In October 2002 the Lord Chancellor's Department (as it then was) issued a consultation paper on the subject access arrangements under the Data Protection Act 1998. The purpose was to seek views on how the arrangements were working in practice in the light of concern that had been expressed in response to the Government's autumn 2000 post-implementation appraisal of the 1998 Act, and against the background of recent technological and legislative change (eg the enactment of the Freedom of Information Act 2000 (the FOI Act)).
About 170 organisations and individuals responded to the consultation exercise. The list of respondents is at Annex A. This paper attempts to summarise the responses given to each of the questions. Few responses were received from individuals, giving data subjects' perspective. The paper therefore necessarily concentrates on the "corporate" responses which for the most part represent data controllers' point of view. It should be read with this imbalance in mind. Moreover, as is inevitable with any attempt to compress a very large quantity of information into just a few pages, the paper omits many specific points and probably fails to do full justice to others. Nonetheless, the Government hopes that it gives a reasonably representative flavour of the comments that were received.
Further information about this paper can be obtained by contacting:
Sophia Akram
Department for Constitutional Affairs
Information Rights Division
MWB Business Exchange
10 Greycoat Place
London
SW1P 1SB
Telephone: 020 7960 6528
E-mail: Sophia Akram
Data subjects and data controllers identified some problems with the present arrangements. The responses suggest that the number of subject access requests received under the 1998 Act is higher than under the Data Protection Act 1984.
Most respondents thought that a modest maximum fee should be retained. There were mixed views on cost recovery. About half the respondents supported aligning the fees under the 1998 Act and the FOI Act.
Most respondents thought that the current time limit was appropriate, although there was support for expressing it in working (rather than calendar) days. Most respondents thought that there should be special arrangements for time-consuming cases. About half the respondents supported aligning the time limits under the 1998 Act and the FOI Act.
Almost all respondents said that data controllers should continue to be able to ask data subjects to help locate the data they seek. Views on the limits to the information that data controllers should be able to require were mixed. A popular suggestion was that there should be a standard subject access application form.
About half the respondents supported keeping the provision of a hard copy as the basic rule. There was wide recognition of the need for flexibility.
Most respondents favoured setting a 12 or 6 month period within which repeat applications do not have to be accepted or a full cost-recovery fee can be charged. There was wide recognition of the need for flexibility to deal with special circumstances, for example where the data have changed since the first request.
About half the respondents saw a need for wider exemptions. A range of suggestions were made. There was some support for aligning the exemptions in the 1998 Act and the FOI Act.
This paper sets out in turn the specific questions asked in the consultation paper. Each question is followed by a summary of the responses to that question. Question 1 (the arrangements in operation) addressed separate questions to data subjects and data controllers. The summary of responses to the subsequent questions deals separately with the responses from corporate respondents and individual respondents.
(a) Data Subjects
| If you have made a subject access request under the 1998 Act: 1.1 Did you find any problems in getting the information you sought? If so what were they? |
Few data subjects responded to this question. All who did said that they had experienced problems in getting the information they sought. Several commented on data controllers' reluctance to confirm that they had personal data about the applicant, and the time that it took for the information to be provided. Other concerns related to:
the definition of "relevant filing system";
data controllers' reliance on exemptions and their failure to give reasons for withholding personal data;
the enforcement arrangements, including the rôle of the Information Commissioner and the procedure for claiming compensation;
the application of the subject access arrangements to the Internet.
(b) Data Controllers
| 1.2 Approximately how many subject access requests have you received in the last twelve months? How does this compare with the position under the 1984 Act? |
The following table gives information provided by respondents about the number of requests they received.
| Requests Received | 1998 Act Number of respondents |
1984 Act Number of respondents |
| 0* | 4 | 11 |
| 1-5 | 18 | 26 |
| 6-10 | 12 | 6 |
| 11-20 | 9 | 2 |
| 21-50 | 20 | 2 |
| 51-100 | 14 | – |
| 101-200 | 11 | 2 |
| 201-500 | 5 | 2 |
| 501-1000 | 1 | 2 |
| 1001 and above | 16 | 2 |
| Total | 110 | 55 |
*Includes only those respondents who expressly said they had received no requests
Many fewer respondents were able to provide figures about the 1984 Act than the 1998 Act. In addition to those who were able to provide figures, a further 9 said that they received more requests under the 1998 Act than under the 1984 Act; and one said that the number was the same.
It would be unwise to draw firm conclusions from the figures. But they do suggest that considerably more requests are being made under the 1998 Act than under the 1984 Act. For example, of the 43 respondents who received 0 -10 requests under the 1984 Act, 20 respondents received 21 or more requests under the 1998 Act; and of these, 9 respondents received 101 or more requests.
| 1.3 What is the approximate cost to your organisation of dealing with a request? How does this compare with the position under the 1984 Act? |
The following table gives information provided by respondents about the costs of dealing with a subject access request.
| Costs £ | 1998 Act Number of respondents |
1984 Act Number of respondents |
| up to 10 | 7 | 1 |
| 11-50 | 11 | 2 |
| 51-100 | 9 | 2 |
| 101-200 | 11 | – |
| 201-500 | 14 | 2 |
| 501-1000 | 11 | 2 |
| 1001 and above | 17 | 1 |
| Total | 80 | 10 |
The figures in this table need to be treated with caution. The consultation paper gave no guidance on how to assess costs and it is probable that respondents used a variety of methods and assumptions. Many respondents gave their estimates as a range (eg £110 – £350). In these cases the lower figure has been used in compiling the Table. It should be borne in mind that using this approach disguises some very wide ranges: for example £15 - £225 or £100 - £3000. In two cases the minimum was £1,000 or £1,100 and the maximum was £100,000.
Very few respondents were able to provide figures for the 1984 Act. Of the 10 who did, in 5 cases the figures given for costs under the 1998 Act were broadly similar, and in 5 cases they were markedly higher. In addition to the 10 respondents who provided figures, a further 14 respondents said that the costs under the 1998 Act were higher or much higher; and one respondent said that the costs were the same.
| 1.4 Do you find any problems in dealing with subject access requests? If so, what are they? |
Almost all respondents offered comments in response to this question. The most frequently mentioned concerns related to the management of the process of dealing with subject access requests:
identifying from the request which data the data subject wanted;
tracking down all the data requested;
redacting the data (with particular reference to the need to deal properly with third party data);
determining whether any exemptions applied;
"translating" jargon to make it intelligible.
Many respondents said that the process was time-consuming and otherwise resource-intensive; and that it was difficult to meet the time-limit.
Other frequently mentioned concerns included:
problems with interpreting certain of the definitions or other terms used in the 1998 Act (eg the definitions of "personal data" and "relevant filing system") and in deciding precisely what information constitutes personal data;
problems in dealing with e-mails, CCTV and back-up data;
coping with large numbers of requests, "fishing expeditions" and vexatious cases;
the relationship between subject access and other rules (eg those relating to money laundering).
A number of respondents called for further guidance on a variety of points which gave them difficulty.
| 2.1 Should there continue to be a subject access fee or should the fee be abolished? |
The great majority of respondents supported the retention of a fee. A small number suggested that the fee should be abolished either for all requests or for some categories of request (eg health records, first requests, requests made by employees).
Most respondents supported the retention of a fee, although in one case only for manual records. It was suggested that no fee should be charged for health records available electronically.
| If a fee is to be retained: 2.2 Should there be an absolute maximum, as now? If so, what should the level be? |
A large majority of respondents said that they were in favour of an absolute maximum fee (but see Question 2.3). A wide range of maxima were suggested. Almost all were in the range £10 (i.e. the current "standard" maximum) to £55 (ie the current proposed maximum charge, other than for disbursements, under the FOI Act). A few respondents suggested higher figures. A number of respondents pointed out that the fee had been the same since 1987, and suggested that it should be increased to take account of inflation. Some suggested that there should be a higher maximum for requests relating to manual records, because of the greater costs involved. A number of respondents noted the importance of ensuring that the fee structure should take account of the needs of those on low incomes; and that it should not deter genuine applicants.
All the respondents who supported a fee were in favour of an absolute maximum. Suggestions ranged from £10 to £100. Several respondents noted the need not to exclude those on low incomes. One suggested there should be no fee for access to personal data captured by CCTV in public places.
| 2.3 Should cost recovery be permissible? If so, which costs should it cover? Should there be a maximum? |
There were mixed views on the desirability of cost recovery. Nearly half the respondents were in favour of some form of cost recovery for data controllers, while a strong minority were opposed. About half the corporate respondents who favoured an absolute maximum fee (see Question 2.2) also supported cost recovery. A number of respondents recognised that permitting cost recovery would make it more difficult to seek the fee in advance. Several respondents suggested that data subjects should be able to recover the fee if their data had been processed unlawfully.
Many respondents suggested that the costs to be recovered should include some or all of the staff time involved in dealing with requests (eg locating, checking and redacting the information sought), and disbursements (eg the costs of copying, stationery, postage). A number said expressly that the costs covered should be the same as those covered by the FOI Act. Other suggestions made by several respondents included:
limiting cost recovery to complex cases or those involving large amounts of information or "non-standard" media (eg CCTV, X-rays, MRI scans);
recovering delivery costs, in particular delivery by courier;
introducing a sliding scale of charges (eg a fixed charge per page copied).
About a quarter of all respondents commented on the case for a cap on cost recovery. About twice as many thought that there should be a cap, as thought there should be no cap. One situation in which a number of respondents suggested that there should be no cap was where the information provided was to be used in legal proceedings. The few suggestions made for the level at which the cap should be set ranged from £50 to £250, and from 5% to 25% of total permissible costs.
Those individual respondents who commented opposed cost recovery.
| 2.4 Should the arrangements for the subject access fee under the 1998 Act and the fee for individual access under the FOI Act be the same? |
Nearly half of all respondents said that the arrangements for the two sets of fee should be the same. The main reason given for aligning the two fees was to avoid confusion to data subjects and data controllers. Less than a quarter of all respondents opposed alignment, mainly because data protection and FOI were seen as being different. Very few respondents expressed a view on whether alignment of the fees should be based on the data protection model or the FOI model, although there was a slight preference for the latter. The desirability of consistency with the forthcoming Environmental Information Regulations was also mentioned.
The views of those respondents who commented were mixed.
| 3.1 Is the 40 day time limit appropriate or should it be changed? |
Most respondents commented. Almost twice as many said that the current time limit was appropriate as said that it should be changed.
Of the minority of respondents who commented, all said that the current time limit should be changed.
| 3.2 If it should be changed, what should the time limit be? |
The suggested alternative time limits ranged from 20 days to 100 days. Some respondents suggested having a shorter period (eg 7 days or 20 days) as a target with a fixed period as a back-stop. A variant was to set a short period within which access would be given to data that could be located and disclosed immediately, with a longer period for completing the search and any associated work (eg redaction). Many respondents suggested that the time limit should be expressed in working days (as is done in the FOI Act). The period which attracted most support was 40 working days.
Suggestions were for 20 working days or 30 days/one month. All respondents who commented noted that there were problems in practice with data controllers meeting the time limit. It was suggested that arrangements for compensation should be strengthened as an incentive. A detailed time-table for each step in the process was also suggested.
| 3.3 Should there be special arrangements for time-consuming cases? If so, what should they be? |
The majority of respondents said that there should be special arrangements. Two main categories of time-consuming problems were identified: dealing with large numbers of requests which arrive simultaneously (eg as part of a "campaign"); and dealing with intrinsically complex or resource-intensive cases. Examples of the latter included cases involving large amounts of information, or information which is difficult to retrieve (eg because it is archived or dispersed among several sites); and cases requiring consultation with others (eg other individuals identifiable from the data or legal advisers).
Among the respondents who favoured special arrangements, the solution which attracted most support was for the data controller to inform the data subject before the expiry of the normal time-limit of the need for more time, and to agree an extended deadline. A number of respondents suggested that there should be a statutory maximum period as a back-stop. Suggestions for the length of this period ranged from a maximum extension of 10 days to an overall period of 6 months. Variants on this approach included informing, or seeking the agreement of, the Information Commissioner or (less favoured) the Information Tribunal; and requiring data controllers to provide information to the data subject as and when it became available.
A significant minority of respondents were not in favour of special arrangements. The main reason given was the difficulty in defining the grounds justifying special arrangements. It was also suggested that all subject access requests were difficult, and that, if necessary, it was better simply to extend the present time limit. A small number of respondents suggested that access should not have to be given in cases which could not be dealt with within set time/cost limits.
The one respondent who commented did not support special arrangements, on the ground that this would encourage delay.
| 3.4 Should the time limit under the 1998 Act and that under the FOI Act be the same? |
Nearly half of all respondents said that the time limits under the two pieces of legislation should be the same. About a third as many respondents opposed alignment. Of those respondents favouring alignment who expressed a preference, almost all said that the FOI Act time limit should be brought into line with the data protection model, or that there should be a new common limit longer than both the existing limits. A few respondents expressly reserved their position on aligning the time limits since there is no experience of operating the FOI Act regime. The desirability of consistency with the forthcoming Environmental Information Regulations was also mentioned.
| 4.1 Should it continue to be possible for the data controller to require the data subject to provide information to help the data controller locate the information sought? |
Most respondents commented. There was near unanimity that data controllers should continue to be able to ask data subjects for help in locating the information that the data subjects seek. Many respondents said that this was necessary to help data controllers, in particular large or complex organisations, focus their searches and locate the required data more readily, thereby saving time and cost. A number of respondents drew attention to the benefits for data subjects of having their requests dealt with more efficiently. Some saw asking for additional information from data subjects as a way of deterring frivolous or vexatious requests.
Those respondents who commented agreed that data controllers should be able to seek data subjects' help. One suggested imposing a time limit, and punishing frivolous use of the power.
| 4.2 If the provision remains, should there be any limits on the information required by the data controller? If so, what should they be? |
Views on the need for limits on the information data controllers should be able to require were evenly split: about as many respondents supported limits as opposed them. Although the question does not refer to "additional" limits, some respondents apparently interpreted it in this way: a number of those who opposed limits were among the large number who supported a test of "reasonableness", as the 1998 Act currently provides. Other suggestions were that the information must be "essential", "necessary", "relevant" or "not excessive". Some respondents were of the view that it was difficult to prescribe conditions that could be applied generally, and that a case by case approach was necessary.
There were a wide range of suggestions for the types of information that data controllers should be able to seek. A number of respondents thought that this should be the minimum needed to confirm the identify of the data subject and authenticate the information; while others thought that it should be permissible to request more detailed information, such as the nature of the relationship between the data subject and the organisation, the dates on which the data subject had had contact with the organisation and the name of the contact person. Some respondents pointed out, however, that there were limits to the information that the data subject could realistically be expected to provide. There was also concern that data controllers should not be able to use the power to request further information in order to frustrate the subject access request.
One respondent suggested that data controllers' requests for additional information could be confined to subject access requests for Internet data.
| 4.3 What other arrangements could be made to help focus the search? |
A popular suggestion was that there should be a standard subject access application form, either produced centrally by the Information Commissioner or tailor-made by data controllers. A few respondents also suggested that there should be a standard form for data controllers to use in seeking additional information. Another fairly frequently made suggestion was that data subjects should be asked the reason for their request, although it was recognised that requiring data subjects to give reasons would be incompatible with the present approach. Some respondents suggested that those making subject access requests should be put under a duty to co-operate with the data controller, for example by providing certain specified information. Against this, it was suggested that sanctions should be imposed on data controllers who fail to co-operate. Some respondents identified a need for more guidance, particularly on the interpretation of "reasonably required" in section 7(3) of the 1998 Act.
One respondent suggested a certification system for IT equipment used to process personal data.
| 5.1 Should the basic rule be that a hard copy of the personal data sought must be provided to the applicant? If not, what should the rule be? |
About half of all respondents said that the basic rule should continue to be that a hard copy should be provided. Rather fewer thought that provision of a hard copy should not be the rule.
There was wide recognition among all respondents of the need for flexibility and of the desirability of trying to find a means of providing the personal data which satisfied both the data controller and the data subject. No clear alternative model to the present rule emerged. There was some concern that the present rule was too rigid and that there should be greater emphasis on trying to meet the data subject's wishes. A few respondents suggested following the approach taken in the FOI Act (i.e. where the data subject expresses a preference for one of a number of specified methods, requiring the data controller to meet the preference as far as reasonably practicable). Others suggested that the rule should be that the data subject should decide how access should be provided, subject only to impracticability or disproportionate cost. There was considerable support for data controllers being able to provide access by electronic means. But even those who supported this approach recognised that there were security considerations and that not all data subjects could conveniently receive data electronically. Some respondents favoured allowing access to be provided by the most appropriate means. Among other things, this would help meet data controllers' problems in giving access to CCTV data, X-rays and other media which are difficult to reproduce, which a number of respondents noted as a problem.
Those respondents who commented supported the present rule. There was some support for providing access by electronic means.
| 5.2 Are there any other circumstances (ie besides impossibility, disproportionate effort and the applicant's agreement) in which the data controller should be able to provide the personal data sought otherwise than through a hard copy? |
The responses to this question overlapped with those to the previous question to a considerable extent. Few suggestions were made that are not already covered by "impossibility, disproportionate effort and the applicant's agreement". A number of respondents said it would be helpful to have guidance on the interpretation of "disproportionate effort". Two specific suggestions were: providing access on-line for employees (although the difficulties with this were recognised); and providing only a summary where the data subject already has the data, where the data are contained in a standard form or where heavy redaction makes the text unintelligible. Several respondents mentioned the need to cater for people whose sight is impaired.
There were no additional comments.
| 6.1 Should there be a fixed period within which repeat applications do not have to be accepted, or a full cost-recovery fee can be charged? If so what should the period be? |
A strong majority were in favour of there being a fixed period, although a significant minority were expressly opposed. By far the most popular period suggested was 12 months, and there was also strong support for 6 months. Views on whether repeat applications received within the fixed period should not have to be dealt with or should be charged a full cost-recovery fee were mixed.
One respondent suggested that, for Internet data, the period within which repeat applications were permissible should be proportionate to the length of time for which the data were lawfully held.
| 6.2 If there is to be such a period, should there be an exception for repeat applications made in special circumstances? If so, in what circumstances? |
Even among those respondents who said that there should be a fixed period, there was wide recognition of the need for an element of flexibility. In particular, many respondents said that the fixed period rule should be lifted where the personal data in question had changed since the first request, even if the subsequent request came within the fixed period. It was also suggested that repeat applications should be permitted where the data subject had asked for inaccurate data received in response to an earlier request to be amended, and wished to check that the amendments had been made. Some respondents mentioned the need to cater for repeat applications by those who had lost the data from the earlier request.
Recognition of the need for flexibility was strong among those respondents who did not support a fixed period. Many of them recognised the problem posed by repeat applications, but felt that a fixed period was not the answer: circumstances varied, and a case by case approach was necessary. A number expressly supported the present arrangements.
Concern about vexatious or frivolous applications was frequently expressed by both those who supported and those who opposed a fixed period. However, some suggested that the existing arrangements were adequate to deal with such requests.
One respondent mentioned the need to cater for repeat applications by those who had lost the data from the earlier request.
| 7.1 Are any additional exemptions needed in the UK? If so, what should they cover? |
About half of all respondents suggested that the present range of exemptions should be extended. A wide range of suggestions were made. The following list sets out the main sorts of extended or additional exemptions for which a need was identified. The list is not exhaustive.
Personal data provided to the data controller in confidence. Several respondents mentioned the need to extend the current exemption for confidential references to cover those received as well as those given. Some respondents thought that the exemption should cover references relating to the provision of credit.
The need to cover a wider range of investigatory or regulatory activity than that to which existing exemptions apply. Examples given included, but were not limited to, processing by courts, employers' disciplinary proceedings, and financial audit. It was also suggested that exemptions of this kind (including in particular section 29(1) (crime and taxation)) should continue to be available even once the case is closed. Money laundering was mentioned.
Personal data whose retrieval would be extremely onerous and from which the data subject would derive little benefit. The most frequently cited example was back-up or archived data. CCTV used for security/safety purposes in public places was also mentioned.
Personal data already provided to the data subject or available to the data subject by other means. A number of respondents referred expressly to pre-trial disclosure.
The need to protect certain public or private sector interests.
Where providing access would involve disproportionate effort.
"Fine-tuning" the exemption for legal professional privilege in paragraph 10 of Schedule 7; the exemption for journalism, literature and art in section 32; and the exemption for management forecasts in paragraph 5 of Schedule 7.
About a third of all respondents saw no need for additional exemptions. A few suggested strengthening the safeguards when exemptions are used, for example by subjecting the exemptions to a public interest test, by informing data subjects when personal data have been withheld, or by providing a right of appeal to the Information Tribunal. Concern was expressed about withholding health data from patients and about enforced subject access.
One respondent said that there were already too many exemptions.
| 7.2 Is there a case for more closely aligning the subject access exemptions under the1998 Act with the exemptions under the FOI Act? |
About a third of all respondents in principle supported aligning the exemptions in the two pieces of legislation (with those in the forthcoming Environmental Information Regulations also being mentioned). Rather fewer opposed alignment.
The main reason given for bringing the two sets of exemptions closer together was to make things simpler for data controllers and data subjects and prevent confusion. However, even among those who supported alignment some recognised that it might be difficult to do in practice, and expressed reservations given that there was no experience with operating the FOI Act. The main reason for opposing alignment was that data protection and FOI were different, and that not all the exemptions were relevant to both regimes. A number of respondents were concerned that the subject access exemptions should be limited to those that were necessary and not extended for reasons of expediency.
One respondent broadly supported alignment.
The consultation paper was issued to help the Government decide whether the current arrangements for subject access continue to operate satisfactorily or whether changes are needed. The Government is grateful to all the respondents for taking the time and trouble to offer their comments. The responses provide a valuable picture of the way in which the present arrangements work in practice, as well as a wide variety of views about how those arrangements might be improved. The Government is considering the responses carefully and will announce its conclusions in due course.
AEGON UK
Angus Council
APCIMS
Associated Newspapers Ltd
Association of Chief Police Officers
Association of Chief Police Officers for Scotland
Association of Community Health Councils for England and Wales
Association of Pension Lawyers
Association of Personal Injury Lawyers
AXA PPP Healthcare Ltd
AXA Technical Services
Barclays plc
Basingstoke and Deane Borough Council
BBC
Beachcroft Wansbrough
Bracknell Forest Borough Council
Bridgend Local Health Group
British and Irish Ombudsman Association
British Bankers' Association
British Cheque Cashers Association
British Dental Association
British Medical Association
Campaign for Freedom of Information
Cardiff and Vale NHS Trust
Carphone Warehouse
Centrica
Cheltenham & Gloucester plc
Church Commissioners for England and the Archbishops' Council
CIFAS
City of Nottingham
City of York Council
Claritas UK Limited
Clifford Chance
Commission for Local Administration in England
Common Sense Privacy Ltd
Constitution Unit
Co-operative Bank
Cornhill Insurance plc
Cornwell Management Consultants plc
Crawley Borough Council
Crown Prosecution Service
Customer's Voice
Denton Wilde Sapte
Department for Education and Skills
Department for Transport
Devon & Cornwall Constabulary
Direct Marketing Association
Dorset County Council
DSG Retail Limited
East Northamptonshire Council
East Sussex County Council
East Thames Housing Association
Egg plc
Employment Lawyers' Association
Engineering Employers' Federation
Environment Agency
Essex Police
Finance and Leasing Association
Financial Ombudsman Service Limited
Financial Services Authority
Gateshead Council
General Council of the Bar
General Medical Council
Goldfish Bank Limited
Grampian Police
Gwent Healthcare NHS Trust
Halifax and Bank of Scotland plc
Health and Safety Executive
Health Professions Council
Health Records and Data Protection Review Group
HM Customs and Excise
Imperial College London
Independent Healthcare Association
Independent Television Commission
Information Commissioner
Institute of Chartered Accountants in England and Wales
Institute of Credit Management
Institution of Electrical Engineers
Key Housing Association Ltd
KPMG
Law Society
Law Society of Scotland
Leeds City Council
Legal Services Commission
Liberty
Lincolnshire County Council
London Borough of Hammersmith and Fulham
London Borough of Lambeth Council
London Boroughs Data Protection Group
London Investment Banking Association
London Underground Limited
London Waste Ltd
Lord Chancellor's Department Open Government Unit
Mail Order Traders Association
Market Research Society
Medical Protection Society
Mersey Care NHS Trust
Midland Public Authorities Data Protection Group
Ministry of Defence
National Association of Data Protection Officers
National Audit Office
National Grid Transco plc
National Housing Federation
National Learning and Skills Council
Nationwide Building Society
Newcastle City Council
North Wales Health Authority
North West Wales NHS Trust
Nottingham Acute Hospitals Partnership
Office of the Deputy Prime Minister
Office of the Immigration Services Commissioner
Oxfordshire County Council
Parliamentary Ombudsman
Passport and Records Agency
Pembrokeshire & Derwen NHS Trust
Pensions Ombudsman
Police Complaints Authority
Prescription Pricing Authority
Pricewaterhouse Coopers
Prudential UK
Railways Pensions Management
Redcar & Cleveland Borough Council
Royal Bank of Scotland
Royal Mail
Royal Society for the Prevention of Cruelty to Animals
Salford City Council
Scottish Criminal Cases Review Commission
Scottish Executive
Sheffield Hallam University
Simmons & Simmons
Society of Pension Consultants
Solihull Metropolitan Borough Council
South West Information Compliance Group
Standard Life Assurance Company and Standard Life Investments Limited
Standard Life Bank Ltd
Stockport Metropolitan Borough Council
Student Loans Company Limited
Sunderland Community Health Council
Sutton and Merton Primary Care Trust
T-Mobile
Taylor Wessing
Thomas Tunnock Ltd
Thus plc
TLT Solicitors
Torfaen Local Health Group
Transport for London
Travers Smith Braithwaite
Treasury Solicitor's Department
UK Transplant
Universities and Colleges Admissions Service
University of Edinburgh
Warwickshire County Council
Weekenders UK Ltd
Westminster City Council
Anna Baik
Jonathan Bloch
Dr Melody Clarke
Dr John Hyslop
Mr Michael Johnson
Terry Iles
Robert Lauder
Brian Alexander Todd