10 April 2012

Subject Access Requests and Disproportionate Effort

What functionality do your applications include to support subject access requests? During operation and after decommissioning?

The concept of disproportionate effort in section 8(2) of the Act applies only to the task of responding to a subject access request by providing a copy of the information in permanent form. It does not apply to the effort required to locate the personal data.

At the end of last month the UK's Information Commissioner's Office (ICO) published updated guidance on what is meant by the term "disproportionate effort" under an organisation's obligation to comply with subject access requests.

The ICO recognises that searching for personal data on live systems should be easier, but that doesn't negate the need to identify relevant personal data in terminated, offline, backup and archival systems and locations. Data controllers can only use the "disproportionate effort" qualification in respect of "supplying a copy", not in regard to "locating" the information in the first place.

Under the UK's Data Protection Act 1998, organisations processing personal data must comply with the eight data protection principles.

So, apart from ensuring the personal data your applications are processing is being processed fairly and lawfully, has been obtained for one or more specific purposes, is adequate, relevant and not excessive, is accurate and, where necessary, kept up to date, is not kept for longer than is necessary, is processed in accordance with the rights of data subjects and is secure... do your applications allow for accurate data identification and extraction? How do your applications track where data are exported to?

Quite a collection of requirements there then.

Posted on: 10 April 2012 at 07:56 hrs


Page https://www.clerkendweller.uk/2012/4/10/Subject-Access-Requests-and-Disproportionate-Effort
© 2012-2015 clerkendweller.uk