Teiss Head of Training and Consulting, Jeremy Swinfen Green, wonders whether data subject access requests are set to become a real headache for UK PLC once GDPR comes into force next year.
Recent research from Deloitte (as reported by the Financial Times) shows that the UK government has doubled the requests it has made for data from websites such as Facebook and LinkedIn.
This is undoubtedly a burden for social media and telecommunications companies. But all organisations may be facing a similar burden under the requirements of the GDPR (due to come into force across the EU on 25 May 2018).
Under the GDPR, any organisation that holds personal data on an individual will be obliged to share that data with that individual on their request. This request is known as a Subject Access Request or SAR.
This isn’t so different to the current provision under the Data Protection Act (DPA), beyond the fact that the data controller has to provide a little more information. For instance, there will be a requirement to say how long the data will be held for.
Except that under the DPA you can generally make a charge of £10 to fulfil this request.
And under the GDPR you cannot. In fact under most circumstances charges are specifically ruled out. Information “shall be provided free of charge” (Article 12.5).
It was generally accepted that the £10 charge under the DPA acted as a barrier to frivolous requests. There are worries that the absence of a charge under GDPR may open the floodgates to SARs, overwhelming organisations with requests.
These requests could be problematic when much personal information is held in unstructured files (such as email records) or in offline archives and back-ups.
But will this flood of SARs really happen?
A (very unscientific) trawl of FOI requests on the web indicates that NHS Trusts seem to receive just a couple of SARs each day. And one might imagine that NHS trusts (along with other public authorities such as schools, local authorities and government departments) are rather more likely than most organisations to receive these requests.
Other organisations are likely to receive far fewer, even without the disincentive of a £10 charge. After all, do most British people really care what information Amazon or John Lewis hold on them? Not really: life’s too short!
But let’s say there are enough paranoid narcissists out there to cause a problem for organisations. What can organisations do to guard against this?
On the surface, not a lot. Organisations will have some limited grounds for refusing to grant an access request. Where a request is “manifestly unfounded or excessive”, it can be refused.
However, organisations will need to have clear refusal policies and procedures in place, and demonstrate why any request they refuse meets these criteria.
And unfortunately “the controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.” This might be tricky except where the requests are repetitive in nature, an example of “manifestly unfounded or excessive” given in the GDPR.
So how else can organisations fight against the potential for overwhelming numbers of SARs?
There may be a way that the regulations themselves help organisations.
It is clear that the GDPR aims to protect personal data, which by extension should only be disclosed to the “data subject”.
Yet how can organisations be sure that the data subject is who they say they are?
Proving your identity
If I telephone an organisation or write to them they have no way of knowing that I am who I say I am. The same is true of email. There is no way that an organisation that received an email from firstname.lastname@example.org can know it is from me.
Not just because they have no way of linking an email address with an individual (anyone could have registered firstname.lastname@example.org as an email address). Also because an email that appears to come from firstname.lastname@example.org may well have been spoofed and have come from another address.
In these circumstances, they would be fully justified in asking for an identity document such as a passport or driving licence to be sent in as evidence of identity. (And it would have to be the original as photocopies don’t prove identity as they can easily be tampered with.)
This is emphasised where the Regulation states “where the controller has reasonable doubts concerning the identity of the natural person making the request …, the controller may request the provision of additional information necessary to confirm the identity of the data subject.”
Asking for a passport or driving licence is going to put people off making frivolous requests.
So it is unlikely that people will flood organisations with requests over the phone, post or email.
Organisations with websites that have a secure registration process may be in a different position. Here, when someone logs into a site there may be the ability to communicate directly with the site’s owners. In this case, would the site owner have to respond to an SAR?
I suppose it will depend on the registration process. A simple registration that involves picking a username and password could well be thought of as being insecure. As people often use the same password across different sites, and as those other sites may get hacked, it’s arguable that logging on in this way doesn’t prove your identity.
I’d certainly argue that a site that only asks for a password and login name isn’t proving anyone’s identity. Because failing to ask for a second form of authentication simply isn’t best practice.
Good sites though, especially banks and technology companies, generally have an established method of identifying people properly. This is often through the use of a login name, password and a second form of authentication.
Here you might be able to argue that logging on does prove identity. Although it only proves identity in so far as personal data linked to activity on that account is concerned. Other data (such as email exchanges) can’t be linked directly to that account.
The problem with SARs
It is here where the problem for organisations may lie. Log on securely and you have proved that you as an individual have submitted personal data and you have a right to see that data. However, the very fact that you have logged on means (or is very likely to mean) that the data associated with your account is kept in a structured file that can be accessed easily and discretely.
So in short, most organisations will be able to defend themselves against frivolous requests by asking, quite reasonably, that the person making the request proves their identity.
And where identity has been proved by a secure log on process, the data should be readily available in a structured file.
I am sure that some organisations will suffer from burdensome requests. But as most people are unlikely to request this information, and as requesting it can in many cases be deterred by a request for proof of identity, I cannot see that SARs are likely to be a major problem for UK PLC.
But only time will tell!
Jeremy Swinfen Green is Head of Training and Consulting at Teiss. He has worked as a digital strategist for over 20 years. His latest book The weakest link (Bloomsbury Press, 2016) explains why employees are a threat to cyber security.
Follow him on Twitter @jswinfengreen