Payment methods for £10 DPA SAR fee #2

A few weeks ago, I raised the question of what payment mechanisms a data controller must accept for the payment of the £10 fee for a Subject Access Request. I have had a somewhat protracted discussion with the ICO since – see the addendum to my original post. The Information Commissioner’s Office have finally come up with their fully-formed opinion on this, as below:

We have received some further guidance from our policy team who have clarified the situation with regards to SARs and when a fee should be accepted.

As I have previously stated if an organisation do not have the facilities to accept a fee by a certain method then they would not need to create one, as per my previous example regarding PayPal.

In general there is no legal obligation on a data controller to accept a particular method of payment. A data controller can express a preference as to the payment method it would accept, and the data subject should normally comply with this preference where it is reasonable to do so. As we have advised before though, the data controller may on occasion have to have regard to compliance with disability discrimination requirements.

It is also possible for a data subject to express a preference, but, as a payment is to be made to the data controller, agreement would have to be reached with the data controller that this is an acceptable method of payment. The data subject is not able to insist that any recognised legal method of payment should be acceptable to the data controller. Consequently, there is no requirement for the data controller to accept any form of payment just because that is the preference expressed by the data subject.

However, the right of subject access is a basic, fundamental right. This means that it must be sufficiently easy for a data subject to make payment to a data controller in order to exercise that right. Although there may be some cash-only businesses that do not have the facility to process card payments, we believe that the vast majority of organisations do have this facility. Where this is the case, the controller should accept card payments for subject access in order to facilitate the applicant’s request. We would consider it obstructive for the controller to refuse card payments for subject access where it makes and receives card payments for other purposes. The same is true of bank transfers and other payment systems.

My basic tl;dr of the above is that organisations can dictate which mechanism they want applicants to use to pay the SAR fee and the requester can’t override this, though the organisation might have to make a reasonable adjustment for a disabled person and in any case if they have the ability to take payments for other things by alternative mechanisms the ICO would consider them to be obstructive if they don’t accept SAR fees by them. What consequences for the organisation would be had by the ICO thinking them being obstructive isn’t listed, but I suspect naff all, frankly.

The above seems to be at odds with the ICO’s DPA Lines To Take document on SAR fees (.doc file), which says:

If a data subject provides the correct fee in a format which is legally recognised in the UK to denote payment eg cash, cheque or postal order etc. and assuming that they have correctly provided all the other elements of a subject access request eg adequate identification etc, the moment the data controller has received the request (section 7(2)), its obligations under section 7 begin.

A data controller does not have to accept the payment, but the obligation begins nonetheless – acceptance is not a condition of receiving. A data controller is well within its rights to state a preference for a particular format of payment, but it cannot demand it.

To me, that doesn’t fit with what the ICO has just written in the above email to me:

In general there is no legal obligation on a data controller to accept a particular method of payment. … The data subject is not able to insist that any recognised legal method of payment should be acceptable to the data controller. Consequently, there is no requirement for the data controller to accept any form of payment just because that is the preference expressed by the data subject.

Clear as mud to me…

One Reply to “Payment methods for £10 DPA SAR fee #2”

  1. I’ve reverted back to the ICO:

    Hello,

    Thank you for this, much appreciated.

    If I may summarise what you have said: The bottom line is that the
    data controller can legally refuse to accept payment via the
    requester’s preferred mechanism, but if the controller uses that
    mechanism for other functions then the ICO would think they were being
    unreasonable, also the data controller has to make reasonable
    adjustments for disabled people.

    That doesn’t appear to be in accordance with the ICO LTT on the issue.

    You say:

    “The data subject is not able to insist that any recognised legal
    method of payment should be acceptable to the data controller.
    Consequently, there is no requirement for the data controller to
    accept any form of payment just because that is the preference
    expressed by the data subject.”

    Your LTT at https://www.kingqueen.org.uk/dppltt/sarfeepaymenttypes.doc
    says:

    “If a data subject provides the correct fee in a format which is
    legally recognised in the UK to denote payment eg cash, cheque or
    postal order etc. and assuming that they have correctly provided
    all the other elements of a subject access request eg adequate
    identification etc, the moment the data controller has received
    the request (section 7(2)), its obligations under section 7
    begin.

    “A data controller does not have to accept the payment, but the
    obligation begins nonetheless – acceptance is not a condition of
    receiving. A data controller is well within its rights to state a
    preference for a particular format of payment, but it cannot
    demand it.”

    Barring any semantics about offering and accepting the payment: If a
    data controller refuses my £10 in cash at their office because they
    only accept cheques, according to the LTT they still must provide the
    SAR response; but according to your email, they could legally refuse
    to process the SAR but may be considered to be obstructive in doing
    so?

    I don’t get it.

    Sorry, I’m not intending on being argumentative or obtuse – just
    trying to get a well-formed ICO opinion and understanding on the
    issue.

    All the best

    Doug Paulley

Comments are closed.