There’s a paucity of guidance on what mechanisms organisations must offer when charging the £10.00 SAR fee. It bugs me when an organisation accepts payments for other services via card payments and/or bank transfer, but insist on cheques for subject access requests.
The only related guidance I can find is the ICO’s DPA LTT on payment mechanisms for SAR fees, which says that an organisation must act as if the fee has been paid if it’s been sent in a commonly acceptable form, so for example if the organisation tries to insist on payment by card but the requester posts a cheque, they must still process the SAR even if they don’t cash the cheque. The difference is that receiving the cheque doesn’t require any co-operation from the organisation, it’s essentially passive. To pay the fee by card the organisation would have to operate their card machine etc.
So I’ve sent the ICO the following email, but if anybody happens to know of other guidance please do let me know!
Please can you tell me what payment methods an organisation should offer for payment of the £10 SAR fee?
Please can you provide any guidance on this subject? I can only find this DPA LTT which addresses a subtly different question.
In specific, can an organisation insist on SAR fees being paid by cheque, even if they accept payment by card and bank transfer for other elements of their business? I hate cheques; they can go missing in the post, they take time to clear, it’s a pain for me to get to the pillar box in my wheelchair, and they’re very out of date. Is there best practice or statutory or other guidance that says that a company must accept payment by other mechanisms where these are already in use in other areas of their business?
Could I just transfer £10.00 into their account via bank transfer and present them with a printout proving I’ve done this as a fait accompli?
ADDENDUM 11th September
Correspondence with the ICO has provided some elucidation. It has taken a little while, though…
ICO to me: 28th August 2015:
An organisation is able to specify a preference with how they receive the fee. Ultimately as long as they allow the individual a method of payment, then this is likely to be acceptable.
For example, there may be reasons why an organisation are unable to accept payment for SARs via card. This may be because card payments have to show that you are paying for goods etc, and that their systems may put constraints in place that would not allow them to take SAR payments.
I therefore suggest that you contact the organisation and ask them the reasons why they cannot accept payment via card and if there is any other alternative to paying by cheque.
However, there are unlikely to be issues as long as they allow you to make a request and provide some way for you to make a payment.
Me to ICO: 28th August 2015:
Your DPA LTT says that an organisation must act as if they have successfully received payment when proffered, even if it isn’t done so using their preferred payment mechanism. The difference is, I guess, that when paying by card the organisation has to actively participate in the transaction, instead of passively receiving a cheque or cash. Is that the difference between your reply and the LTT?
In my specific case, my SAR was to (X company). They give bank details for (X purpose). I transferred £10.00 into that account and emailed them the transfer details, explaining that it was the SAR fee. Could you please confirm if based on your LTT I have paid them the fee and they are now under obligation to supply the info?
ICO to Me: 2nd September 2015:
As previously mentioned an organisation can specify how they would like to receive a payment for a SAR. As long as they offer you a method that allows you to pay then they are unlikely to be doing anything wrong.
As you have paid the fee via bank transfer, in to an account for (X purpose), and you wish to know whether they are obliged to accept this payment.
Essentially, if they do not accept payment for subject access via this account, and have offered you an alternative way of paying, then there are not going to be obliged to accept the payment. This is because they may not have the facilities to transfer the payment in to the correct place. These constraints may mean that they are unable to process your fee.
We would therefore advise that you contact (X company) and ask them if the payment has been received. If they are unable to process the fee this way then we would consider that you would need to pay the fee via the methods that they offer and it would not be a valid SAR until this happens.
Me to ICO: 2nd September 2015:
Thanks for your opinion on this. As I understand it your response is that (X company) don’t have to consider my bank transfer into an account that they probably don’t use for SAR fees as valid. “As long as they offer you a method that allows you to pay then they are unlikely to be doing anything wrong.”
The reason I am querying is that the Information Commissioner’s Office’s DPA “Line To Take” document “SAR fee – acceptable payment types” says this:
If a data subject provides the correct fee in a format which is legally recognised in the UK to denote payment eg cash, cheque or postal order etc. and assuming that they have correctly provided all the other elements of a subject access request eg adequate identification etc, the moment the data controller has received the request (section 7(2)), its obligations under section 7 begin.
- Line to take
A data controller does not have to accept the payment, but the obligation begins nonetheless – acceptance is not a condition of receiving. A data controller is well within its rights to state a preference for a particular format of payment, but it cannot demand it.
So your guidance says that if I turn up in person at their offices with a £10 note to pay my SAR fee, then (X company) are judged to have been offered payment and must process my SAR, even though they say they only accept cheques for such payment.
I guess I’m asking where the line is drawn between when a payment of a SAR fee is deemed as having been properly offered, thus putting them under the obligation to respond. What’s the difference between me turning up at their office with a £10 note, and me electronically transferring £10 into their bank account? They’re both mechanisms that they don’t offer or want people to use, but certainly in the latter case (physically bringing £10 cash) your guidance says they have to act as if they’d been paid the fee.
I guess I’m asking for a line. Turning up at the office with a tenner = fee considered paid (even though they want people to pay by cheque). Offering to pay by credit or debit card, given that this is “a format which is legally recognised in the UK to denote payment” = fee not considered paid? Direct transfer into bank account = fee not considered paid?
Where’s the line?
ICO to me: 11 September 2015:
I have sought further advice on this and our view would be as follows –
If a payment is made via a non-preferred method, in this instance by bank transfer, then as long as you have provided or offered the payment in legal tender, they would need to comply with your request.
The only difference to this would be if you were trying to pay via a method that they have no means of accessing. For example, if you wished to pay via PayPal and they didn’t actually have a PayPal account, they would not be expected to create one.
Therefore, if you have made the bank transfer in to one of (X company’s) bank accounts, even though this would not be their preferred method of payment, they would need to deal with your request as you have provided them with a valid fee.
I hope this clarifies the matter and I must apologise that the advice may have been contradictory.
Me to ICO: 11 September 2015:
Thank you, this is interesting and useful.
I wonder if I could ask the ICO to define the line even more clearly. You’ve established that transferring £10 into their bank account means they have to comply with my SAR; but that is essentially a passive act on their behalf. I am wondering if they should have to co-operate in other mechanisms.
They accept payment (for X purpose, unrelated to SARs) by debit and credit cards. As they use this mechanism, would they have to accept payment of the £10 SAR fee by debit or credit card if I told them that’s how I would like to pay it?