What privacy lessons can we learn from Online Dating

March 2021

Here are our top 10 tips…

Recently, I was joined by John Mitchison from DMA and Chris Field from Harte Hanks in Texas to talk about privacy issues in the online dating industry. DPN are now Associate members of the Online Dating Association, the International trade body for dating businesses, and we were delighted to speak to their members on this topic.

The discussion was wide ranging – here are my ten lessons:

1. International data protection laws appear to be converging

We know EU GDPR has set the bar high, but we can see that, to an extent, this is being replicated in some US states, most notably California. It’s also clear that with the Biden/Harris presidential team there will be a greater focus on protecting privacy and the possible introduction of a Federal data protection law.

The fact the UK is likely to be granted adequacy is another reason to believe high data protection standards are here to stay.

2. Questions around trust and transparency will increase

Since the introduction of GDPR and the start of the Covid pandemic, the wider population has an increased awareness of privacy questions. People know their rights and there’s an increasing awareness of data breaches.

Being open and transparent is a core principle of GDPR and, to build trust, more businesses will treat trust as a core operating principle.

3. Special category data must be handled carefully

A lot of very personal information is shared through an online dating account and some of it will be considered special category data. That is, anything to do with health, sexual orientation, sex life, racial origin and religious beliefs.

The UK’s ICO cautions against using this data unless its use has been carefully risk assessed. In particular, if this data is shared as part of a profile it should not necessarily be used to help build segments for marketing purposes.

4. Distinguish between service messages and marketing messages

It may not be desirable or necessary to use all the data contained in a user profile to create segments for marketing. It would make sense to minimise the use of personal data and identify the key variables which will generate a sale.

The remainder of the data could be used to help deliver the service, but understanding the difference between service and marketing messages is paramount.

5. Right to be Forgotten is not an absolute right

It’s almost never a good idea to completely erase a data subject from your system as, somehow, you need to know not to add them back in again. This means keeping a small snippet of information in a suppression file to ensure they can never sign up for marketing again.

However, with the dating industry, there’s also the need to have safeguards in place to protect other members from stalkers, convicted rapists or other criminals. In this case, producing a DPIA and documenting the reasons for keeping any data is absolutely essential.

6. DSARs (Data Subject Access Requests) are growing

Individuals know their rights and are making more requests whether it’s through a third party or a direct request. In the US, there’s a similar requirement in California. Having the necessary processes in place to ensure these can be responded to within a month is key.

7. Removal of fake profiles is not a privacy matter

Within the terms and conditions of most dating sites will be the absolute right to remove fake profiles. This is not a privacy matter but part of the terms and conditions of use to protect other users.

8. Wean yourselves off use of third-party cookies

Although Firefox and Mozilla have already stopped supporting third party cookies for targeting purposes, Google’s decision to stop supporting them in 2022 is a game changer. Chrome represents over 65% of the browser market and their decision will effectively kill off third-party cookies.

Now is the time to think about alternative ways of targeting. This could be through the development of profiles using data you’ve compliantly collected yourselves, the use of contextual targeting tools or collaborations to share data insights. The world will change and the race is on to change ways of targeting.

9. Social media marketing is under scrutiny

What do you need to create look alike audiences on Facebook or Instagram? Can you create anonymised segments which can be uploaded for targeting? Do you need to upload emails to create segments and if you do, have you gained the necessary consent from your customers/prospects? Uploading emails is a high risk activity without consent.

10. Data breaches are endemic

In the UK, 88% of companies were affected by a breach in the last 12 months, whilst in the US the number is 49%. The most recent ICO quarterly breach review indicated 72% of breaches were non-cyber security related.

In a nutshell, most problems are down to user error, whether it’s not updating user access, not changing passwords or insecure data sharing. The list of possible infringements due to error is endless. For any organisation handling such huge volumes of personally sensitive data, the challenge is substantial.

We may have been talking about dating but these top 10 tips can apply to any digital business.


Right to Erasure: 10 Tips

March 2021

What data should you erase? When can you refuse? And, on a technical level, how do you ensure everything is deleted?

Fulfilling people’s privacy rights isn’t easy, and the Right to Erasure raises complex challenges. Add to this the tight timeframe to action requests, or bulk requests from third parties, and it can turn into a bit of a minefield.

Don’t worry too much, though – we’ve got some tips to help navigate around the quicksand. But first, a little refresher on what the Right to Erasure means.

What is the Right to Erasure?

As the name suggests, a person has the right to request that their personal data is erased from your systems if you no longer have a compelling reason to keep it.

You may hear it referred to as the ‘Right to be Forgotten’. This stems from a decision in 2014 by the Court of Justice of the EU which recognised the right of EU citizens to request the removal of links to personal information on search engines.

GDPR took this ruling a step further and enshrined a broader right into EU law, taking it beyond the context of publicly available personal information.

It’s not an absolute right, and there are circumstances in which it can be denied.

By the way, post-Brexit and under UK GDPR, the right remains unchanged. (See UK data protection law post-Brexit)  

When does the right to erasure apply?

You need to fulfil a person’s request for erasure in the following circumstances:

  • Their personal data is no longer necessary for the purposes you originally collected it for
  • They gave you their consent and now wish to withdraw this consent
  • You’re relying on your legitimate interests to handle their data, they object to this, and you have no overriding legitimate interest to continue to keep it
  • They gave you their details for direct marketing purposes and now want you to erase them
  • You’re fulfilling a legal ruling or legal obligation to erase the data
  • You’re processing a child’s data to provide information services (i.e. online services)
  • You’re handling their data unlawfully

The last point, a general ‘catch-all’, is a tricky one to balance, as there may be many reasons why personal data could be processed unlawfully.

For example, the handling of personal data might be considered unlawful if it’s inaccurate, or if necessary information has not been provided in a privacy notice.

When can you refuse an erasure request?

Under both EU & UK GDPR, the right doesn’t apply when you’re handling personal data for the following reasons:

  • to exercise the right of freedom of expression and information
  • to comply with a legal obligation
  • for the establishment or defence of legal claims
  • to perform a task carried out in the public interest or when exercising an organisation’s official authority
  • for public interest in the area of public health
  • for archiving purposes in the public interest, scientific or historical research or statistical purposes (where erasure would make this impossible or seriously impair your objectives)

There may also be grounds for refusing a request where you can justify that it’s manifestly unfounded or excessive.

The UK’s Data Protection Act 2018 provides a full list of exemptions.

If you refuse to comply with a request you must tell the person promptly, explaining why and telling them they’ve the right to raise a complaint with the ICO (or other supervisory authority).

There are many variables at play; each request needs to be assessed on a case-by-case basis. This is where the devil really is in the detail.

10 tips for handling the Right to Erasure

1. Awareness

Someone can request their data is erased, either in writing or verbally. They might make this request to anyone in your business or organisation. So, everyone needs to know how to recognise this request, what to do if they receive one, how to log it, who to direct it to and so on.

Awareness campaigns, training, easy-to-understand policies and straightforward procedures all play their part in getting key messages across to all staff.

2. Identity verification

You clearly don’t want to delete someone’s details unless you are absolutely sure they are who they say they are. Sometimes this will be obvious, but in other circumstances you’ll need to ask for verification.

Be careful to only ask for the minimum amount of information necessary to confirm identity. Don’t accumulate more information such as copies of passports or driving licences, unless it’s justified.

If a request is received via another organisation, make sure this third party definitely has the authority to act on behalf of the individual in question. The responsibility lies with the third party to provide any necessary evidence to prove this – bear this in mind if you’re the third party!

3. Technical measures

Your customers might think deleting their data is as simple as clicking a button. If only it were that easy!

It can be difficult to locate, identify, assess and properly delete data – especially if it’s held on different systems, media or other platforms. You might hold records on emails, backed-up systems, on the cloud… all must be deleted.

You need to make sure your systems, applications and databases allow the easy identification and deletion of individuals. You may also need to assess the implications of deletion; it can impact on how different software works.

This is where the concept of Data Protection by Design really supports businesses. If from the outset of any new project or initiative you make sure you factor in managing individual data rights, it will make life much easier in the long run.

It’s worth reiterating – the right to erasure extends to deleting data from backups. The Information Commissioner’s Office recognises this and says, “the key issue is to put the backup data ‘beyond use’, even if it cannot be immediately overwritten.”

4. Timeline

You don’t have long to comply with requests, so keeping track of time is crucial. The request must be actioned without ‘undue delay,’ and in any case within one calendar month of receiving it.

You may be able to extend this by up to two months if it’s particularly complex. If you need to extend, make sure you tell the individual before the first month is up, giving them clear reasons for the delay – reasons you must be ready to explain to the regulator if necessary.

5. Who else holds their data?

The right to erasure doesn’t just apply to the records your organisation holds. You’re also expected to tell other organisations to whom you’ve disclosed the personal data.

Having a clear understanding of all your suppliers and any other organisations you share personal data with means you can efficiently contact them and inform them of erasure requests.

You don’t have to do this if it would prove impossible or involves disproportionate effort. (But again, you must be able to justify this was the case).

6. Public domain data

The Right to Erasure also applies to personal data that’s been made public in an online environment (‘The Right to be Forgotten’).

You need to be ready to take reasonable steps to inform other organisations who are handling the personal data; asking them to erase links to, copies of, or replication of the data.

What is reasonable will depend on available technology and the cost of implementation. This expectation scales with size; the bigger your organisation and the more resources you have, the more you’ll be expected to do.

7. Children’s specific rights

Children have special protection under data protection law, and the right to erasure is particularly relevant when a child has given their consent and later wants their personal information removed, especially if it’s available on the internet.

Someone can exercise this right, even if they are no longer a child. Baking in the ability to delete children’s information from the start is crucial.

8. Exemptions

It’s helpful to have a clear checklist of the exemptions that might apply. They don’t all apply in the same way, so be sure to examine each exemption on a case-by-case basis.

The ICO’s exemptions guide is a good starting point. 

If you believe the request is manifestly unfounded or excessive, the duty is on you to make sure you’ve a strong justification for this.

9. Maintain a log

How do we delete someone, but also prove we have? Feels ambiguous doesn’t it?

You’re allowed to keep a log of erasure requests, actions taken and justifications for these. You need to do this to demonstrate compliance.

Make sure this log is kept securely and only keep the minimum amount of information necessary. I know of some organisations that have taken the step of pseudonymising this log for extra protection.
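The suppression file mentioned under “Right to be Forgotten is not an absolute right” and the pseudonymised erasure log above are two halves of the same mechanism. The following is an added example (not code from this article or from DPN) showing one way to implement both: records for the subject are deleted from each system in turn, and only a keyed hash (HMAC) of the normalised email address is kept, so a later marketing sign-up can be blocked without the register itself holding the address. The key, the store layout and the sample records are constructed for illustration.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Optional


def normalise_email(email: str) -> str:
    """Canonicalise an address so 'Alice@Example.com ' and 'alice@example.com' match."""
    return email.strip().lower()


def pseudonym(email: str, key: bytes) -> str:
    """HMAC-SHA256 of the normalised address under a key held outside the register.

    Without the key the suppression list and log cannot be reversed to an address,
    yet a later sign-up can still be matched against them.
    """
    return hmac.new(key, normalise_email(email).encode("utf-8"), hashlib.sha256).hexdigest()


class ErasureRegister:
    """Suppression list plus erasure log, holding pseudonyms rather than raw addresses."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self.suppressed: set = set()   # pseudonyms of erased subjects
        self.log: list = []            # one entry per request, to demonstrate compliance

    def erase(self, stores: dict, email: str, justification: str,
              received: Optional[datetime] = None) -> dict:
        """Delete every record for the address from each store, then record the action."""
        target = normalise_email(email)
        deleted = {}
        for name, records in stores.items():
            before = len(records)
            # in-place, so the caller's store objects reflect the deletion
            records[:] = [r for r in records if normalise_email(r.get("email", "")) != target]
            deleted[name] = before - len(records)
        tag = pseudonym(email, self._key)
        self.suppressed.add(tag)
        entry = {
            "subject": tag,               # pseudonym, never the address itself
            "received": (received or datetime.now(timezone.utc)).isoformat(),
            "deleted": deleted,           # per-store counts: evidence of what was done
            "justification": justification,
        }
        self.log.append(entry)
        return entry

    def is_suppressed(self, email: str) -> bool:
        """Check before (re)adding someone to marketing: True means they were erased."""
        return pseudonym(email, self._key) in self.suppressed

    def log_exposes(self, email: str) -> bool:
        """Sanity check that the raw address does not appear anywhere in the log."""
        return normalise_email(email) in json.dumps(self.log).lower()


def sample_stores() -> dict:
    """Constructed sample data: two systems that both hold copies of the same people."""
    return {
        "crm": [
            {"email": "alice@example.com", "name": "Alice"},
            {"email": "bob@example.com", "name": "Bob"},
        ],
        "marketing": [
            {"email": "Alice@Example.com", "campaign": "spring"},
            {"email": "alice@example.com", "campaign": "summer"},
            {"email": "bob@example.com", "campaign": "spring"},
        ],
    }


if __name__ == "__main__":
    # constructed key; in practice it lives in a secrets store, not beside the log
    register = ErasureRegister(key=b"constructed-demo-key-keep-elsewhere")
    stores = sample_stores()
    print(json.dumps(register.erase(stores, "Alice@Example.com", "consent withdrawn"), indent=2))
    print("alice blocked from marketing:", register.is_suppressed("alice@example.com"))
```

Backups are not covered here: the ICO’s ‘beyond use’ point means the same pseudonym check must also gate any restore from backup, so erased subjects are not quietly reinstated.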

10. Minimisation and retention

The right to erasure (and indeed other privacy rights, such as DSARs) can be less complex if we try to stick to two of the core data protection principles; data minimisation and storage limitation.

Collecting less data in the first place and only keeping it for as long as we need it means there’s less data to trawl through when we get a request to delete it.

Sounds simple, less easy in practice, but worth the effort.

Just finally, no matter how belligerent someone’s being, try to remain upfront and honest with them.

Yes, this was a blatant excuse for me to shoehorn an 80s pop gag into the article in the form of an Erasure reference – just show complainers ‘A Little Respect’. Oh, and you can’t only be compliant with requests Sometimes!

For more information see: GDPR Article 17, Recital 65, Recital 66 and the ICO Right to Erasure Guidance.


ICO Subject Access Request Guidance: help or hindrance?

October 2020

The ICO published its hotly anticipated detailed ‘Right of Access’ guidance on 21st October, following a consultation which closed in February 2020. Does it help, or add to the complexity of handling access requests?

(For the sake of clarity, the Right of Access is commonly referred to as Data Subject Access Requests – DSAR/SAR).

First off, I’ll be diplomatic and say the ICO was being slightly optimistic by titling its accompanying blog, ‘Simplifying subject access requests new detailed SARs guidance’.

Simplifying isn’t a word I’d have chosen for 81 pages of detailed guidance – much of which rests on interpretation, careful assessment and justifiable decision-making.

SARs are often an area where the devil is in the detail and they can be a minefield for the initiated, let alone the uninitiated.

What are the key highlights of the guidance?

  • ‘Stopping the clock’ is now permitted when you need to seek clarification. But seeking clarification shouldn’t be a blanket approach
  • Examples are provided to help organisations assess when a request might be considered ‘manifestly unfounded’
  • Some pointers are given for setting a ‘reasonable’ admin fee. This is only permitted when responding to manifestly unfounded or excessive requests, or when responding to follow up SARs.

I’ve taken a look at these in more detail.

‘Stopping the clock’

If you process ‘a large amount of information’ about someone, you may ask them to specify the information or activities their request relates to before you respond, but the regulatory guidance is that this shouldn’t be your routine approach.

The ICO has confirmed the one calendar month for responding can be paused while you wait for the requestor to provide clarification. (In their draft they had suggested the clock didn’t stop).

You may choose to conduct a ‘reasonable’ search instead of seeking clarification and it is up to you to assess and justify what constitutes a ‘large amount of information’, considering the size of your organisation and resources.

The guidance states:

“It is unlikely to be reasonable or necessary to seek clarification if you process a large volume of information in relation to the individual but can obtain and provide the requested information quickly and easily.

You can ask the requester to provide additional details about the information they want to receive, such as the context in which you may have processed their information and the likely dates of when you processed it.

However, you cannot force an individual to narrow the scope of their request, as they are still entitled to ask for ‘all the information you hold’ about them.”

If you judge it necessary to seek clarification, you should make sure it’s quick and easy for the individual to respond, and you should let them know the clock will be paused and will resume once they respond.

Good communications with people submitting access requests can’t be underestimated, as highlighted in our article 10 DSAR tips from 10 DPOs.

I can foresee some scratching of heads here: What type of clarification can be sought? When is it reasonable to ask for this? What do you do if someone fails to respond? How much should you chase up? And so on.

‘Manifestly unfounded’

There is an exemption whereby you’re permitted to refuse to respond to a SAR (wholly or in part) if you judge it to be ‘manifestly unfounded’ or ‘excessive’.

This has been an area which has vexed many, and the ICO has attempted to clarify this by giving some examples, such as:

  • Where there is no intention to exercise their right of access. This could be when the individual offers to withdraw their request in return for some kind of benefit.
  • Where the request is malicious and is being used to harass or cause disruption. This could include a request which targets a particular employer based on a personal grudge, or where different requests are systematically sent as a part of a campaign.

The onus rests with you to be able to justify a decision that a request is manifestly unfounded. Also, be careful, it’s not enough to use this exemption simply because of the individual’s motive. An ex-employee on a fishing exercise because they are unhappy with being made redundant is highly unlikely to fall under ‘manifestly unfounded’.

The ICO guidance states:

“If the individual genuinely wants to exercise their rights, it is unlikely that the request is manifestly unfounded.

Whilst aggressive or abusive language is not acceptable, the use of such language does not necessarily make a request manifestly unfounded.”

The guidance also provides examples of what would be considered manifestly ‘excessive’. Such as requests which largely repeat previous requests without a reasonable interval.

‘Charging an admin fee’

As we know, the old £10 fee disappeared with GDPR, and the general rule is no fee should be charged. However, you can charge a ‘reasonable fee’ to cover administrative costs if:

  • you’ve assessed the request to be manifestly unfounded or excessive
  • the individual asks for further copies of their data following a request.

Many organisations are therefore left with (1) having to assess whether a request is manifestly unfounded, and (2) deciding what would be a reasonable fee.

The guidance tries to help organisations judge which criteria to consider when arriving at a reasonable fee: the costs of locating, retrieving and extracting the information, communicating the response, and staff time.

The ICO says it’s good practice to establish an unbiased set of criteria for charging fees and that this should be explained to individuals.

I found the following paragraph in the guidance unnecessarily confusing:

“If you choose to charge a fee, you do not need to comply with the request until you have received the fee. However you should request the fee promptly and at the latest within one month of receiving the SAR. This means you must request the fee as soon as possible. You must not unnecessarily delay requesting it until you are nearing the end of the one month time limit.”

So, request the fee promptly and at the latest within one month of receiving the SAR, but don’t delay requesting it until you’re nearing the end of the one month time limit? (Hmmm…)

My advice? Request the fee promptly, and not when you’re nearing the end of the month time limit.

Is there a risk organisations are being given more leeway to refuse SARs?

Michael Bond, Group DPO at News UK, raises some concerns about the ICO’s approach:

“It appears to have capitulated under the weight of lobbying and produced something that could well have a chilling effect on this cornerstone of information rights. Clarification is always welcome but, in my view, it will make the entire subject access process more complex for organisations and individuals to understand and increase administrative burden.”

As I said, the ICO blog title ‘simplifying subject access requests’ isn’t a phrase I’d have used, for an area which can quickly become complex. So much rests on balanced decisions and being able to justify these.

There are places in the guidance which organisations may use to push back on requests (perhaps unfairly). On the other hand the guide is extensive and a useful resource, especially for organisations with less experience in handling SARs.

Remember it’s ‘guidance’ and you may decide you disagree, but if you do be sure to have a strong case for doing so.

A final tiny tip – I’d recommend downloading the Right of Access Guidance, as on the ICO website it can be tricky to search if you are looking for something specific. Also, be sure to check for updates.


10 DSAR tips from 10 DPOs

October 2020

While it’s great people have the right to request copies of their personal data, there’s no doubt Subject Access Requests (SARs) can be challenging to complete adequately and on time.

(If you’ve ever had the misfortune to get a request from a disgruntled employee, for example, you’ll understand how complex these requests can become).

Some organisations are turning to tech to improve their processes for gathering information and redacting data where necessary. However, our recent survey shows the take-up of organisations using external tech solutions is currently relatively low, with just 15% of organisations using an external solution to ease the burden of DSAR requests.

To give you a helping hand, we’ve asked 10 experts who routinely handle requests, to share their top tips, (they’re not all strictly speaking DPOs, but forgive me for wanting to keep the headline succinct).

1. Keep in touch

Chris Field | Privacy Director | Harte Hanks (US)

When addressing DSARs, it is critical DPOs take the time to ensure their communications with data subjects are positive. Always use simple language that’s easily understood when communicating. Acknowledge requests as soon as possible and set expectations as to when requests will be complete. Use calendar reminders to help you proactively notify data subjects of any delays and always check the information provided by the business. Be sure it relates to the data subject, and include clear descriptions as to what the data represents and how it is used.

2. The personal touch

Andy Bridges | Data Quality and Governance Manager | REaD Group

In our experience, one of the most important aspects when dealing with both DSARs and standard DPO cases is to ensure there is acknowledgment and understanding from the first stage. It is, of course, fundamental to ensure that your organisation’s processes and procedures are properly implemented, but also important not to lose sight of the human element, which often gets missed. I have spoken directly to many data subjects and in most cases that personal touch has made a big difference and reassures the consumer that they are being treated with respect and dignity – which in turn helps to alleviate their concerns about how their personal data is being processed and why.

3. Focus on the agreed scope

Sara Howers | Data Protection Officer UK | CGI IT UK Ltd.

Although we cannot insist on a data subject giving us parameters for their access request, many do, and in these cases it’s important to restrict the data selected and supplied to within those parameters and not to over-supply the data. As many of us rely on a number of parties to collate information for us, even when we pass on those parameters, they aren’t always picked up and adhered to (sometimes because their own selection tools are a little overly inclusive), so it’s very important that we sense check all feeds in & restrict them accordingly. After all, you don’t want your DSAR to end up being the cause of a data breach in itself.

4. Don’t be unduly influenced by other matters

Michael Bond | Group Data Protection Officer | News UK

In my experience, the right of subject access is most often asserted where there are ongoing grievances or complaints relating to employees or customers. As such, there may be broader issues that turn on the results of a request. As the person managing the request, it is important to ensure that the subject access process is not unduly influenced by these broader customer or employee matters but kept separate; thereby preserving the integrity of the subject access process and impartiality and independence of the DPO.

5. What about requests from third party portals?

Gerald Coppin | Deputy Group Data Protection Officer | Springer Nature Group

A growing trend is for a DSAR to be submitted by a third party portal that insists the data subject is not contacted as part of the process, and organisations are instructed that any questions or follow up be undertaken solely through the third party. There is still the responsibility on your organisation to verify the identity of the data subject and this can be done by using the direct contact details of the data subject (if provided). Often these requests are accompanied with scanned images of legal documents (passport, driving licence, visas, permits, ID card, etc) and you should be mindful that these images are still stored on your systems even if the data subject has not confirmed the request as genuine.

6. Keep track of time

Claire Robson | Data Protection Officer | Great Ormond Street Hospital Children’s Charity

Managing a DSAR within the 1-month timescale is tricky, particularly where you have a geographically spread organisation or multiple record-keeping systems. Establish a process to help staff identify a request – getting it to you promptly ensures you don’t lose too many days before you’ve even started. Know your record keeping systems – understanding what is held where, helps you locate, and retrieve the records needed. Are you reliant on other teams? Establishing KPIs for response times and setting expectations of them can help. Throughout, keep an eye on progress so you can quickly identify and notify the requestor if it’s going to take longer.

7. Can tech help?

Simon Morrissey | Legal Director Information Rights | BBC

The frequency and scale of individual DSARs has led to technology assuming an increasingly important role to play in the handling of DSARs, both in terms of managing the overall DSAR workflow and the collation, review and redaction process. There are now technology solutions available that allow an organisation to track a DSAR from inception to completion and which also contain a reporting tool that can assist with compliance reporting. As far as collation, review and redaction is concerned, there are also technology solutions which use machine learning to improve de-duplication and email de-threading, thereby reducing the volume of documents that require review. Machine learning is also being used to analyse the human level review and redaction of the documents potentially in scope to ascertain the relevance of the documents not yet reviewed. This can also result in a significant reduction in the number of documents that require manual review and redaction.

8. How to cope with employee emails?

Data Protection Officer | Haymarket Media Group

Employee DSARs can be the most complex. You will need to take a view on how to tackle email communications and strike a balance between other employees’ confidentiality and the right of access. An employee expressing an opinion about another employee to somebody else is personal data, but did they expect a level of confidentiality to be upheld when it was written as a private message? Whichever way you decide, it’s important all employees are clear on your company’s stance, so they know such messages may be disclosed as part of a DSAR. Remember, only the personal data needs to be provided, so including hundreds (if not thousands) of BAU emails might not be necessary. Automatically filter out those that would clearly be BAU and search for any personal data on a smaller volume of emails.

9. Remember the exemptions

Chris Whitewood | Privacy & Data Protection Officer | Direct Line Group

When considering what your DSAR response will consist of, you will need to understand what information a data subject is legally entitled to and when information can legitimately be withheld. If information is to be withheld, then it is important that you clearly document internally what information is to be withheld and what exemption you are relying upon. Your DSAR Team will need to be trained as to how exemptions apply and understand the nuances of the Data Protection Act 2018. This will assist you when responding to any requests for clarification from the ICO or further correspondence from data subjects.

10. Respond securely

Temi Akindele | Data Protection & Legal Counsel | The Prince’s Trust

When responding to a request by email, the information must be sent securely. Often (depending on the secure email solution) the secure email will look different from the regular email address that the DSAR was sent to and/or acknowledged from. It is advisable to follow up immediately with an email (from the regular email) to ask the recipient to confirm that they have received the information and are able to view it. Their reply will serve as proof of receipt of the response. If your secure email solution can track when the response was viewed and the information downloaded, save this receipt with the DSAR records. The cover email should also inform the recipient how to escalate if they are unhappy with the response; include the details for an internal contact in the first instance as well as the ICO’s details.

On 21 October 2020 the ICO published new detailed Right of Access Guidance.

You’ve been SAR-bombed!

July 2020

You are at the end of a long day, just about to turn in for the night. You do one last check of your inbox for any signs of a reported security incident. Suddenly you are aghast: the new email count in your inbox registers over 9,000 new emails! You quickly scan to fathom what on earth has happened…

All the emails come from the same sender and the subject lines all declare they are SAR (Subject Access Request) requests. Looking closer, you note the emails include personal information, state that “so-and-so” wants to exercise a privacy right and reference different privacy laws.

Laws which, you know, require you to reasonably address privacy requests, with penalties should you fail to address the request in good faith and in a timely manner.

While I hope you never experience 9,000 requests in one hit, people seem to be increasingly relying on third parties and apps to facilitate their privacy rights. Indeed, some third-party portals are actively encouraging people to use their services.

Once your organisation is identified, you are likely to receive requests from the third party’s entire user base; all delivered to the email address published via your privacy statements.

Let’s explore this trend in more detail and give you a glimpse of how to tackle the SAR-bomb experience.

The Dawn of Privacy Preference Apps

Chances are you’ve already received or honoured an individual’s privacy request received via a third party in some fashion or another. Country and channel specific regulatory “do not contact” lists have for some years allowed people to ‘opt-out’ of direct marketing “en masse.” Some third parties offer people template letters to express privacy choices with a pre-defined list of organisations that should receive them.

Mobile apps are also available to help individuals exercise their requests. One such app seeks to help individuals to identify organisations they have previously transacted with for the purposes of exercising their privacy rights and another is designed to help individuals address legal disputes.

Of course, California’s Consumer Privacy Act (CCPA) now requires organisations to process privacy requests delivered by third parties (defined as “authorised agents”). With California being the world’s sixth largest economy, CCPA’s “authorized agent” mandates are likely to be replicated and to influence individuals’ expectations beyond the state.

Mindset

When addressing privacy requests delivered to you via third parties, be sure your response plan considers first the people submitting these requests. They’ve already invested some time and energy and may have even paid for the help these parties and solutions offer.

People may have turned to such third parties to assert control over their data in as broad a manner possible. Some may be frustrated, confused or upset, and others may not be aware or care that your organisation has specific obligations under the law.

Your procedures to authenticate identity, validate the processing of personal data, address requests within your organisation and ensure the security of the data in your care are likely of little concern to individuals.

Even though the law may require you to separately affirm certain requests received online, some individuals simply won’t appreciate your attempts to confirm the authenticity of their requests.

Furthermore, your requests that people follow your processes may be met with frustration, indifference and scepticism, especially when you need them to take additional action to facilitate their original request.

Your experience addressing sensitive SAR requests, such as those submitted by disgruntled employees or by customers punishing you for bad service, can be especially useful here.

Getting to Work

With the individual’s mindset front and centre, let’s shift attention to some of the considerations specific to being SAR-bombed. Time is of the essence and you need a systematic approach to establish whether you will deny, partially comply with or fully comply with each request.

  • Get your arms around the situation – At a minimum, you need to identify each individual, extract the personal data (as needed to authenticate their identity and confirm the data exists within your organisation) and define the rights they wish to exercise. Conduct a quick test to see how much time is needed based on the total volume.

In our example, let’s say it takes you just 90 seconds to open one of the emails, log the relevant details to your SARs system and archive the email. At 9,000 requests, you may need 225 hours to convert these SAR emails into requests that make sense within your organisation.

  • Create a structured dataset – The volume of SARs simply requires a repeatable process designed to convert the unstructured privacy email into a structured request that makes sense within your organisation. It may help to create a solution that can parse emails for relevant details and return data back to you in a structured format.

If your email platform supports it, consider exporting all the SAR emails into a Comma Separated Values or “CSV” file. Once in a CSV file, you can use your favourite spreadsheet program to make short work of your analysis and response.

  • Include key details within your structured dataset – Consider assigning a unique identifier specific to the request and sender to help you trace the original request across the actions needed to address it. Pull forward the personal data related to the request in a way which reflects your existing SARs authentication and matching procedures.

You may also extract demographic information across specific columns; especially useful if the requests reference rights across different jurisdictions or laws. Denote the privacy right (or rights) for each request. Be sure to use terms your organisation understands to save time.

Consider assigning a reference to the jurisdiction (or law) applicable to the request; or the individual involved. For example, it may be useful to validate GDPR requests originating from Europeans differently from CCPA requests from Californians.

  • Questions relevant to developing your strategy

a. Do you have multiple requests for the same individual? Check if you have duplications i.e. the same individual requesting the same right.
b. Do you have requests that aren’t legally required? Check whether those exercising a right are indeed subject to the right or law referenced. For example, is the individual a European (if referencing GDPR) or a Californian (if referencing CCPA)? Depending on the volume and results of this analysis, you may need to address the requests that are subject to the law first.
c. Can you act on the request as presented? Do you have evidence the third party has authority to act on the individual’s behalf? Are you able to verify their identity? If you need more information your response plan also needs to factor in developing and sending communications, and addressing the responses.

  • Creating records to demonstrate your reasonable efforts – Regardless of your specific response plan, be sure to keep records detailing what you did and the decisions you made. This may include:

1) details of your actions to assess the request
2) communications with the individual
3) actions taken internally to address the request
4) summary of results (for example whether you denied, partially or fully complied)
5) the timeframe taken to resolve
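The triage steps above, worked as an added example that is not code from the original post or from Harte Hanks: a Python script that parses constructed sample portal emails (the labelled-field layout, the right aliases and the request-id format are assumptions), collapses duplicates by individual and right, tags the law cited and whether the supplied details fit its scope, and writes the result to CSV with summary counts for your records.

```python
"""Added example: triage a SAR-bomb of portal emails into a structured dataset."""
import csv
import io
import re
from collections import Counter

# Constructed sample messages (not real requests). The labelled-field layout
# is an assumption about how a privacy-preference portal might format emails.
SAMPLE_EMAILS = [
    "Subject: SAR request\nName: Ana Lopez\nEmail: Ana.Lopez@example.com\n"
    "Country: ES\nRight: access\nLaw: GDPR Art. 15\n",
    "Subject: SAR request\nName: Ana Lopez\nEmail: ana.lopez@example.com\n"
    "Country: ES\nRight: access\nLaw: GDPR Art. 15\n",  # duplicate (email case differs)
    "Subject: SAR request\nName: Bob Tan\nEmail: bob@example.com\n"
    "State: CA\nRight: delete\nLaw: CCPA 1798.105\n",
    "Subject: SAR request\nName: Cara Ng\nEmail: cara@example.com\n"
    "Country: AU\nRight: erasure\nLaw: GDPR\n",  # cites GDPR, details not European
    "Subject: SAR request\nName: Bob Tan\nEmail: bob@example.com\n"
    "State: CA\nRight: opt-out\nLaw: CCPA\n",  # same person, new right: not a duplicate
]

# EEA country codes used to sanity-check a GDPR request's supplied details.
EEA = {"AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
       "IS", "IE", "IT", "LV", "LI", "LT", "LU", "MT", "NL", "NO", "PL", "PT", "RO",
       "SK", "SI", "ES", "SE"}
# Map portal wording onto the terms this (hypothetical) organisation uses.
RIGHT_ALIASES = {"access": "ACCESS", "delete": "ERASURE", "erasure": "ERASURE",
                 "opt-out": "OPT_OUT", "do not sell": "OPT_OUT"}
FIELD_RE = re.compile(r"^(Name|Email|Country|State|Right|Law):\s*(.+)$", re.M)


def parse_email(raw):
    """Pull the labelled fields out of one email into a flat record."""
    fields = {k.lower(): v.strip() for k, v in FIELD_RE.findall(raw)}
    law_text = fields.get("law", "").upper()
    law = "GDPR" if "GDPR" in law_text else "CCPA" if "CCPA" in law_text else "UNKNOWN"
    return {
        "name": fields.get("name", ""),
        "email": fields.get("email", "").lower(),  # normalise for duplicate matching
        "country": fields.get("country", "").upper(),
        "state": fields.get("state", "").upper(),
        "right": RIGHT_ALIASES.get(fields.get("right", "").lower(), "UNKNOWN"),
        "law": law,
    }


def in_scope(rec):
    """Do the supplied details plausibly fall within the scope of the law cited?"""
    if rec["law"] == "GDPR":
        return rec["country"] in EEA
    if rec["law"] == "CCPA":
        return rec["state"] == "CA"
    return False


def triage(raw_emails):
    """Return (unique_requests, summary); a duplicate is the same email + same right."""
    unique, seen, duplicates = [], set(), 0
    for raw in raw_emails:
        rec = parse_email(raw)
        key = (rec["email"], rec["right"])
        if key in seen:
            duplicates += 1
            continue
        seen.add(key)
        rec["request_id"] = f"SAR-{len(unique) + 1:04d}"  # our own reference
        rec["in_scope"] = in_scope(rec)
        unique.append(rec)
    summary = {
        "received": len(raw_emails),
        "unique": len(unique),
        "duplicate_pct": round(100 * duplicates / len(raw_emails), 1) if raw_emails else 0.0,
        "by_law": dict(Counter(r["law"] for r in unique)),
        "in_scope": sum(r["in_scope"] for r in unique),
    }
    return unique, summary


def to_csv(records):
    """Serialise the structured dataset so it can be worked in a spreadsheet."""
    cols = ["request_id", "name", "email", "country", "state", "right", "law", "in_scope"]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=cols, lineterminator="\n")
    writer.writeheader()
    writer.writerows(records)
    return buf.getvalue()


if __name__ == "__main__":
    requests, stats = triage(SAMPLE_EMAILS)
    print(to_csv(requests))
    print(stats)
```

The summary dictionary is the kind of figure (received, unique, duplicate percentage, split by law, how many fit the law's scope) you would keep alongside the CSV as the record of your assessment.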

Adopting the approach above, my company, Harte Hanks, has addressed 9,254 email requests within just a few days. We identified that 96% of the requests delivered were simply duplicates.

The “sender” seems to have experienced a technical problem, delivering the same request on average at least 44 times and one over 1,600 times. Of the 326 “unique” requests delivered, 67 requests described rights under CCPA whereas the other 259 described rights under GDPR.

When considering the personal data delivered along with the request, we found all CCPA requests included personal details reasonably descriptive of a Californian, whereas only 16 of the remaining “GDPR” requests reasonably “described” a European.

Here’s to hoping you don’t ever experience such a deluge of requests at one time.

Further information

In the UK, the Information Commissioner’s Office addresses requests made via third party portals in its detailed Right of Access Guidance.

The ICO says to determine whether you need to comply with such a request you should consider whether you are able to verify the identity of the individual and are satisfied the third party portal is acting with the authority of and on behalf of the individual in question.

The regulator stresses you are not obliged to take proactive steps to discover that a SAR has been made. So, if you can’t view the SAR without paying a fee or signing up to a service, you have not ‘received’ a SAR and are not obliged to respond.

Furthermore, it’s the portal’s responsibility to provide evidence that it has appropriate authority to act on the individual’s behalf. In responding to a SAR you are not obliged to pay a fee or sign up to a third party service. If you are in this position the regulator’s advice is to provide the information to the individual directly. The draft code states:

“If you have concerns that the individual has not authorised the information to be uploaded to the portal or may not understand what information would be disclosed to the portal, you should contact the individual to make them aware of your concerns.”

Subject Access Requests & Proof of ID

December 2019

When responding to a Right of Access request (commonly known as a Data Subject Access Request), we might be required to ask a person to prove their identity.

With that in mind, what constitutes a reasonable request for further information for verifying identity? And do you need to ask for additional information in all circumstances? We take a look at how organisations are tackling this.

Organisations need to take a balanced approach to this, considering factors such as:

  • The context of your relationship with the requester
  • The nature of personal data you will be providing
  • The risks to the organisation and to individuals of personal data being given to the wrong person
  • Ensuring identity verification is not too onerous for the individual
  • Securely protecting any additional information requested and not retaining it longer than necessary

Many organisations will have already taken a measured decision on this, others may still be considering what approach to take and some may be getting push-back on what they’re currently asking for – “I shouldn’t have to provide you with a copy of my passport!”

Being over-zealous can result in objections and could, in the worst-case scenario, result in penalties for putting unnecessary hurdles in the way of individuals exercising their rights. But not being careful enough carries its own risks too!

To provide an overview of how businesses are balancing these demands, I spoke with ten different organisations about what checks they’ve put in place.

What are the first steps to take?

  • Is it a SAR? If someone is asking where you got their details from or why you are sending them marketing, this is not a SAR and can be handled in a routine manner. A SAR is where an individual is specifically requesting the personal data you hold about them.
  • Acknowledge receipt
  • Ask for identification, if unsure of their identity
  • Ask for more information to clarify the request, if necessary
  • Log and report internally
  • Diarise the deadline for responding

So, how can you approach the issue of ensuring someone is who they say they are?

What does GDPR & the ICO say about identity verification?

Recital 64 of GDPR states:

“The controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers.”

[Update] In the ICO’s detailed Right of Access Guidance (published October 2020) it states:

“You can ask for enough information to judge whether the requester (or the person the request is made on behalf of) is the person that the data is about. The key point is that you must be reasonable and proportionate about what you ask for. You should not request more information if the requester’s identity is obvious to you. This is particularly the case when you have an ongoing relationship with the individual.”

It continues to say:

“You should also not request formal identification documents unless necessary. First you should think about other reasonable and proportionate ways you can verify an individual’s identity. You may already have verification measures in place which you can use, for example a username and password.

However, you should not assume that on every occasion the requester is who they say they are. In some cases, it is reasonable to ask the requester to verify their identity before sending them information.

How you receive the SAR might affect your decision about whether you need to confirm the requester’s identity.”

Neither GDPR nor the ICO provides specific details on what would be considered reasonable and proportionate. This is left for organisations to judge.

What are the risks?

On the one hand you might consider the potential fine and/or reputational damage of getting it wrong, but most importantly what risk is there to the individual if you provide their personal data in error to someone else? Are you, for example, putting them at risk of fraud?

If you’re providing bank account details or medical records, the risk of getting it wrong is clearly higher than providing contact details with marketing preferences. The context here is important, based on the nature of your relationship with the requester and the type of personal data you will be providing.

There’s evidence SARs are being used as phishing attempts. There also seems to have been a proliferation of companies (many based overseas) which submit requests on ‘behalf’ of individuals. You need to be sure they really are acting for the individual in question, and not trying to harvest data unscrupulously.

However, if you make it mandatory to provide specific proof of ID you could run the risk of alienating people who feel this is unreasonable. Should a complaint be escalated you could be found to have made it too burdensome for people to exercise their right.

If you feel it is justified to ask for a copy of a photographic ID (such as a driving licence or passport) you also need to consider how long you retain it for, how it’s protected and how it’s securely destroyed when you no longer require it. This additional information could pose a further risk.

What approach to take?

Some organisations take a case-by-case approach or adopt a fairly standardised method dependent on the context (e.g. an employee, a customer or request made by a third party).

If you’ll be providing individuals with sensitive personal information that might pose a risk to that person should it fall into the wrong hands, you’ll be able to justify robust processes for ID verification, ones which are hopefully easy to explain to the requester in that context.

The following shows how the organisations I spoke to are approaching this problem across diverse sectors such as publishing, information technology and not-for-profit. Some receive approximately one SAR a month; others receive around a hundred. All have developed processes for handling SARs and balanced what ID checks they believe reasonable.

Employee or ex-employee requests

If an email arrives via your corporate email system from a member of staff requesting a SAR, all organisations were in agreement it would be unnecessary and disproportionate to ask for additional proof, as you already know who they are.

One organisation takes the step of asking for some proof of identification with ex-employees, a couple of points of reference such as asking for their staff ID number and National Insurance number.

No additional information requested

Based on the context of their relationship with the requester and the nature of personal data to be provided, some organisations don’t feel it is necessary or proportionate to request further proof of ID. Here are some examples:

  • Where someone has an online account and submits a SAR from an email address which is linked to their account, asking for it to be posted to an address currently held for them.
  • A request is received from a business email address, which matches the record held and the response will be given to the same email address.
  • Where the organisation is able to conduct sufficient internal checks to validate the request, based on information they already know about the individual.

Asking additional questions

Two organisations take the approach of asking the individual to answer a question (or two) to verify their identity. Essentially rather than ask for additional documents as proof they use the information they already know about the individual to do this. For example, can they confirm the nickname/username they used when setting up an account?

Additional information

Where they may have doubts about the identity of the individual, some of the organisations will request photo identification (e.g. a passport or driving licence) along with proof of address (such as a utility bill). One organisation specifically mentioned how they’re reluctant to hold this information for any longer than required, so log its receipt and then immediately and securely destroy it.

Requests made by third parties

All of the organisations approached took a robust approach when a third party submits a request on another’s behalf, be this for example a law firm or a relative. This would include asking for information such as evidence of Power of Attorney or a letter of authority. This approach is supported by the ICO’s new draft guidance which states:

“An individual may prefer a third party (e.g. a relative, friend or solicitor) to make a SAR on their behalf. The GDPR does not prevent this, however you need to be satisfied that the third party making the request is entitled to act on behalf of the individual. It is the third party’s responsibility to provide evidence of this. This might be a written authority to make the request or a more general power of attorney.”

Some organisations have received requests from companies who offer a service of submitting requests on behalf of individuals – or so they claim. Often these companies are based overseas and the request may already include a proof of ID. A cautious approach is taken to such requests – one organisation will not respond unless it can contact the individual directly and ask them to confirm their request and reiterate their wish that the third party act on their behalf. Of course, they document any decision in each case.

The ICO’s new draft guidance makes specific reference to requests made via a third party portal, and says you need to consider whether you are able to verify identity and are satisfied the third party portal is acting with the authority of, and on behalf of, the individual. It specifically states:

“You are not obliged to take proactive steps to discover that a SAR has been made. Therefore, if you cannot view a SAR without paying a fee or signing up to a service, you have not ‘received’ the SAR and are not obliged to respond. You should note that it is the portal’s responsibility to provide evidence that it has appropriate authority to act on the individual’s behalf. Mere reference to the terms and conditions of its service are unlikely to be sufficient for this purpose (see ‘Can a request be made on behalf of someone?’ above). The portal should provide this evidence when it makes the request (ie in the same way as other third parties). When responding to a SAR, you are also not obliged to pay a fee or sign up to any third party service. If you are in this position you should instead provide the information directly to the individual.”

In summary, it may not always be necessary to ask for additional documentation as proof of identity where you’ve no doubt the individual is who they say they are, or can verify this in another way.

Matthew Kay, Data Protection Officer EMEA at Thomson Reuters says, “It is clear from the review and outlined guidance provided that a balanced approach should be taken for right of access requests. This essentially means affording people their right of access but putting in sufficient safeguards to ensure information is only provided to those who are entitled to have access to it. It is worth noting that these safeguards shouldn’t hold up the process necessarily and this will often be achieved through organisations having a standardised approach. That being said organisations shouldn’t overlook the importance of handling requests on a case by case basis to ensure requestors are treated as individuals and receive the correct response.”

As we know, many individuals submitting SARs often do so because they’re already dissatisfied with your organisation – often complaint-driven. Don’t anger them further by putting unreasonable hurdles in their way but do request proof of ID where you believe it’s necessary to protect people.

If you’re in any doubt, and the individual can’t or won’t prove who they are, you may take the decision not to fulfil a request. Just make sure you document your decision – you can’t be blamed for having justified concerns, but could be if you can’t defend your decision-making in each case.

As ever, this issue is one of balance and proportionality – ensuring you have a robust process in place for handling SARs and retaining evidence to support your decisions is vital.


GDPR: The Right of Access

The right of access is nothing new, but there are some changes ushered in by the EU General Data Protection Regulation (GDPR). There’s also the anticipation that increased awareness (and the removal of the fee) will see the number of requests received rise.

It’s crucial that employees are aware of what a Data Subject Access Request (DSAR) is and the importance of immediately passing such requests to the Data Protection Officer or relevant member of staff/team. Time is of the essence!

What is a data subject access request?

A DSAR is a request from a data subject to be provided with a copy of the personal data being processed by a Controller and an explanation of the purposes for which personal data is being used. A complaint or general query about how personal data is being used does not constitute a DSAR, for example a query about why marketing is being received or where you got someone’s name from. A DSAR is specifically when anyone asks to receive a copy of the personal data you may hold for them. A request does not need to be formally called a “subject access request” or “access request” for it to constitute one, and they will rarely be titled as such.

A request could be sent to any department and come from a variety of sources. Individuals do not need to officially write a letter addressed to the Data Protection Office for it to be a valid request. They might be submitted by email or social media and may be addressed to the “wrong” department or person.

What are the changes under the GDPR?

Less time to respond: The timescale for responding to a DSAR has been reduced from 40 days to one calendar month, representing a challenge for many organisations.

No fee: Organisations can no longer charge a £10 fee for a DSAR. However, where the request is deemed to be excessive or manifestly unfounded, organisations can charge a “reasonable fee” to cover the administrative costs of complying with the request. There is also an ability to charge a “reasonable fee” if an individual requests further copies of their data. But, even if you suspect a request may be malicious, this is very unlikely to be sufficient grounds for refusing to respond.

Article 15 of the GDPR sets out the information that individuals have the right to be provided with. Broadly this covers providing information about:

  • What personal data is being processed
  • The purposes for which the personal data is being processed
  • To whom the personal data has been or will be disclosed
  • The existence of any automated decision-making, including profiling. And, at least where this produces legal or similarly significant effects, what logic is being used for that purpose.
  • How long the data will be retained for (or at least the criteria used to determine this)

Initial Response

In order for a formal DSAR to be valid it must come from the individual themselves (or an authorised agent/parent/guardian) and needs to be accompanied by enough information to enable you to extract the personal data pertaining to the individual from your systems.

It is very important to establish that the individual asking for the information is who they say they are, to avoid the damage of inadvertently disclosing personal information to the wrong person. There have been several instances of fraudulent requests in order to aid identity theft.

If the information the individual has provided in their request is insufficient, you should ensure you have a standard initial response process so you can immediately ensure you have enough details to fulfil the request. For example you may need to:

  • request proof of ID (if the requester is an employee or ex-employee this may not be necessary if it is obvious to you who they are)
  • request proof of relationship/authority (for example if information is requested about a child or by an agent)
  • ask if they are interested in specific information (if they request ALL personal data you cannot restrict this)
  • ask what their relationship is with your organisation
  • ask if they wish to see CCTV images of them (if relevant) and request a photograph, description of clothes worn, dates of visits etc.
  • ask if they require the information to be provided in writing or whether they will accept it in an electronic form

You have one calendar month to provide your formal response to the individual.

In limited circumstances this can be extended for up to a maximum of a further two months.

Gathering the information

Ensure you have a standard process to efficiently check all relevant systems and liaise with other departments. A SAR covers most computerised personal data you hold (including archives and backups) and some paper records (where these are held in a systematic and structured format). Email systems will need to be checked for emails pertaining to the individual (where they are referenced by name or are identifiable).

[Update] Do you need to include deleted records? The ICO’s view in its detailed Right of Access Guidance (published Oct 2020) is “Information is ‘deleted’ when you try to permanently discard it and you have no intention of ever trying to access it again. The ICO’s view is that, if you delete personal data you hold in electronic form by removing it (as far as possible) from your computer systems, the fact that expensive technical expertise might enable you to recreate it does not mean you must go to such efforts to respond to a SAR.”

Review the information

If no personal data is held about the individual they must be informed of this.

If the information you have gathered contains personal data relating to other individuals you need to carefully (on a case by case basis) consider whether and how to redact this, or judge it to be reasonable to disclose. Such information can be disclosed with the consent of the other parties. Where consent is not feasible you need to consider the privacy impact and/or how your duty of confidentiality to these other parties could be broken should you disclose this information. You should document any justification for disclosure of personal data relating to other parties.

Your formal response

The information you provide must be in an “intelligible form”, in other words one which the average person would be able to understand. Avoid using jargon or terms that people outside the business might not understand, and explain any codes. Ensure the information you are providing covers the requirements under Article 15. When supplying the information use a traceable delivery system. If agreed with the individual, send it via secure electronic means.

And finally, keep a record of your response!