GDPR didn’t “invent” the Right of Access – but it did raise its profile, remove the fee and enhance the requirements. Sure enough, many organisations have seen an increase in the number they receive – and the headaches that come with it.
Some organisations worry whether they are including all in-scope information in their response. Others worry whether they are including information they shouldn’t and almost all organisations worry about the amount of time their employees spend away from the ‘day job’ fulfilling them.
The good news is, all these problems can be solved. Here are our top tips to take the stress away.
Subject Access is just eDiscovery in a new hat
If you have ever had to preserve electronic evidence for a legal case, you will be familiar with eDiscovery – or the Electronic Discovery Reference Model, to give it its full title. This nine step process should be the basis for your Subject Access Request (SAR) process.
1. Information Governance
This means keeping your data well organised so you can find it easily. Your Records of Processing will tell you what type of information is held where, but do you know how to extract it? You should ensure you have documented Standard Operating Processes for each filing system, explaining how to structure a search that collects all the in-scope information and minimises the number of ‘false positives’.
This means locating the in-scope information. The makes it clear that, while organisations can’t query or challenge a request for information, they can clarify what information is acceptable to fulfil the SAR. Very few people actually want ‘everything’. Having confirmed the in-scope information, this needs to be specified in a way that can be turned into rules for a database or physical archive search.
This means ensuring that information is protected against alteration or deletion. Depending on the purpose of the SAR, you may need to stop information being deleted as part of your normal data retention and erasure processes – or you may not. You need to ensure this is communicated clearly to the data owners. You also need to ensure that data is not deleted or altered in the process of extracting it – a particular risk where the information may be incriminating or the location is unstable.
This means gathering the information together centrally for use in the eDiscovery process. This process may be the only time all the in scope data is held together in one location so it’s essential to ensure it is appropriately secure. It also needs to be appropriately structured to facilitate the next two steps.
This means performing an initial review of the data to identify ‘false positives’ – information that is irrelevant to the request, perhaps because it is not personal data, or not personal data relating to the data subject, or not in scope of the request. Completing Stage 2 well should minimise the amount of data in this category.
This step is a detailed review of the remaining data, with a view to removing any information that must lawfully be redacted. This may include health information that a health professional considers would be harmful if released, information held in connection with an investigation or legal case, or information that is otherwise exempted or legally excluded from the SAR.
The next step is more complex. At this stage, you may be removing information that you are unable to find a lawful basis to include. For example, personal data may belong to more than one individual (for example, emails or joint accounts) and you may need consent in order to release it. If consent is necessary and you are unable to collect it, you will need to redact this information too. Depending on the purpose of the SAR, you may also want to consider the implications of the information located – for example, if it provides evidence of wrongdoing. It’s important to note that this is not a reason not to provide the information, however you may need to investigate what you find, or start preparing for any action the data subject may take on receipt. Where information is held in a coded format, you may need to prepare a key to help the recipient understand it.
This stage means readying the information for release. Information may be held and prepared in many formats, but the law requires it to be released in a commonly used format, such as pdf. The purpose is to ensure that the data is usable by the recipient. It is not necessary to translate information into another language or transcribe it, just make the format accessible.
This stage means providing the information to the recipient. At this stage you need to consider how you will ensure that the information is only made available to the individual with the right to receive it. On the flip side – you also need to consider how you would recognise, mitigate and recover a data breach.
There are tools that can help with this. The best automated redaction tools can significantly reduce the time it takes to complete stages 5-8 if they are properly configured for your organisation. Similarly, detailed operating procedures and good training can make the processes of identifying and collecting data much faster and should be considered together to ensure that the information collected can be converted into a useful technical specification for the search.
Don’t forget governance
Producing Subject Access Requests is a risky business and it is essential that you have appropriate control measures in place.
At the beginning of the process, you must ensure that the individual making the request has the right to receive the data. If you already have enough information to verify this, you cannot ask for more – and you also can’t use a verification process to artificially slow the production process. However, Subject Access Requests are clearly an opportunity that nefarious types could use to gain unauthorised access to information. You should consider whether your current identification and verification processes are appropriate for SARs.
Once you are satisfied that the SAR is valid, you will need to grant otherwise unprecedented access to organisational data in order to collect the information. Individuals who can collect data for a SAR have access to everything. That includes all HR files, the CEO’s emails, private photographs, location data… everything. These individuals are particularly attractive targets for hackers and, if sufficiently nosy or disgruntled, have the potential to wreak havoc in their own right. You need to ensure that your access control policy and procedures, audit programme and HR documentation are sufficient to manage these risks.
Most SAR processes can be made significantly more efficient. As well as reducing the financial cost of compliance, an efficient process will also reduce the opportunity cost from the diversion of resources. If your organisation hasn’t already covered the tips in this post, addressing them will pay dividends.