Introduction:
In this blog we will look at what steps organisations can take to better manage the influx of Data Subject Access Requests that they receive.
Handling Data Subject Access Requests has become a huge issue for many organisations across the UK in recent years. Since Covid, many councils have reported a significant increase in care leavers requesting a copy of their case file from their time in the social care system.
Since people are more aware of their rights as data subjects, HR SARs are also becoming more and more frequent for organisations, especially where there are redundancies, grievances, performance management issues, and more. The influx could be attributed to a number of factors, including public awareness because of the GDPR and awareness from social media channels such as TikTok.
Here is some advice that we would give to an organisation to help them manage SARs more effectively:
Provide training to staff:
Training the staff who deal with SARs is a really quick win for organisations. If staff understand the term ‘personal data’, which is defined within the Law, then they know what information they must release and what can be held back. This is particularly relevant to HR SARs, where most business data can be redacted.
Training your staff on redaction top tips can also speed up the time taken to deal with requests. Each platform used for redacting documents (Adobe, Nitro etc.) has shortcuts, and there are tasks that a team member should do before commencing, such as sanitising a document. The guidance from the ICO stipulates that specialised roles should have additional training; as such, those who are handling and redacting SARs should have specific and relevant training. We would advise that the training includes content such as our regular data subject access requests training sessions.
Conduct a review of current processes:
The first step in addressing the issue of high SAR volume would be to conduct a review of the local authority’s current processes for handling SARs. This review should consider factors such as response times, staff workload, and the types of information being requested. It should also analyse the time taken to perform redactions on different types of SAR, for example, Social Care files, Housing, and HR.
Ask the data subject for clarification:
Have an open and honest approach to SARs with the data subject. Are they looking for some information in particular? Are they hoping to achieve something out of the SAR? Are they looking to only include emails between certain members of staff? Are they happy to only have information pertaining to certain date ranges?
Remember, if they say no, then you are legally obliged to provide all of the information.
Implement an online request system:
Implementing an online request system can streamline the SAR process and make it easier for individuals to make requests. This can also enable the organisation to keep track of all requests in a central location and allow for more efficient processing. Be aware, though, that SARs are still valid if requested by other methods.
Use redaction software:
Procuring a piece of software that uses AI technology to search for names, addresses, signatures etc. may help to reduce the SAR to a more manageable output, with fewer pages, which can then be redacted.
However, be wary: software cannot read context, so there must be human input at the final stage.
Redaction software also allows organisations to see an overview of requests, and how the requests are progressing through the redaction process.
Outsource:
If the organisation is unable to handle the high volume of requests in-house, or does not have the skills to complete the request, it may be necessary to outsource some of the workload to a third-party provider. This can help to ensure that all requests are processed in a timely and compliant manner. You are also assured as an organisation that the SAR has been redacted in the correct manner, and all other non-relevant data removed. At DPAS we have a dedicated SAR team who support organisations with demanding backlogs of SARs. See more here: https://www.dataprivacyadvisory.com/dpas-compliance/outsourcedsarprocessingredaction/
Review and revise your retention policy:
Reviewing and revising the retention periods can help the organisation to identify and dispose of any unnecessary data. This can help to reduce the scope of the request. As an example, an organisation may have an email retention period of 3 years. If a member of staff submits a SAR, then those 3 years of emails, unless they give you a specific time frame to search, would need to be read and redacted, which can be extremely time consuming. The task of going through and removing third-party data would be significantly less onerous if the retention period was 1 year, for example.
In conclusion, the organisation could conduct a review of its current processes using the steps above, and make changes to those processes to manage SARs in a more efficient manner.
The team at DPAS can offer a service that helps to build internal capacity, so the existing in-house team can develop its knowledge and expertise, underpinned by standardised policies and procedures.
Tasks could include:
- A review of your existing end-to-end processes to identify risks, gaps, bottlenecks etc.
- Production of revised policies and procedures, including quality thresholds, and improved use of technology where required.
- Production of ‘how-to guides’ for team members to use to redact SARs.
- Roll-out and embedding of new processes, including delivery of bespoke training to the core processing team.
- End to end SAR management and redaction.
If you are interested in any of the above, get in touch with DPAS today on 0203 3013384 or info@dataprivacyadvisory.com