Hi All,

A quick sense check if I may... We've received our first SAR sent from the organisation 'Rightly' (https://www.rightly.co.uk/). From review of their privacy notice it appears they have a business model of charging individuals to make SARs or exercise their other data protection rights - something I'm not a personal fan of when it is meant to be free, but I appreciate this may allow for multiple requests to be made at one time.

I wanted to check if anyone on list has received, or responded to, any requests via 'Rightly' and how they proceeded with them. My initial challenge will be for them to demonstrate to me that they have the authority to make the request on behalf of the requestor; which is not detailed in their email. They also have a few links in their covering email to other documentation including passport details which brings up its own data security issues. I like the touch that they provide the email address of the requestor but state that it is not to be used for correspondence when I may wish to use that to verify the request! Finally, they have purported that we can respond through their "secure" link (provided in the email); I'm not keen to use a site I have no control over to provide a response even if it is https; but, if authorisation has been provided by the subject, is the data security risk then placed on the requestor because they have decided to use this method of making the request - even if they are unlikely to have considered the security implications?

I also get the impression this process might lead to individuals making requests to organisations they have had no contact with at any point; as if you are paying for a service you might as well ask everyone; unless their model included a per request fee.

Thanks in advance for any input either on or off list.

Cheers

Mark

Mark Knight
Information Governance Officer
Corporate Governance & Performance
www.ucas.com
Rosehill | New Barn Lane | Cheltenham | GL52 3LZ

Registered office as above.  Registered company No 2839815.
Registered charity No. (England and Wales) 1024741 and (Scotland) SC038598.


This email and any attachments may contain confidential material and are solely for the use of the intended recipient(s). If you have received this email in error, please notify the sender immediately and delete this email. If you are not the intended recipient(s), you must not use, retain or disclose any information contained in this email. Emails are susceptible to interference and UCAS accepts neither responsibility for information, errors or omissions in this email nor for its use or misuse or any act committed or omitted in connection with this communication.

No employee or agent is authorised to conclude any agreement binding on the UCAS group of companies without a UCAS Purchase Order or a correctly authorised contract

UCAS reserves the right to monitor and intercept communications for lawful business purposes.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
     All archives of messages are stored permanently and are
      available to the world wide web community at large at
      http://www.jiscmail.ac.uk/lists/data-protection.html
     If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
All user commands can be found at https://www.jiscmail.ac.uk/help/subscribers/subscribercommands.html
 Any queries about sending or receiving messages please send to the list owner
              [log in to unmask]
  Full help Desk - please email [log in to unmask] describing your needs
        To receive these emails in HTML format send the command:
         SET data-protection HTML to [log in to unmask]
   (all commands go to [log in to unmask] not the list please)
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^