a subject access request is not confused with other matters. It is always worth going with the grain of a large organisation, whatever regulations may require - especially where that organisation advises a preferred approach.
The EU Parliament has made the GDPR, not the Information Commissioner's Office.
And it has been enacted in UK law as the Data Protection Act 2018. Being pedantic, the ICO are the designated regulator for data protection in the UK, and it is their guidance that helps define the implementation of GDPR in the UK.
 

David M

Member
Joined
16 Jan 2018
Messages
153
On the 26th of September I submitted a Subject Access Request to ScotRail via customer services.
I have been back and forth with them for months trying to get my personal data.
Surely you know what personal data they have?
For me, they will have my name, address, credit card and expiry date (not the 3 numbers on back), log in username and password, a record of tickets I have bought both ticket and smartcard, my smartcard number and email address. My account will have an alternate delivery address for when I buy tickets for my son so they have his name and address as well. Trans-Pennine Express will have similar information.
How do I know all this? I provided it to them as it makes my life significantly easier.
What do you think they have that wasn't provided by you when you set up a log in or bought tickets etc.?
Why do you want to know?
Genuinely curious.
 

island

Veteran Member
Joined
30 Dec 2010
Messages
16,194
Location
0036
And it has been enacted in UK law as the Data Protection Act 2018. Being pedantic, the ICO are the designated regulator for data protection in the UK, and it is their guidance that helps define the implementation of GDPR in the UK.
Being pedantic and incorrect is a bad combination. The GDPR has direct effect in the UK as do all EU regulations (but not directives). The DPA 2018 extends it and defines certain terms that are left to member states to define. But the request in the present case is entirely a GDPR matter.
 

OwlMan

Established Member
Joined
25 Jun 2008
Messages
3,206
Location
Bedworth, Warwickshire
Surely you know what personal data they have?
For me, they will have my name, address, credit card and expiry date (not the 3 numbers on back), log in username and password, a record of tickets I have bought both ticket and smartcard, my smartcard number and email address. My account will have an alternate delivery address for when I buy tickets for my son so they have his name and address as well. Trans-Pennine Express will have similar information.
How do I know all this? I provided it to them as it makes my life significantly easier.
What do you think they have that wasn't provided by you when you set up a log in or bought tickets etc.?
Why do you want to know?
Genuinely curious.

Scotrail would not have those details. The ticket website is operated by The Trainline.
Scotrail t&cs
Please read the following in relation to www.buytickets.scotrail.co.uk and m.buytickets.scotrail.co.uk pages.
Customers using this website are advised that those pages with a web address prefixed by buytickets.scotrail.co.uk are managed by Trainline.com Limited ("Trainline") and, as such, your use of this part of the website should be in accordance with Trainline's Website Usage Policy.

Customers purchasing a ticket(s) for travel are advised that they are entering into a contract with Trainline in accordance with the Terms and Conditions relating to the Online Purchase of Tickets below and that, in these cases, any queries regarding the purchase of the ticket(s) should be directed to Trainline. The Trainline Privacy Policy shall apply in relation to any personal data collected and cookies used by Trainline in this regard.
 

Darandio

Established Member
Joined
24 Feb 2007
Messages
10,680
Location
Redcar
Scotrail would not have those details. The ticket website is operated by The Trainline.

So all the back and forth above about laws is utterly pointless because the OP is requesting information that they don't hold anyway?

Unless there is another way to submit your personal data to Scotrail?
 

35B

Established Member
Joined
19 Dec 2011
Messages
2,296
Surely you know what personal data they have?
For me, they will have my name, address, credit card and expiry date (not the 3 numbers on back), log in username and password, a record of tickets I have bought both ticket and smartcard, my smartcard number and email address. My account will have an alternate delivery address for when I buy tickets for my son so they have his name and address as well. Trans-Pennine Express will have similar information.
How do I know all this? I provided it to them as it makes my life significantly easier.
What do you think they have that wasn't provided by you when you set up a log in or bought tickets etc.?
Why do you want to know?
Genuinely curious.
The subject access request is quite a useful vehicle for establishing what data an organisation does actually hold about you, especially if they have embellished the information that you believe you have provided. I can think of (non rail) circumstances where I have seriously considered using a subject access request to try to break through an organisation's internal silos and refusal to engage in meaningful discussion. There is one bank in particular where the thought regularly occurs.
 

35B

Established Member
Joined
19 Dec 2011
Messages
2,296
Being pedantic and incorrect is a bad combination. The GDPR has direct effect in the UK as do all EU regulations (but not directives). The DPA 2018 extends it and defines certain terms that are left to member states to define. But the request in the present case is entirely a GDPR matter.
Thank you for the clarification.
 

dviner

Member
Joined
7 Oct 2010
Messages
246
So all the back and forth above about laws is utterly pointless because the OP is requesting information that they don't hold anyway?

Unless there is another way to submit your personal data to Scotrail?

I wouldn't say that the back and forth was pointless.

If ScotRail doesn't hold any information about the OP, then that's all they needed to say - although that wouldn't be true, as their Customer Services department has a record of the OP contacting them, which would include the OP's name and contact details...
 

Muzz

Member
Joined
12 Jan 2015
Messages
23
That seems to be a silly way to do it, when they make it very clear exactly who to contact:-

A Subject Access Request has to be made in writing but doesn't have to be a "hard copy", meaning a valid SAR can be submitted via Twitter, Facebook, etc. Additionally, it doesn't have to be submitted to the person that deals with them or via a form. Which in the case of Scotrail giving a driver a letter would be a perfectly valid way of submitting a SAR, although obviously not the most sensible method.

Scotrail would not have those details. The ticket website is operated by The Trainline.

I believe in this case Scotrail would be the Data Controller and The Trainline would be a data processor on their behalf, meaning it would come under a Scotrail Subject Access Request, especially as the ticket website is also a subdomain of the main Scotrail site.

This is backed up by the "Where we collect your personal information from" section of their privacy policy which states
  • Buy a product from us or make a sales enquiry
 

ForTheLoveOf

Established Member
Joined
7 Oct 2017
Messages
6,416
A Subject Access Request has to be made in writing
It doesn't even have to be given in writing any more, since the introduction of GDPR. It can now be made in any form. In theory you could ask a Scotrail guard for all the data they held on you. Of course, the problem with making your request in this way is that it's hard to prove you made it, when (inevitably) they don't provide you with the data.
 

tony_mac

Established Member
Joined
25 Feb 2009
Messages
3,626
Location
Liverpool
He/she didn't even say it was anything to do with buying tickets online - so I think all the talk of Trainline being the correct party etc. is rather premature.

Unless there is another way to submit your personal data to Scotrail?

via customer services, revenue protection, cctv, etc.
 

Haywain

Veteran Member
Joined
3 Feb 2013
Messages
15,444
via customer services, revenue protection, cctv, etc.
How can a CCTV image be regarded as personal information, unless facial recognition software is in use (which it almost certainly is not)?
 

island

Veteran Member
Joined
30 Dec 2010
Messages
16,194
Location
0036
Personal information means information a person can be identified from. If the person can be identified from the CCTV, it’s personal information. Facial recognition does not come into it.
 

Mathew S

Established Member
Joined
7 Aug 2017
Messages
2,167
How can a CCTV image be regarded as personal information, unless facial recognition software is in use (which it almost certainly is not)?
An image of a person from which that person can be identified counts as personal data. Certain organisations which have recently decided to keep large archives of CCTV images really should think about that.
 

Muzz

Member
Joined
12 Jan 2015
Messages
23
It doesn't even have to be given in writing any more, since the introduction of GDPR. It can now be made in any form. In theory you could ask a Scotrail guard for all the data they held on you. Of course, the problem with making your request in this way is that it's hard to prove you made it, when (inevitably) they don't provide you with the data.

The ICO's Subject Access Request code of practice [Link to PDF] says otherwise
You do not need to respond to a request made orally but, depending on the circumstances, it might be reasonable to do so (as long as you are satisfied about the person’s identity), and it is good practice at least to explain to the individual how to make a valid request, rather than ignoring them.
 

neilmc

Member
Joined
23 Oct 2011
Messages
1,033
I'm a Data Protection Officer for a small school, and you should certainly check out the ICO links. Having said that, GDPR (and DSARs) are an absolute pain but it's necessary we have procedures in place even if the chance of receiving a DSAR in our case is remote. It sounds like Scotrail have been quite remiss in this.

WHY you require this information is immaterial, it's your right in law to request it and receive it for free unless the organisation can claim that what you're requesting is excessive, which it surely isn't in this kind of case. I'm sure that some people raise a DSAR on an organisation merely to punish them by causing them hassle in return for hassle or perceived poor service they themselves have received. But they might reasonably claim that they suspect they have been put on a black list which is shared round the industry, for example, and need to verify this.
 