The Outsourced DPO remembers the very first subject access request he undertook on behalf of a client 12 or more years ago and since then has provided SAR support on many occasions. Last week DPP attended the National Housing Federation’s governance conference in London and re-launched its SAR support service building on the multi-year experience of its consultants and support desk.
All SARs follow a defined path and one that we have recently built as a workflow process into our DataWise compliance platform. Where we can help in a SAR is a) in the initial validation and qualification process; b) through the application of redaction and exemptions, and/or c) sense-checking a client’s redactions and use of exemptions.
This week DPP has been helping out with three SARs for clients. Those familiar with handling complex SARs with large volumes of data will no doubt have some sympathy for DPP’s Redactors. The documentation for review comprises: emails to which the requestor was party and emails between other people about the requestor; informal meeting notes and official meeting minutes; reports by third parties; images and recordings; and a variety of other information supplied in a range of formats including humungous PDFs, MP3s and ZIP files containing hundreds of emails and attachments.
Step 1: Inventory
Our first job is to catalogue the information provided and ensure our team can handle the various document formats. While this can be a laborious and time-consuming process it this helps to get a feel for the documentation and identify duplicates for example emails contained in email trails etc. Our goal at this stage is to create an inventory of unique documents. A typical inventory could for example be:
|Doc 001||Bill’s Emails May to Nov.PDF||page 1 – 28||Deloitte report into xyz|
|Doc 002||Bill’s Emails May to Nov.PDF||page 29 – 31||Email from [email protected]: dd/mm/yyyy hh:mm: subject: etc.|
|Doc 203||Helena’s Emails Feb to July.PDF||page 809 – 811||duplicate of Doc 2|
We also convert and consolidate files at this point, for example creating a PDF of a collection of emails provided as a .ost file. Once we have the inventory we can control who does what with which pages of which file and monitor and report on our progress.
Step 2: First pass redaction review
The first pass review involves one or our Redactors reviewing the documentation and highlighting for disclosure information that comprises the personal data of the requestor. Anything highlighted is to be disclosed; anything not highlighted is for redaction. This is usually not as simple as it sounds as the context of each document is usually relevant as to whether the information relates to the requestor and enables them to be identified. In an ideal world you’d be able to simply search a document for known search terms, such as first name and last name of the requestor, and review everything that is found but this is not usually possible for several reasons. For example, a PDF may contain scanned documents which appear as images rendering their contents unsearchable, or a situation may arise where a document is obviously about the requestor without necessarily mentioning them directly. Search engines find these kinds of fuzzy searches difficult to perform with any degree of accuracy at the moment.
At the end of this process we have a series of files containing highlighted passages we suggest should be disclosed to the requestor.
Step 3: Second pass (QA) review
The second pass review involves a different Redactor reviewing the information highlighted for disclosure and approving or amending the highlights as well as highlighting information that we believe may be subject to a disclosure exemption. Again this is not necessarily as simple as it may seem – just because an email is marked as “subject to legal privilege” or “confidential” does not mean that a disclosure exemption can be applied. It takes experience, skill and context to determine if exemptions are applicable – and usually it also requires consultation with our client.
Step 4: Client consultation
Following consultation our SARs team will apply the redaction to the documents and create a disclosure bundle for the requestor and a summary report for the client. In an ideal world this will include a list of the redactions made along with a justification either as comments in a PDF and/or marked up on the inventory but we are always working against the clock and clients may instruct us to simply redact documents and prepare them for disclosure.
We understand that to some people, the thought of reading and marking up thousands of pages of documentation is a incredibly dull work and an interruption to their normal job. To us, there is immense satisfaction in turning a bundle of accurately redacted information over to a client as well as an inventory of the documentation reviewed and the redactions/exemptions applied. The Outsourced DPO is confident that Data Protection People’s SAR support service results in the provision of accurately redacted information being prepared for data subjects and having an external team working on SARs reduces the opportunity for redactor fatigue and bias.
Process is important
Over the years it has also been apparent that having a robust process and audit trail is vitally important in the event that the data subject makes further enquiries or challenges the disclosure and if the ICO “calls in” the SAR following a complaint. Without a robust process and audit trail it is our view that controllers bake doubt into their SAR processes and find themselves on rocky ground in the event of a challenge.
For more information about DPP’s SAR Service please refer to our website or contact [email protected]