Fixing the resource challenge of subject access and FoIA requests
The Outsourced DPO has been out on the road this week visiting a variety of customers and prospects … meanwhile back in Leeds, DPPs support team has been busy handling subject access requests on behalf of a number of clients, and our DataWise developer has been enhancing the way that DataWise supports request management.
From discussions with customers and prospects, the resources needed to handle data subject rights requests (DSRR) and freedom of information requests (FoIAR) is seen as a growing issue. Those, such as local authorities with dedicated resources to handling information rights requests, are finding that those specialist teams are snowed-under with little additional capacity. One large, complex, “give me everything” kind of subject access request is very resource hungry and causing them pain. Those without the resources are finding that when they do receive a request, they have to pull people off other tasks to handle the request.
A good example of this is a school we work with who have received three dSARs in quick succession and had to enlist every secretary and admin assistant in the school to ensure that the requests were responded to on time. The danger with this approach is that generally these people, while willing to help, are not trained nor experienced in techniques such as redaction. They don’t necessary understand the nuances of redaction and that references to “him” might be sufficient in the context to identify an individual and they certainly would not have the confidence to exclude information from disclosure based on an exemption set out in the Data Protection Act. They may also not have the space to handle information securely nor the software to undertake effective irreversible redaction.
As we know, the process for handling requests from data subject to exercise their rights has a very clear and structured flow and the time-consuming, resource-hungry elements are the review of information resulting from an information search and the application of redaction and exemptions. But the redaction piece is vitally important because a) it ensures data controllers comply with the requirement of Article 15(4) of the GDPR that, the right to obtain a copy of the personal data undergoing processing shall not adversely affect the rights and freedoms of others, and b) it ensures that other information that does not comprise personal data but which may be contained in documentation caught in the information search such as commercially sensitive information is also redacted.
Some DPP customers simply want to know that we are available in the event of it raining dSARs while others wish to contract out the entire management and handling of rights requests. The benefit of using an external service such as DPPs is that the external support team is fully trained in data protection law, in particular how it relates to individual rights, and have experience of the practicalities of handling them. It’s team based so not just one person making decisions, redaction can be “double entry” to reduce the risk of error, and they have the right equipment and software to apply and explain redactions and exemptions. It’s also scalable so that large and complex requests can be accommodated without having to carry the cost of a large, trained DSSR/FoIAR team.
The Outsourced DPO is also itching to get the enhancements to DataWise concluded and deployed. Once they are nearing completion, DPP will release further information about how the enhanced functionality helps us to manage and keep track of requests.
Phil Brining, May 2019