DIGITAL INSIGHT EDITION 3
IN THIS EDITION
SUBJECT ACCESS REQUESTS – WHAT WILL IT COST YOU TO RESPOND?
This right of subject access means an individual can make a request under the Data Protection Act to any organisation that they think is holding, using or sharing their personal information, to supply them with copies of both paper and computer records along with related information. Conversely, any organisation that controls data, whether public or private, large or small, may have to process subject access requests, and, depending upon the organisation and sector/industry, these requests may be regular commonplace occurrences or sporadic exercises. Responses to subject access requests must be ‘reasonable and proportionate’ and since the maximum amount that can be
01789 261200
|
> Rise of the cryptocurrencies
> About CCL
The sheer volume of electronic data held within a typical IT landscape, the variety of this data, including ever-increasing sources, from the cloud to social media, as well as the more common servers and laptops, plus the speed at which organisations are creating electronic data, throws up real challenges. These range from how best to identify the relevant sources of information, to how efficiently and effectively irrelevant data can be culled-down, to how deadlines can be met. And, perhaps the biggest challenge faced by every organisation is how to carry out a reasonable search for documents, whilst ensuring the costs of disclosure remain as proportionate as possible.
|
> IT benchmarking
> First Response course
charged to process a request is £10 (or up to £50 for education/health), it is important for data controllers to be able to respond to subject access requests as efficiently and costeffectively as possible.
WWW.CCLGROUPLTD.COM
> Thoughts for the month
> The real CSI
by Peter Cogger
All UK residents have the right to request a copy of any information that they believe a company may hold about them. This is known as a subject access request.
> Subject access requests
In our experience, many companies take a non-automated, manual approach when responding to a subject access request. An example of this being an email sent to all staff, asking them to disclose any information they have relating to the individual who has submitted the request. This is neither cost-effective nor efficient. There is a need for a clearly defined structure and process for dealing with subject access requests – considering the forty day timeframe for response. The clock starts ticking from the time that the data controller has also ascertained that the person making the request is indeed the data subject. Further, the data controller is also entitled to ask the data subject for any additional information that may assist in narrowing down their request for information, such as trying to understand exactly what information the data subject requires.
Continued on page 6…
INFO@CCLGROUPLTD.COM
1