What functionality do your applications include to support subject access requests? During operation and after decommissioning?
The concept of disproportionate effort in section 8(2) of the Act applies only to the task of responding to a subject access request by providing a copy of the information in permanent form. It does not apply to the effort required to locate the personal data.
At the end of last month the UK's Information Commissioner's Office (ICO) published updated guidance on what is meant by the term "disproportionate effort" under an organisation's obligation to comply with subject access requests.
The ICO recognises that searching for personal data on live systems should be easier, that doesn't negate the need to identify relevant personal data in terminated, offline, backup and archival systems and locations. Data controllers can only use the "disproportionate effort" qualification in respect of "supplying a copy", not in regard to "locating" the information in the first place.
Under the UK's Data protection Act 1998, organisations processing personal data must comply with the eight data protection principles
So, apart from ensuring the personal data your applications are processing is being processed fairly and lawfully, has been obtained for one or more specific purposes, is adequate, relevant and not excessive, is accurate and, where necessary, kept up to date, is not be kept for longer than is necessary, is processed in accordance with the rights of data subjects and is secure... do you applications allow for accurate data identification and extraction? How do your applications track where data are exported to?
Quite a collection of requirements there then.
Posted on: 10 April 2012 at 07:56 hrs