Thanks Antoinette
Yes, I always used to work that way with students and would certainly expect
the sensible discussion route to have been followed, but in the cases I am
dealing with there are likely to be trade unions/solicitors/Industrial
Tribunals in the background before we get to an SAR.
Regards
Jim
=============================================================
-----Original Message-----
From: This list is for those interested in Data Protection issues
[mailto:[log in to unmask]] On Behalf Of Carter, Antoinette
(MCS)
Sent: Friday, July 14, 2006 12:13 PM
To: [log in to unmask]
Subject: Re: [data-protection] Best practice handling of SARs
In my opinion, the best and only way for small/medium businesses to limit
the cost of subject access requests is to convince them to take only what
information they actually want/need instead of asking for "everything they
are entitled to". This is always an interesting diplomatic battle, but one
well worth engaging in!! My favourite tactic is to invite the person
concerned (70% of our DSARs come from staff
members) to have an entirely confidential one-to-one meeting to help me fill
in/sign a formal DSAR application. I talk through the nature of their
"dispute" with the organisation (because let's face it people don't submit
DSARs unless they're already very, very miffed for some reason). I then
advise them on how I think their aims can best be achieved by giving them a
list of various options eg. you could do an e-mail search but back-ups only
go back 12 months so might not be appropriate for very old disputes. We can
give you a copy of your personnel file in full, but do you really want the
CV you gave us when you applied/your application form (most say no) etc. By
the end of the session, I have an agreed list of things I will provide for
them, which I offer to provide within a week or two. If they stick to their
guns on wanting "everything"; I say, fine, I'll get back to you in 40
calendar days.
I had a member of staff submit a "give me everything I'm entitled to"
DSAR. I phoned them up, invited them into a private office. It transpired
that a line manager from three years earlier had threatened to give a
written warning over something or other, but not had not done so. She had
now applied for another job, and thought this would be mentioned in any
reference we gave about her. I showed her the procedure for handling
external references; took her to registry to view her file which proved no
record remained of the alleged incident, and within 24 hours the matter had
been dealt with, and not a photocopy had been needed! She was happy, and I
had saved myself 20-30 hours work.
It's a win-win situation,
-----Original Message-----
From: This list is for those interested in Data Protection issues
[mailto:[log in to unmask]] On Behalf Of J.S.M.Whitaker
Sent: 14 July 2006 11:39
To: [log in to unmask]
Subject: [data-protection] Best practice handling of SARs
I've just recently been handling an SAR for a small organisation. Quite a
time-consuming (and hence expensive) operation. Fortunately it does not get
many.
If anyone has available to share what they consider to be good practice in
how a small (300 staff) but fairly complex organisation ought to organise
itself to deal with these effectively but at minimum cost, I would be most
interested. (Installing organisation-wide EDRMS is not an
option.)
Key areas of concern:
Email handling (Exchange and pst file based) Good redaction tools (I find
the Microsoft add-in for Word OK but not
wonderful)
Training resources for HR staff.
Regards
Jim
=======================================================================
=
-----Original Message-----
From: This list is for those interested in Data Protection issues [
<mailto:[log in to unmask]>
mailto:[log in to unmask]] On Behalf Of Tony Bowden
Sent: Friday, July 14, 2006 11:12 AM
. . .
To bring this slightly more back on track for this list, isn't there a
parallel here with DPA? Without good systems in place for dealing with SARs,
organisations can spend a lot of time, energy, and money dealing with each
request. A well co-ordinated series of SARs could act as a DoS attack to
many companies.
The best way to handle this of course is to have wonderful integrated
systems where each SaR requires just a single mouse click for the
information to be collated, printed, and sent automatically to the
requestor!
. . .
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving message please send to the list owner
[log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
This message is for the use of the intended recipient(s) only.
If you have received this message in error, please notify the sender and
delete it.The British Council accepts no liability for loss or damage caused
by software viruses and you are advised to carry out a virus check on any
attachments contained in this message. Our purpose is to build mutually
beneficial relationships between people in the UK and other countries and to
increase appreciation of the UK's creative ideas and achievements. The
British Council is registered in England as a charity.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving message please send to the list owner
[log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving message please send to the list owner
[log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|