Search

Don’t get caught out by subject access requests

The right of individuals to access the information an organisation holds about them is an important safeguard and a cornerstone of data protection. Garreth Cameron, group manager (business and industry) at the ICO, explains more

LinkedIn Twitter

Whatever business you’re in, if you hold personal data, you will probably have to respond to a request at some point.

 

Subject access requests happen to be the top cause of complaint to the ICO, accounting for 46 percent of cases we receive.

 

We know that when businesses fail to respond properly to a subject access request it can end up costing them time, money and reputational damage.

 

What concerns do individuals raise with us?

 

We often see cases where a subject access request is made following a dispute with a customer or employee that hasn’t been resolved, or has been badly managed.

 

If you can avoid a position where the requestor feels their only option is making a subject access request, you stand a good chance of not receiving a request in the first place.

 

The importance of good customer service and a pragmatic approach cannot be overstated.

 

A disgruntled requestor may be motivated to complain if you’ve clearly not met legal obligations. Failing to respond within the statutory 40-day time limit is a common problem.

 

We understand it can take time to get the information required together and review it.

 

On the records

 

Good records management is key to ensuring information can be easily identified and retrieved. Of course, you shouldn’t be retaining information you no longer have a justifiable need for anyway.

 

It goes without saying; you should be conducting an extensive search for the data, because failing to provide something the requestor knows you hold, is a sure fire way to a concern being raised with the ICO.

 

In some cases individuals’ requests are just plain ignored. While in a low number of cases it may be reasonable to inform a vexatious customer that you are ceasing contact with them, you’re still obliged to respond to their subject access request if they make one.

 

In other cases we see, organisations fail to identify receipt of a request. It’s important that frontline staff are trained on individuals’ rights individuals, and know how to respond when a request is received.

 

Extra care is needed to ensure information about third parties is not inappropriately disclosed.

 

We recently fined a GP surgery £40,000 after the practice revealed confidential details about a woman and her family to her estranged ex-partner, after he made a subject access request.

 

It’s about control

 

Giving people more control over their data is crucial to building consumer trust.

 

While individuals have legal rights under data protection, you should consider whether you want to force people to resort to the law to see what information you hold about them.

 

It’s a better experience for the customer to be in the driving seat, with the ability to access their data without going through a formal legal process. The growth of digital services helps to make this a reality.

 

Remember, individuals’ rights will be brought into focus across the European Union when the General Data Protection Regulation comes into force in May 2018. The regulation will require the data to be provided free of charge and, in certain cases, in a common electronic format.

 

No matter what happens in the UK post-Brexit, it’s time to ensure your house is in order when it comes to subject access.

LinkedIn Twitter
YOU MIGHT ALSO LIKE

Cyber attack affects 143 million US Equifax consumers

A cyber attack on Equifax has exploited a website application vulnerability to gain access to consumer files, the credit reference agency reported yesterday (September 7)

Tesco Bank and Capita extend mortgage services contract

Business processing outsourcer Capita has agreed a contract extension until 2020 to provide mortgage services to Tesco Bank.
LATEST IN ANALYSIS

The CS Interview

Renaissance man
LinkedIn Twitter

Renaissance man

Features

Engineering a self-service solution in car finance
LinkedIn Twitter

Engineering a self-service solution in car finance

Opinion

"It’s up to the financial services industry to help teach students the necessary skills to manage their finances"
LinkedIn Twitter

"It’s up to the financial services industry to help teach students the necessary skills to manage their finances"

Dispatches

Lloyds results reveal £2bn of debt in forbearance
LinkedIn Twitter

Lloyds results reveal £2bn of debt in forbearance

Credit Strategy

Did you find our website useful?

Thank you for your input

Thank you for your feedback

creditstrategy.co.uk – an online news and information service for the UK’s commercial and consumer credit industry. creditstrategy.co.uk is published by Shard Financial Media Limited, registered in England & Wales as 5481132, Axe & Bottle Court, 70 Newcomen St, London, SE1 1YT. All rights reserved. Credit Strategy is committed to diversity in the workplace.
@ Copyright Shard Media Group