Three fails to comply with GDPR Articles 15(3) & 20(1)

NFH

Prepaid customers of Three will already know that Three fails to routinely make available any personal usage data to them. The only way to see one's personal usage data was previously to pay £10 for a subject access request under Section 7 of the Data Protection Act 1998, but customers can now request this for free via a right of access request under Article 15 of Regulation (EU) 2016/679 (General Data Protection Regulation).

Not only does the GDPR entitle customers to their personal usage data for free, but it also requires organisations to supply it, if requested, by e-mail pursuant to Article 15(3) and "in a structured, commonly used and machine-readable format" pursuant to Article 20(1). Three refuses to comply with these two requirements with the reason that it does not want to supply the data in a format that could be edited, which is not a valid excuse for non-compliance. It also fails to supply charge data with the reason that charge data is held in a separate system, which again is not a valid excuse for non-compliance. Three is obliged to supply you with your personal data, no matter which of its databases the data is stored in.

If you're a Three prepaid customer, you can very easily request your personal usage data by sending the following e-mail to Three:

Send to: [EMAIL="DPA.Officer@three.co.uk"]DPA.Officer@three.co.uk[/EMAIL]
Subject: Request for personal usage data under Article 15 of GDPR

Pursuant to my right of access under Article 15 of Regulation (EU) 2016/679 (General Data Protection Regulation), I would be grateful if you could supply me with a copy all my personal data that Three holds pertaining to usage of my pay-as-you-go mobile number 07XXX XXXXXX.

Please supply the data:
1. By e-mail to X@X.X, pursuant to Article 15(3) of the GDPR. Given that I am requesting the data to be sent to my e-mail address that you already have on file, no additional identity checks are needed pursuant to Article 12(6) of the GDPR. For further guidance on verification of identity for Article 15 requests, please see https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-of-access/#10
2. In a structured, commonly used and machine-readable format (e.g. CSV, TXT or XLS, but not PDF) pursuant to Article 20(1) of the GDPR. For guidance on your obligation to supply the data in "machine-readable format", please see https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-data-portability/
3. Including the date and time of each item of usage, quantity consumed (e.g. minutes or mobile data), number dialled (for calls) and charge (for all chargeable items).
4. For all usage history since I have been a customer of Three that continues to be stored in any of your systems, including any usage data stored in compliance with a retention notice issued under Part 4 of the Investigatory Powers Act 2016 or equivalent prior legislation.
5. Within one month pursuant to Article 12(3) of the GDPR.
6. Free of charge, pursuant to Article 12(5) of the GDPR.

I would also be grateful if you could comply with Recital 63 of the GDPR, which gives a best practice recommendation that "Where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data". Three complies with Recital 63 for postpaid customers, but not for prepaid customers. While Three fails to comply with Recital 63, it necessitates further manual Article 15 requests for access to personal usage data, which is both onerous for customers and administratively costly for Three. Therefore why does Three not comply with Recital 63 for prepaid customers?

When Three fails to send your personal usage data to you by e-mail in a structured, commonly used and machine-readable format, you can escalate it very easily to the Information Commissioner's Office by inserting the text below into this form and sending it to [EMAIL="casework@ico.org.uk"]casework@ico.org.uk[/EMAIL].

I am a prepaid (pay-as-you-go) customer of Three's mobile network.

Three fails to provide usage history to its prepaid customers, thereby not complying with the best practice recommendation in Recital 63 of the GDPR.

I therefore made a right of access request to Three for my personal data pertaining to my usage history pursuant to my right of access under Article 15 of Regulation (EU) 2016/679 (General Data Protection Regulation). I requested the data:

- By e-mail pursuant to Article 15(3) of the GDPR.
- In a structured, commonly used and machine-readable format (e.g. CSV, TXT or XLS, but not PDF) pursuant to Article 20(1) of the GDPR.
- To include the charge for any chargeable items of usage.

Three sent the data by post instead of by e-mail and instead in a structured, commonly used and machine-readable format. Furthermore, all charge data was shown as zero.

Three explain their non-compliance with Articles 15(3) and 20(1) by stating that it is their policy to supply data in a format that cannot be edited. Three explain that they could not give me details of the charges for each item because for prepaid customers, charges are stored in a separate database from which the data controller cannot easily extract data. Neither are valid reasons for non-compliance.

I would like the ICO to enforce Three's compliance with Articles 15(3) and 20(1) of the GDPR, including charge data, and also encourage Three to comply with the best practice recommendation contained within Recital 63 of the GDPR that "Where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data". Three complies with Recital 63 only for postpaid customers, not for prepaid customers.

PHK

Why would you go to all the trouble of a DSAR when every handset has a log of activity?

buglawton

I’m curious as to why Three is so coy about allowing you see your usage dats, even if it’s only a list of calls and MB used. It’s the fly in the ointment with an otherwise great PAYG service. Once or twice a year my credit disappears more quickly than expected and its at these times that a quick usage review would help avoiding mistakes like dialling a foreign number without the right acces code, or allowing some app to use 4G when it should have been limited to wifi.

The only reason I can imagine is that the withholding of your usage record is a barefaced cynical attempt to nudge you into a contract. With wifi available everywhere including at work I don’t need a contract and I love the assurance that theft of my SIM card or mistaken roaming in the wrong country cannot result in a £1000s bill.

buglawton

PHK wrote: »

Why would you go to all the trouble of a DSAR when every handset has a log of activity?

On an iPhone, where do I see a log by the of how much data in last day was used on 4g and what that unexpectedly expensive call to a non 03x or foreign number cost?

eDicky

PHK wrote: »

Why would you go to all the trouble of a DSAR when every handset has a log of activity?

A handset can list calls and texts, but not exact data usage, and not itemised charges for a particular SIM. These can be found in the online account or app of most networks, but not Three PAYG.

NFH

PHK wrote: »

Why would you go to all the trouble of a DSAR when every handset has a log of activity?

It doesn't have a log of all activity. The iPhone stores only a specific number of previous calls (maybe 100). The iPhone also doesn't show charges.

How does one identify billing errors with no itemised usage history from the network? For example, try making a call to a +800 number, and you will see that Three charges 10p/min (or part thereof), yet they don't specify this in their published charges, and Three customer services say that the charge is supposed to be zero. This is just one of many examples.

If you think that an Article 15 request is just about seeing the numbers called and duration of your last few calls, then you've totally missed the point.

PHK

Perhaps you could have explained more clearly? Rather than a wall of text and awkward phrasing.
If you'd put "Three doesn't let pay and go customers see a breakdown of data usage and itemised call costs. I've made a DSAR for these but Three say they can't or won't provide the data. I believe they are in contravention of the GDPR, how can I enforce my rights?" Then you may have a better response rate.
Incidentally, I don't agree that Three is the only pay and go provider that doesn't provide this information. Incidentally, the Three app, let's you check a call cost. I'm not on pay as you go, so I can't speak for the completeness or accuracy of the data .

eDicky

PHK wrote: »

Incidentally, the Three app, let's you check a call cost. I'm not on pay as you go, so I can't speak for the completeness or accuracy of the data .

For PAYG I'm pretty sure the app doesn't let you check call cost or usage history. I cannot open the app to make sure because I'm not now in UK or a 'Go Roam' country and the app only works, and then only occasionally, with data connection on the Three SIM.

NFH

PHK wrote: »

Incidentally, I don't agree that Three is the only pay and go provider that doesn't provide this information.

It's true that the majority of UK prepaid providers fail to comply with optional Recital 63, but the issue here is that Three refuses to comply with obligatory Articles 15(3) and 20(1).

PHK

Surely the ICO is the best way to go forward.

NFH

PHK wrote: »

Surely the ICO is the best way to go forward.

Exactly. The more who complain, the better, hence the template correspondence above for all to use.