IT Consultancy: Subject Access Requests
Any organisation that controls data, whether public or private, large or small, may have to process subject access requests, and, depending upon the organisation and sector/industry, these requests may be regular commonplace occurrences or sporadic exercises.
All UK residents have the right to request a copy of any information that they believe a company may hold about them. This is known as a subject access request. This right of subject access means an individual can make a request under the Data Protection Act to any organisation that they think is holding, using or sharing their personal information, to supply them with copies of both paper and computer records along with related information.
Responses to subject access requests must be ‘reasonable and proportionate’ and since the maximum amount that can be charged to process a request is £10 (or up to £50 for education/health), it is important for data controllers to be able to respond to subject access requests as efficiently and cost-effectively as possible.
The sheer volume of electronic data held within a typical IT landscape, the variety of this data, including ever-increasing sources, from the cloud to social media, as well as the more common servers and laptops, plus the speed at which organisations are creating electronic data, throws up real challenges. These range from how best to identify the relevant sources of information, to how efficiently and effectively irrelevant data can be culled-down, to how deadlines can be met. And, perhaps the biggest challenge faced by every organisation is how to carry out a reasonable search for documents, whilst ensuring the costs of disclosure remain as proportionate as possible.
Many companies take a non-automated, manual approach when responding to a subject access request. An example of this being an email sent to all staff, asking them to disclose any information they have relating to the individual who has submitted the request. This is neither cost-effective nor efficient.
There is a need for a clearly defined structure and process for dealing with subject access requests – considering the forty day timeframe for response. The clock starts ticking from the time that the data controller has also ascertained that the person making the request is indeed the data subject.
Organisational structure greatly affects how an organisation responds to a subject access request – disjointed departments make it more difficult to respond effectively by the deadline. Joined up processes for dealing with these requests can ensure that whoever receives the subject access request knows the process for dealing with it promptly.
The key is to be prepared. Effective information governance (having your house in order), before a request is even made will make it so much easier to respond when a subject access request, freedom of information request, or regulatory request does arrive.
Over the last six months, CCL has seen an increase in the number of companies approaching us for consultancy on how they can improve their information governance ready for such a request. For more, please call us on 01789 261200 or email firstname.lastname@example.org, or check out http://www.cclgroupltd.com/consultancy
Wayne is an IT consultant at CCL Group - the UK’s leading supplier of IT consultancy and digital forensics, including: benchmarking, security, strategy and computer forensics services, for more information visit www.cclgroupltd.com
|share||like 2||report||34 views|