
Cathedral Recruitment unable to identify data source

In response to my request for assessment, the ICO has concluded that Cathedral Recruitment had likely failed to comply with the sixth data principle by failing to fulfil the requirements of my Subject Access Request (SAR).

I submitted the SAR in response to a marketing e-mail that I received from Cathedral Recruitment; the e-mail promoted Cathedral’s iProfile feature and contained a statement claiming that I had received the e-mail because I had previously registered my CV with them.

However, in their response to the ICO’s investigation, Cathedral admitted that it was unlikely that I had registered my CV with them; instead it was likely they had obtained my data by purchasing a mailing list. Cathedral were still unable, though, to identify the source of the data.

In their assessment the ICO said:

'On the basis of the information provided to ICO, it appears unlikely that Cathedral Recruitment Ltd has complied with the requirements of the Sixth Data Protection Principle of the DPA in this case. This is because technically CR should have provided you with any information available as to the source of the information held about you'.

No further action was taken by the ICO on this occasion.

I would urge anyone who receives unexpected marketing e-mails from this company, or any other company, to submit a subject access request and demand to know the source. If they are unable to tell you the name of the organisation that they obtained your data from, then you might want to consider submitting a request for assessment to the ICO. Here's how I word my SARs:

According to the guidance published by the Information Commissioner’s Office I am entitled to submit a Subject Access Request by e-mail or by post: http://www.ico.gov.uk/upload/documents/new_pia_handbook_html/access.html

Please send me the information which I am entitled to under section 7(1) of the Data Protection Act 1998 in relation to how you obtained my personal e-mail address: [insert your e-mail address]. In particular, I wish to be provided with any information available to you as the data controller about the source of the data and at what point you obtained my consent to send me electronic marketing.

You have 40 days from tomorrow – the [insert date], to provide me with the information that I require. If you require any further information from me please let me know.

I would appreciate it if you would acknowledge receipt of the e-mail and clarify whether you want me to pay the £10 fee for such a request; bearing in mind that I reserve the right to recover the £10 payment, via the small claims court if necessary, if you are unable to show that you obtained and processed my personal data in accordance with existing data protection laws and regulations. Furthermore, if you are unable to show that you obtained my personal data from a trusted source, I will submit a formal request for assessment to the Information Commissioner’s Office and, regardless of what action they take, I will hand the matter over to a solicitor and seek a court order against you.

Added: 16.11.2011