Some of the older people may remember back last year, I was having all sorts of issues with Square Enix, being jailed for no reason at all, billing issues, everything. I made a complaint to The Information Commissioners Office as I'd asked Square Enix for logs relating to my account, which they refused to provide as "it's not Square Enix policy". This is detailed in This thread
One year down the line (unfortunately these things take time), and the ICO have confirmed that Square Enix are in breach of The Data Protection Act 1998 Principles 6 & 7. The full response from the ICO is below.
Quote:
I write further to my letters of 26th July and 13th September 2010 concerning your complaint about the processing of your personal information by Square Enix Ltd. As I have alread explained, our duty in relation to your complaint is to make an assessment. An assessment is a view or opinion about whether it is likely or unlikely that Square Enix Ltd complied with the principles of the Data Protection Act 1998 (the DPA) in the situation that you described to us.
You were concerned that Square Enix Ltd had refused to respond to your subject access request dated 11th August 2009.
The sixth principle says:
"Personal data shall be processed in accordance with the right of data subjects under this Act"
From the information you provided I was not able to make my assessment. I asked Square Enix Ltd for their views and they have now provided the information I requested.
As you were aware from my letter of 13 September, I had received a response from Square Enix Ltd, explaining that you would be provided with your personal data subject to certain redactions, primarily regarding third party information. I had therefore requested further information regarding these redactions in order to be sure that these are justified.
With regards to your original request, Square Enix Ltd maintain that it was not received into their offices. Although I note that you had provided proof of delivery, Square Enix Ltd explained that they had moved offices around the time your request was sent. Your request was sent to their old offices, where they no longer had any staff based. They cannot therefore account for who signed for this letter. Additionally, Square Enix Ltd maintain that the email of the 23rd September 2009 in which a letter was acknowledged was sent in error.
It might be helpful to explain that we make our assessments on the balance of probabilities, and on this balance of probabilities, we accept that proof of delivery is sufficient evidence that a letter has been received. Additional to this, in order to comply with the seventh principle of the DPA an organisation must ensure that appropriate security measures are taken to protect personal data. This appears particularly significant where an organisation moves offices and cannot account for mail received and signed for at the old office.
In terms of the information which Square Enix Ltd propose to provide you in response to your subject access request, we are of the view that much of the redacted information can in fact be provided to you.
This is because although third party information may be available, it is nothing that you would not already be aware of.
From all of the information that is now available to me, it appears that Square Enix Ltd have failed to comply with the sixth principle in this case. This is because on the balance of probabilities it appears that your subject access request was received into their offices, and we believe that the redactions they have proposed are excessive.
In light of this it is my assessment that it is unlikely that Square Enix Ltd have complied with the DPA in this case.
You were concerned that Square Enix Ltd had refused to respond to your subject access request dated 11th August 2009.
The sixth principle says:
"Personal data shall be processed in accordance with the right of data subjects under this Act"
From the information you provided I was not able to make my assessment. I asked Square Enix Ltd for their views and they have now provided the information I requested.
As you were aware from my letter of 13 September, I had received a response from Square Enix Ltd, explaining that you would be provided with your personal data subject to certain redactions, primarily regarding third party information. I had therefore requested further information regarding these redactions in order to be sure that these are justified.
With regards to your original request, Square Enix Ltd maintain that it was not received into their offices. Although I note that you had provided proof of delivery, Square Enix Ltd explained that they had moved offices around the time your request was sent. Your request was sent to their old offices, where they no longer had any staff based. They cannot therefore account for who signed for this letter. Additionally, Square Enix Ltd maintain that the email of the 23rd September 2009 in which a letter was acknowledged was sent in error.
It might be helpful to explain that we make our assessments on the balance of probabilities, and on this balance of probabilities, we accept that proof of delivery is sufficient evidence that a letter has been received. Additional to this, in order to comply with the seventh principle of the DPA an organisation must ensure that appropriate security measures are taken to protect personal data. This appears particularly significant where an organisation moves offices and cannot account for mail received and signed for at the old office.
In terms of the information which Square Enix Ltd propose to provide you in response to your subject access request, we are of the view that much of the redacted information can in fact be provided to you.
This is because although third party information may be available, it is nothing that you would not already be aware of.
From all of the information that is now available to me, it appears that Square Enix Ltd have failed to comply with the sixth principle in this case. This is because on the balance of probabilities it appears that your subject access request was received into their offices, and we believe that the redactions they have proposed are excessive.
In light of this it is my assessment that it is unlikely that Square Enix Ltd have complied with the DPA in this case.
So what does this mean?
Not a lot for those outside the UK I'm afraid. I'm only aware of UK law, but this investigation by the ICO means that it should now be easier for anyone in the UK to get information on their account and the information the SE hold, related to bannings, and the kind of action taken.
Potentially, this could lead to a damages claim from myself against SE. But I'm not interested in that or money, I just want them to be more open with the player base. It's also a good chance for them to get their FFXIV service spot on.
I'll update with any further developments.