IC's review of MIG data question

greenspun.com : LUSENET : Repossession : One Thread

For anyone who was following this thread earlier, here's the result of the review I requested of Citibank's refusal to grant access to MIG data under the DPA.

"Dear ------, I refer to your request for a review of the assessment made by Miss ---- in relation to the subject access request made to Citibank International plc.

I have made further enquiries of the bank about why they believe the MIG policy is not held in a relevant filing system and is not therefore data that has to be provided under the provisions of section 7 of the Data Protection Act, 1998. I have also consulted the Council of Mortgage Lenders more generally about the recording and holding of MIG policies. In the light of the information provided to me, I have decided that Miss ------'s assessment was correct and that Citibank are likely to have complied with the provisions of the Act. I will now try and explain my reasons for reaching this conclusion. Citibank have explained that they took out a policy with insurers as an indemnity for them against lending money outside criteria. In Citibank's case these policies are taken out in a block and you are not named on the policy nor are you identifiable from it. I appreciate that you believe you are entitled to have access to this information because you paid the fee for it. However the test under the DPA is not whether you paid for the service but whether the information held by the data controller consists of personal data as defined in the Act. I note the discussions you refer to that have taken place on a website, however the points made there do not display a complete understanding of the issues that arise under Data Protection and subject access. The IC has her own enquiry line which you may wish to contact in the future, should you wish to seek further advice about the application of the legislation. To return to the rights under section 7; the Act does now give an individual the right of access to information being held about them in manual files. The right is not, however, equivalent to the right of access to data that is automatically processed. In the case of manual data the first test is not whether the information is personal data but how that informationn is held. If the information is not held in a 'relevant filing system' then it is not data within the meaning of the Act and there is no right of access even though some information may relate to a data subject. In order for something to be a relevant filing system it has to have three elements: 1. a set of information relating to individuals and 2. the set must be structured either by reference to individuals or by criteria relating to individuals; and 3. the set must be structured in such a way that specific information relating to a particular individual is readily accessible. The IC's Legal Guidance states that 'readily accessible' means the information is 'as a matter of fact, generally accessible at any time to one or more people within teh data controller's organisaion in connection with the day-to-day operation of that organisation'. Citibank have not directly responded on the second point that the MIG information is privileged although they do confirm that the contractual relationship for the insurance provision is between the bank and the insurers. As it appears unlikely that the information is data that is caught by the Act, this second argument becomes moot for the purposes of this assessment. I realise that you will be disappointed with the outcome of this review. The Commissioner is required by section 42 to assess, on the balance of probabilities, whether compliance with the Act is likely or unlikely. It is not therefore a final determination of rights. Section 7(9) provides that an individual can ask a court to consider whether or not their subject access request has been complied with.......[further information about applying to the court]....yours sincerely,-------"

Reading between the lines, I gather from this that Citibank are claiming MIG data is only kept as manual files, which is not structured by reference to individuals or related criteria. This is of course possible, but I'd love to know if this particular filing system has been restructured in the light of the 1998 Act???

-- Melody (mbc109@york.ac.uk), April 21, 2002

Answers

Mig Data

With reference to the earlier coment regarding MIG, I think you'll find if a company has mig cover this would be a general insurance to cover mortgages over 75% ltv. The insurance/policy is across the board and not specifically applied to individual cases. As a result under DPA lenders of course have no obligation to show you the details, it is not personnal data that would contain any connection to yourself. How it is filed is irrelavent

-- Omar sherrif Cahoot Mammod (Omar@aol.co.uk), April 22, 2002.

Hmmmm, if its a block policy and you cannot be identified from it them perhaps your MIG now becomes a confidental agreement between your BS and a 3rd Party, if this is the case then your BS cannot take you to court to recover moneys owing under a confidental agreement between them and a 3rd party. The above is how I understand it, please advise if this is NOT the case.

Rgds

-- John (sharky_john@hotmail.com), April 22, 2002.


Yes, unfortunately they can John. Do a search on "Right(s) of Subrogation". There are also many, many threads on this subject on this site. Sorry!

-- Too scared to say (iwasduped@yahoo.com), April 23, 2002.

Moderation questions? read the FAQ