In my opinion, the best and only way for small/medium businesses to
limit the cost of subject access requests is to convince them to take
only what information they actually want/need instead of asking for
"everything they are entitled to". This is always an interesting
diplomatic battle, but one well worth engaging in!! My favourite tactic
is to invite the person concerned (70% of our DSARs come from staff
members) to have an entirely confidential one-to-one meeting to help me
fill in/sign a formal DSAR application. I talk through the nature of
their "dispute" with the organisation (because let's face it people
don't submit DSARs unless they're already very, very miffed for some
reason). I then advise them on how I think their aims can best be
achieved by giving them a list of various options eg. you could do an
e-mail search but back-ups only go back 12 months so might not be
appropriate for very old disputes. We can give you a copy of your
personnel file in full, but do you really want the CV you gave us when
you applied/your application form (most say no) etc. By the end of the
session, I have an agreed list of things I will provide for them, which
I offer to provide within a week or two. If they stick to their guns on
wanting "everything"; I say, fine, I'll get back to you in 40 calendar
days.
I had a member of staff submit a "give me everything I'm entitled to"
DSAR. I phoned them up, invited them into a private office. It
transpired that a line manager from three years earlier had threatened
to give a written warning over something or other, but not had not done
so. She had now applied for another job, and thought this would be
mentioned in any reference we gave about her. I showed her the
procedure for handling external references; took her to registry to view
her file which proved no record remained of the alleged incident, and
within 24 hours the matter had been dealt with, and not a photocopy had
been needed! She was happy, and I had saved myself 20-30 hours work.
It's a win-win situation,
-----Original Message-----
From: This list is for those interested in Data Protection issues
[mailto:[log in to unmask]] On Behalf Of J.S.M.Whitaker
Sent: 14 July 2006 11:39
To: [log in to unmask]
Subject: [data-protection] Best practice handling of SARs
I've just recently been handling an SAR for a small organisation. Quite
a time-consuming (and hence expensive) operation. Fortunately it does
not get many.
If anyone has available to share what they consider to be good practice
in how a small (300 staff) but fairly complex organisation ought to
organise itself to deal with these effectively but at minimum cost, I
would be most interested. (Installing organisation-wide EDRMS is not an
option.)
Key areas of concern:
Email handling (Exchange and pst file based) Good redaction tools (I
find the Microsoft add-in for Word OK but not
wonderful)
Training resources for HR staff.
Regards
Jim
========================================================================
=
-----Original Message-----
From: This list is for those interested in Data Protection issues [
<mailto:[log in to unmask]>
mailto:[log in to unmask]] On Behalf Of Tony Bowden
Sent: Friday, July 14, 2006 11:12 AM
. . .
To bring this slightly more back on track for this list, isn't there a
parallel here with DPA? Without good systems in place for dealing with
SARs, organisations can spend a lot of time, energy, and money dealing
with each request. A well co-ordinated series of SARs could act as a DoS
attack to many companies.
The best way to handle this of course is to have wonderful integrated
systems where each SaR requires just a single mouse click for the
information to be collated, printed, and sent automatically to the
requestor!
. . .
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving message please send to the list
owner
[log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
This message is for the use of the intended recipient(s) only.
If you have received this message in error, please notify the sender and delete it.The British Council accepts no liability for loss or damage caused by software viruses and you are advised to carry out a virus check on any attachments contained in this message. Our purpose is to build mutually beneficial relationships between people in the UK and other countries and to increase appreciation of the UK's creative ideas and achievements. The British Council is registered in England as a charity.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving message please send to the list owner
[log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|