Hi Samantha
When I worked for a previous organisation, I once tried using a central search to retrieve SAR material. The search generated a lot of "false positives" relating to other people with similar names. I was deeply uncomfortable with some of the irrelevant material drawn into the pool - job applications and quite personal information. Search capability has improved since then, but I would want to be very confident that my search would not generate false positives before I adopted that approach again.
Best wishes
Susan.
Susan Graham
Head of Information Governance & Data Protection Officer
University of Edinburgh
Old College
South Bridge
Edinburgh
EH8 9YL
Tel: 0131 6514 100
---------------------------------------------------------------------------------------------
Date: Mon, 7 Mar 2016 14:54:57 +0000
From: Samantha Hill <[log in to unmask]>
Subject: SAR protocols
I am returning to data protection work after having been diverted on to other matters recently, so am only just coming back to this list. Apologies, therefore, for my first email back asking a question but hopefully I'll be able to contribute to discussions as well soon.
Could I ask for brief details of how colleagues deal with SARs in their institutions? We currently ask members of staff to search through their own email accounts for any emails they might have about the data subject requesting their own data (with appropriate reminders that they have to provide everything they find) which has worked until recently when we have a) started to receive more and larger SARs and b) at least two have been run in conjunction with a staff grievance and the members of staff contacted to search for emails have been very reluctant to engage with the SAR process as the grievance process has been very wearing. Staff say they do not have the time to search properly and with the age old problem of people not managing their emails properly I am receiving very large, unfiltered returns the majority of which is not personal data.
In order to make the experience better for everyone involved, I am looking, for the future, at accessing individual staff email accounts centrally myself - with the prior agreement of the individual staff members - to search for emails directly in their own email accounts. However, I am aware that I will need to consult widely before this is a possibility. It would be helpful to me to know how others deal with SARs so I can consider
i) any issues colleagues have come across in searching for emails in this way and,
ii) other - possibly better - ways of doing it.
If its easier to contact me directly please do so either on [log in to unmask] or on my direct number of 02392 843642. I'll be more than happy to collate responses and pass on this information to others if you would find it helpful.
Samantha
Samantha Hill
Information Disclosure and Complaints Manager
University of Portsmouth
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
------------------------------
-------------------------------------------
DO YOU KNOW HOW TO HANDLE ENQUIRES ABOUT STUDENTS AND STAFF?
"I'm worried about my daughter, is she attending classes?" "I'm phoning from the UKBA, I need John Smith's details."
Information about students and staff, including the fact that an individual is or is not a member of the University community, must not be disclosed to a third party, except for a good duly considered reason and in-line with University policy. For further guidance, including how to handle this type of enquiry, visit http://www.ed.ac.uk/records-management.
-------------------------------------------
--
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|