Over the last few years I have been seriously troubled in determining an
appropriate level of security to apply to the responses to subject access
requests, given that the data the responses very often contain is
'sensitive' both in the context of the DPA and organisationally. To store
the material with the original data not only complicates the processes, but
also seems to leave the opportunity to allege breaches of principles 1 and 2,
and also compromises any effective defence to that allegation.
One conclusion I have arrived at is that the response material should be
boxed up (or placed in a sealed envelope, together with an audit trail
document for it), and filed away for the relevant period of time. Should it
need to be opened for any reason the audit trail document would need to be
completed and the contents re-sealed following that access.
I have two questions:-
1. Has anybody got a process which manages the security of subject access
response material which could be shown to meet the requirements of
principles 1, 2, 5 and 7?
2. Is anybody aware of any security envelopes/boxes/process which could
facilitate such a process? (The use of an external storage agency could be
one answer, I suppose.)
Ian W