Responding Effectively To Subject Access Requests

By Author: Nathan Wilson
Total Articles: 8
Comment this article

Any organisation that controls data, whether public or private, large or small, may have to process a subject access request, and, depending upon the organisation and sector/industry, these requests may be regular commonplace occurrences or sporadic exercises. Despite the different aims and objectives between processing a subject access request and disclosing documents as part of litigation, both litigators and data protection lawyers can learn from one another about how to deal with the disclosure as effectively, and as proportionately, as possible.

The challenges facing litigators during e-disclosure exercises, from attempting to navigate the labyrinthine IT landscape of their clients, through to collecting and reviewing the most relevant documents, and then redacting and/or removing documents before ultimately producing the disc losable document set. The sheer volume of electronic data held within a typical IT landscape, the variety of these electronic data, including the ever-increasing sources of it, from the cloud to social media, as well as the more common servers and laptops, and the speed at which organisations ...
... are creating electronic data throws up real challenges. These range from how best to identify the relevant sources of information, to how efficiently and effectively irrelevant data can be culled-down, to how deadlines can be met.

These challenges are also a key consideration for information and data protection lawyers when they are advising clients on how best to process an electronic disclosure request. Timescales for processing subject access requests are strict; from the time that the data controller has ascertained that the person making the request is indeed the data subject, there is 40 days to respond. The data controller is entitled to ask the data subject for further information that may assist in narrowing down their request for information.

Here are ten simple steps for responding to e-discovery subject access requests:

1. Identify whether a request should be considered as a subject access request
2. Make sure you have enough information to be sure of the requester’s identity
3. If you need more information from the requester to find out what they want, then ask at an early stage
4. If you’re charging a fee, ask for it promptly
5. Check whether you have the information the requester wants
6. Don’t be tempted to make changes to the records, even if they’re inaccurate or embarrassing…
7. But do consider whether the records contain information about other people
8. Consider whether any of the exemptions apply
9. If the information includes complex terms or codes, then make sure you explain them
10. Provide the response in a permanent form, where appropriate.

For more information on electronic disclosure and the Electronic Disclosure Reference Model, please check out http://www.cclgroupltd.com/e-disclosure/, email contact@cclgroupltd.com or call us on 01789 261200.

Author:
Nathan is an e-disclosure digital forensics specialist at CCL Group - the UK’s leading supplier of digital forensics, including: computer forensics, mobile phone forensics and cell site analysis services, for more information visit www.cclgroupltd.com