Any organisation that controls data, whether public or private, large or small, may have to process subject access requests. Depending upon the organisation and its sector or industry, these requests may be regular, commonplace occurrences or sporadic exercises. For more information visit www.cclgroupltd.com
1. IT Consultancy: Subject Access Requests
All UK residents have the right to request a copy of any information that they believe a
company may hold about them. This is known as a subject access request. The right of
subject access means an individual can make a request under the Data Protection Act 1998 to
any organisation that they think is holding, using or sharing their personal information,
asking it to supply copies of both paper and computer records, along with related
information such as why the data is held and who it has been shared with.
Responses to subject access requests must be ‘reasonable and proportionate’. Since
the maximum fee that can be charged for processing a request is £10 (or up to £50 for
certain education and health records), it is important for data controllers to be able to respond to
subject access requests as efficiently and cost-effectively as possible.
The sheer volume of electronic data held within a typical IT landscape throws up real
challenges, as does the variety of that data, which now spans ever-increasing sources, from the cloud
and social media to the more familiar servers and laptops, and the speed at which organisations are
creating it. The challenges range from how best to identify the relevant sources of information,
to how efficiently and effectively irrelevant data can be culled, to how deadlines can be met.
Perhaps the biggest challenge faced by every organisation is how to carry out a reasonable search
for documents whilst keeping the costs of disclosure as proportionate as possible.
Many companies take a non-automated, manual approach when responding to a subject
access request. A typical example is an email sent to all staff, asking them to
disclose any information they hold relating to the individual who has submitted the
request. This is neither cost-effective nor efficient, and it offers no assurance that the
search was complete.
There is a need for a clearly defined structure and process for dealing with subject
access requests, particularly given the forty-day timeframe for response. The clock starts
ticking once the data controller has received the request and any fee, and has
satisfied itself that the person making the request is indeed the data subject.
Organisational structure greatly affects how an organisation responds to a subject access
request: disjointed departments make it more difficult to respond effectively by the
deadline. Joined-up processes for dealing with these requests ensure that whoever
receives a subject access request knows the procedure for handling it promptly.
The key is to be prepared. Effective information governance (having your house in
order), before a request is even made will make it so much easier to respond when a
subject access request, freedom of information request, or regulatory request does
arrive.
Over the last six months, CCL has seen an increase in the number of companies
approaching us for consultancy on how they can improve their information governance
in readiness for such a request. For more, please call us on 01789 261200, email
contact@cclgroupltd.com, or visit http://www.cclgroupltd.com/consultancy. CCL is the UK’s
leading supplier of IT consultancy and digital forensics, including benchmarking,
security, strategy and computer forensics services.