Perspective in Practice: The Unseen Danger; Data Subject Access Requests
Now that we have crossed over into the new regulation for the protection of data, there are troublingly clear indications that preparations have not been as rounded as they need to be.
The ICO did not knock on the door of every organisation in the UK at one minute past midnight on 25 May to demand to see evidence of compliance with the new regulation, the GDPR as enacted in the DPA 2018.
Battering-rams-at-dawn was never going to happen, but the ICO knows what it is looking for, and the wealth of intelligence and insight at its disposal as to ‘problem areas’ is becoming richer every day. And yes, whilst they have their eyes on everyone, some sectors and industries in particular are inevitably going to find themselves under the spotlight.
In a professional capacity I’ve spoken with dozens of people at work since 25 May and I’m delighted to report that (at least amongst the organisations with which I’ve had first-person contact) alertness for data breaches is good. So too is the knowledge of the timeframes for reporting to the regulator and to the data subject(s), and of the lines of internal reporting in the event of concern about a breach.
That’s good news; now, for the bad.
All of the professionals that I’ve spoken to are doing their best to stay frosty and on the lookout for some of the more obvious potential breaches of personal data, such as sending an email to the wrong recipient or a cyber attack. And so they should be; there is a lot of communication about these aspects.
Indeed, if there is harm to an individual or individuals as a result of a breach of personal data, the ICO (and other industry/sector regulators) are applying the due penalties.
But what about not complying with the rules themselves?
A small breach of minimal impact may raise an eyebrow at the ICO, but in isolation it might not trigger an audit or visit from the regulator; after all, one-off accidents happen. But, disregard (by accident or by design) for the rules governing the rights of data subjects could result in far more expeditious interest from the ICO, and ignorance will not be a valid excuse.
The ICO appears to be taking the line that it would rather see organisations doing everything reasonable they can to protect the rights of data subjects. In other words, the ICO would like to encourage a healthy data culture and landscape. So, an email sent to the wrong recipient could be a one-off lapse of concentration, whereas an organisation that does not understand the rules at all, or is not prepared to enforce them, is likely to be the cause of not one but several breaches in the fullness of time.
That is, if an organisation has not appropriately briefed or trained its staff or put effective controls in place, and this results in a breach of the rules, the ICO could quite reasonably ask the question: “Well, what else have they missed?”
Within this context, there is an aspect (one of many) that I am watching with great interest because it could be a minefield for organisations (and potentially, in due course, a source of income from litigation for those in that line of business).
To test the water, in discussion with dozens of professionals, I’ve presented a fictitious scenario where a data subject has asked the organisation for the details of the personal data that the organisation is holding about them.
The upshot was, of the dozens that I spoke to, only two people recognised that the scenario was actually a Data Subject Access Request (‘DSAR’).
The ICO’s guidance sets out that a DSAR could be presented to an organisation by a number of means, including verbally, by email, by text message, in writing, etc.
Under normal conditions, organisations have one month only to process a DSAR. Failure to do so is a breach of the rules.
Picture this scenario:
You run an air-conditioning maintenance business and you have a team of 30 or so individuals, comprising employees and contractors. From time to time, employment or contracts end, which could result in some individuals being less than pleased with the termination of their work with you.
A few weeks after having their work terminated, one such individual pings an email to your ‘info@’ email address asking for, ‘the information that you have on me’.
He has sent it to the ‘info@’ email address which only gets checked once every few weeks and the person who checks it is relatively junior/inexperienced in the organisation.
The requester is not an expert in this area of regulation and his email certainly didn’t include the word ‘data’ or ‘subject’ or ‘access’ or ‘request’. But what he has done is leave a clear footprint that he has initiated a DSAR.
The clock is now ticking; the organisation has no more than 30 days to deal with the request. The chances are (and indeed, the evidence I have received so far certainly points this way) that, even if the request is picked up in reasonable time, the person who reads it may not understand what it is they have actually received.
Or, perhaps this scenario:
An estate agent receives an enquiry from a homeowner who has dropped by the high street office in Anytown because they are considering selling their property. At the request of the individual, the estate agent writes back to them with general information about their services and pricing. To be able to write to the homeowner, he must have their name and address, at least.
Because it was a ‘prospect’ letter, perhaps the file hasn’t been stored on the estate agency central register of client/potential client information.
Two weeks later, the same homeowner visits another branch of the same estate agency, on the high street in Anyvillage. It’s lunchtime and the member of staff at the reception desk is the only person available at the time. The homeowner isn’t ready to instruct the agency yet, but asks them if they could just “…refresh her memory as to what information the agency has about her.”
The homeowner has potentially just initiated a DSAR. But, there is a risk that even if the member of staff on the reception desk takes the trouble to call the agency’s other local offices, the homeowner might not appear on the central system even though the agency does in fact have the homeowner’s personal data.
The legal sector has some additional challenges in this respect. Clients can ask the firm to provide them with their matter (‘case’) file. On the other hand, clients might simply issue a legal practice with a DSAR (albeit it is highly unlikely that the term ‘DSAR’ will actually be used by the client). The legal practice could make a charge for the former, but could get into trouble for making a charge for the latter. It’s important that staff understand the difference.
Data protection is rather a lot like cybersecurity; error or inaction by people is the cause of almost all breaches. Conversely, people who are aware of the risks and what to look out for are without doubt the first and very best line of defence.
I’m not convinced that there isn’t opportunity for civil legal practices in this area of law, where organisations fail to meet their DSAR obligations to data subjects, giving rise to subsequent hardship for the data subject.
In any case, I’ll be presenting more ‘hypotheticals’ to professionals over the coming months to measure the awareness of this ‘hidden danger’. Watch this space for more news…