Subject Access Requests: managing the process with minimum pain

26 April 2017 by Adrienn Toth

What is a Subject Access Request?

Under section 7 of the Data Protection Act 1998 (DPA), individuals are entitled to access the information that an organisation holds about them. The majority of subject access requests arise from former employees who are engaged in a dispute. However, in this privacy-conscious age, some individuals may simply want to know what personal information a company is holding.

How common are Subject Access Requests?

Because requests only cost £10, more companies are receiving requests from disgruntled ex-employees who want to know what information their former bosses have on them.

How do I fulfil a request?

Delivering the information held on an individual can be surprisingly challenging. Businesses must carry out detailed searches which can include information held in emails, databases, paper records, CCTV records and spreadsheets. In the age of big data, what seems like a simple request on the surface can quickly become complicated and time-consuming.

Once collected, the data must be disclosed in an intelligible form. Where necessary, companies must include supplementary explanatory information (e.g. if codes have been used) and supply context to the data that has been held, outlining:

  • What personal data has been collected?
  • How was the data obtained and from which sources?
  • Why was data pertaining to the subject processed?
  • Who has received data about the subject?

What can be done to make the process easier?

1. Get your house in order

Sprawling data estates and inconsistent approaches to archiving can make searches difficult and inaccurate. Improving information governance in general is best practice, not only for handling subject access requests but for compliance with other legislation such as the GDPR.

2. Nominate a point of contact

Subject access requests must be completed within 40 days of receiving the request. Given the breadth of information held, the request is often handled via multiple departments. Cooperating across departments can be challenging and 40 days can quickly disappear. Nominating a single person or department to handle such requests is a great start in streamlining the process and meeting the deadline.

3. Use technology

Ediscovery technology is designed specifically to search, filter and analyse data, making it ideally suited for responding to subject access requests. Ediscovery consultants can advise on how to collect, search, review and produce the data in an efficient, cost-effective and expedited manner.

4. Get expert advice

We guide our clients to consider various sources of information and advise on how to get the data extracted most easily. This may include email systems, server file shares, document management systems, cloud platforms and structured databases such as HR systems or accounting systems.

5. Protect personal data belonging to others

Personal data is often tangled with data belonging to other people or data that is confidential to the company. It is easy to let data pertaining to someone else slip through the net and, in trying to comply with the Data Protection Act, actually end up breaching it.

Information should be carefully reviewed before being handed over to the data subject. Managed document review services can assist by reviewing the documents in accordance with your guidelines and flagging any concerns about data.

To find out more about managing subject access requests, please contact one of our consultants.