All posts tagged data protection

Subject Access Requests: managing the process with minimum pain

Subject Access Request

What is a Subject Access Request?

Under section 7 of the Data Protection Act 1998 (DPA), individuals are entitled to access the information that an organisation holds about them.  The majority of subject access requests arise from former employees who are engaged in a dispute.  However, in this privacy-conscious age, some individuals may simple want to know what personal information a company is holding.

How common are Subject Access Requests?

Because requests only cost £10, more companies are receiving requests from disgruntled ex-employees who want to know what information their former bosses have on them.

How do I fulfil a request?

Delivering the information held on an individual can be surprisingly challenging. Businesses must carry out detailed searches which can include information held in emails, databases, paper records, CCTV records and spreadsheets. In the age of big data, what seems like a simple request on the surface can quickly become complicated and time-consuming.

Once collected, the data must be disclosed in an intelligible form.  Where necessary, companies must include supplementary explanatory information (e.g. if codes have been used) and supply context to the data that has been held, outlining:

  • What personal data has been collected?
  • How was the data obtained and from which sources?
  • Why was data pertaining to the subject processed?
  • Who has received data about the subject

What can be done to make the process easier?

1. Get your house in order
Sprawling data estates and inconsistent approaches to archiving can make searches difficult and inaccurate. Improving information governance in general is best practice, not only for handling subject access requests but for compliance with other legislation such as the GDPR.

2. Nominate a point of contact

Subject access requests must be completed within 40 days of receiving the request. Given the breadth of information held, the request is often handled via multiple departments. Cooperating across departments can challenging and 40 days can quickly disappear. Nominating a single person or department to handle such requests is a great start in streamlining the process and meeting the deadline.

3. Use technology

Ediscovery technology is designed specifically to search, filter and analyse data, making it ideally suited for responding to subject access requests. Ediscovery consultants can advise on how to collect, search, review and produce the data in an efficient, cost-effective and expedited manner.

4. Get expert advice

We guide our clients to consider various sources of information and advise on how to get the data extracted most easily. This may include email systems, server file shares, document management systems, cloud platforms and structured databases such as HR systems or accounting systems.

5. Protect personal data belonging to others

Personal data is often tangled with data belonging to other people or data that is confidential to the company. It is easy to let data pertaining to someone else slip through the net and in trying to comply with the Data Protection act, actually end up breaching it.

Information  should be carefully reviewed before being handed over to the data subject. Managed document review services can assist by reviewing the documents in accordance with your guidelines and flag any concerns about data.

To find out more about managing subject access requests, please contact one of our consultants.

 

The danger of ‘deleted’ data

data theft, deletion

What computer forensics experts talk about when they talk about deletion

As computer forensics specialists, we are often asked about deleted data. Is something truly deleted? Can deleted data be recovered? What should we do with old laptops? We thought the best way to answer these questions would be to conduct an experiment to show that in computer science, deletion is more of a spectrum than a binary state. The experiment also demonstrates the importance of protecting data, even when the device is no longer in use.

Introducing Project Gumtree

Armed with just £20, we responded to an advert on community selling portal, Gumtree and purchased four ostensibly clean hard drives from the seller, who had advertised them as coming from old family laptops.  After payment and collection, we handed over the drives to our forensics team.

The first step of any forensics investigation is undertaking a procedure called ‘imaging’. Forensic imaging involves creating an exact copy of the hard disk, enabling investigations to be conducted without endangering or tampering with the original data held on the disk. Once we had imaged the Gumtree drives, the real investigation could begin.

Upon initial inspection, three of the hard drives appeared to be blank, as promised by the seller. The fourth simply showed the Windows base installation menu.  For the average domestic user, the seller’s privacy would have been protected but the first rule of forensics is deleted does not always mean deleted and we anticipated that we would be able to extract data from the seemingly blank disks.

Lost and found

Once we examined the imaged drives closely, we uncovered an incredible amount of information. Below is an overview of exactly what we found on each disk:

Data recovered from Disk 1

  • 1400 PDFs
  • 500 Excel Files
  • 200 Word Docs
  • 8 Powerpoint Presentations
  • 40,000 picture files

Although the seller had originally described the disks as coming from family machines, the information recovered suggested otherwise, with numerous documents detailing expenditure in excess of £120,000 on roof lights and £170,000 on installing cladding on a bridge walkway.  The drive also contained other invoices for tens of thousands of pounds as well as a cache of foreign language documents, all which suggested the disk was not used in a domestic context.

Data recovered from Disk 2

Disk 2 was the drive which had a visible base windows installation but nothing else.  However, once again we were able to recover a lot of data, the majority of which consisted of confidential documents taken from the internal file sharing system, Sharepoint. Files held on Sharepoint are for internal viewing only and therefore should not have been saved on the laptop, providing furher evidence that the seller of the drives had perhaps obtained them via dubious means.

Data recovered from Disk 3

Disk 3 also yielded some interesting data. We found 3,800 Google search terms that provided a great deal of insight into the life of the previous owner. For example, we saw that the owner had searched for Patisserie Valerie bakeries, swiftly followed by a search for gyms in a particular area. More intriguingly and perhaps disturbingly, hidden amongst quotidian work documents was a raft of files relating to philosophy and the occult.

Data recovered from Disk 4

Of all the data recovered from the drives, Disk 4 contained the most sensitive information. Unfortunately, our in-house counsel has advised that we cannot go into detail about the contents of the drives as they contain data related to the UK government as well as CCTV footage.

By the end of the exercise, it was clear that the drives were not from family computers. In total, we recovered around 10,000 official documents and there is evidence that they come from the same government department. Kroll Ontrack is currently taking steps to return the data and the disks to that department so they can conduct their own investigations as to how the data was stolen.

How to disappear completely

The difficulty of truly deleting data from devices is something of a double-edged sword. On the one hand, if data appears to be lost, chances are that with the assistance of an experienced forensics technician, the data can be recovered. Yet, if a company disposing of devices capable of storing data (which comprises of a surprisingly long list including satellite navigation systems, mobile phones, USB sticks and more), the information stored on there could potentially be accessed by a third party unless actions are taken to forensically delete date the data.

We would recommend that companies disposing of devices capable of storing data should contact a forensics provider to ensure all confidential data is unrecoverable by third parties.

If you would like to find out more about how computer forensics can help you support and secure your business, please join us for a breakfast seminar in Central London on 6th April.  The seminar is specifically designed for those working in human resources or employment law.  Please click here to register your place.