Hi All,

 

A quick sense check if I may… We’ve received our first SAR sent from the organisation ‘Rightly’ (https://www.rightly.co.uk/). From review of their privacy notice it appears they have a business model of charging individuals to make SARs or exercise their other data protection rights - something I’m not a personal fan of when it is meant to be free, but I appreciate this may allow for multiple requests to be made at one time.

 

I wanted to check if anyone on list has received, or responded to, any requests via ‘Rightly’ and how they proceeded with them. My initial challenge will be for them to demonstrate to me that they have the authority to make the request on behalf of the requestor, which is not detailed in their email. They also have a few links in their covering email to other documentation including passport details, which brings up its own data security issues. I like the touch that they provide the email address of the requestor but state that it is not to be used for correspondence when I may wish to use that to verify the request! Finally, they have purported that we can respond through their “secure” link (provided in the email); I’m not keen to use a site I have no control over to provide a response even if it is https; but, if authorisation has been provided by the subject, is the data security risk then placed on the requestor because they have decided to use this method of making the request, even if they are unlikely to have considered the security implications?

 

I also get the impression this process might lead to individuals making requests to organisations they have had no contact with at any point; as if you are paying for a service you might as well ask everyone; unless their model included a per-request fee.

 

Thanks in advance for any input either on or off list.

 

Cheers

 

Mark

 

Mark Knight

Information Governance Officer

Corporate Governance & Performance


www.ucas.com

Rosehill | New Barn Lane | Cheltenham | GL52 3LZ

 


 

Registered office as above.  Registered company No 2839815.

Registered charity No. (England and Wales) 1024741 and (Scotland) SC038598.

 



All archives of messages are stored permanently and are available to the world wide web community at large at http://www.jiscmail.ac.uk/lists/data-protection.html
