Subject Access Requests,
The Right to be Forgotten
and the problems with Unstructured Data
EU Data Protection Legislation – A
whistle-stop tour!!
A lot has changed in the world since the EU Data Protection Directive was first introduced in 1995. The internet was still in its infancy and much less data was stored and transferred electronically than today. It is no surprise then that the legislation is continually being updated to meet the challenges of how global business is conducted in the 21st century.
On 25 January 2012, the Directorate General for Justice at the European Commission announced its legislative proposals for the protection of individuals with regard to the processing and use of personal data. The proposed framework consists of two EU documents: a draft Regulation legislating for general data protection that is “binding in its entirety and
directly applicable in all Member States”; and, a draft Directive (binding but leaving discretion in the choice of form and method to national authorities) with the aim of protecting personal data processed for the purpose of prevention, detection,
investigation or prosecution of criminal offences. The Regulation is expected to come into force in 2015, replacing the 1995 Data Protection Directive (95/46/EC), which is implemented into UK law by the current Data Protection Act 1998 (DPA). The Directive would repeal and replace the existing Data Protection Framework Decision, which was
negotiated in 2008.
What does it mean for your business?
Following the Commission’s publication of the new data protection legislative proposals and ensuing Impact Assessment, the Ministry of Justice (MoJ) launched a ‘Call for Evidence’ that ran from 7th February to 6th March 2012. This consultation
SUMMARY:
EU Data Protection Legislation
Impact on businesses
Subject Access Requests
“Right to be Forgotten”
Developments in the UK
Unstructured Electronic Information
sought information on the expected impact of the draft Regulation and Directive directly from affected stakeholders in the UK. In light of the responses received, the MoJ carried out its own Impact Assessment with the aim of presenting a “fuller summary of the costs and benefits of the proposals and their wide‐ranging impacts on affected sectors of society in the UK.
The MoJ study draws specific cost figures from a variety of sources (including the EC impact
assessment, the Call for Evidence, surveys and other studies) and weights them to reflect the UK business demography, so as to deliver overall cost and benefit ranges. According to the MoJ study, the Regulation is expected to lead to a net cost to business of
between £80 million and £320 million per year.
Narrowing the focus – Subject Access
Requests
The Data Protection Act of 1998 followed the EU Directive and one of the key rights for individuals was to give them access to their personal data on request. By making a “subject access request” any individual can request all personal data held about them to check the accuracy. The current Act states that the data controller can charge a fee of up to £10 when supplying individuals with a copy of their personal data. The £10 fee does not cover the cost of collating and supplying the information but does, at least, act as a small check to discourage frivolous or vexatious requests.
Under the new proposed EU Data Protection Regulation, organisations would have to supply this
information free of charge. If we consider that the volume of data held by organisations now is significantly greater than when the original Directive was passed in 1995 and the fact that collating all the personal data relating to an individual is more difficult now than it ever has been, then removing the charge for a subject access request would seem to be the exact opposite of what is required.
Some organisations hold a vast amount of personal data in many different formats and in many
locations. You have live data that might be online and backup archives in various formats. Much of this data in the past would normally have been in a structured format such as a database. This made searching the data simpler. Now data controllers have to deal with unstructured electronic data, e.g. emails, with no indexing and have to try to identify which data refers to the individual and therefore falls within the definition of personal data.
Consider an organisations’ email records. One person might be referenced in these emails by many
different names. Not only that but these emails also might refer to other records stored in other formats
i.e. paper files.
On the positive side, the proposed Draft Regulation does allow the data controller to provide the personal information asked for in a subject access request to the data subject in electronic format, if the information is held electronically and the data subject agrees. This makes perfect sense and would save a lot of unnecessary printing of information which, when received by the data subject, may be then transferred back into electronic format.
Are all Subject Access Requests the
same?
The use and effect of subject access requests (SARs) varies from jurisdiction to jurisdiction. In some European jurisdictions these rights have not caused significant problems. SARs are either rare or not interpreted in a way that requires extensive searching of unstructured electronic data (for example, in Sweden it is not necessary to search
unstructured electronic data in response to SARs under the so-called Unstructured Material Rule). However, in other jurisdictions, such as the United Kingdom, these rights are used frequently and strictly enforced by the regulator.
There is anecdotal evidence that some data controllers in the UK have received over one million
subject access requests in a single year.
Rights of the Data Subject
The practical and financial challenges that have sparked the most discussion by stakeholders are those that relate to provisions that strengthen the rights of data subjects. Notably:
Art. 12: abolishment of the fee for subject access requests;
Art. 17: the Right to be Forgotten and to erasure; and,
Art. 18: the right to data portability. Some stakeholders are concerned that these measures may have the unintended effect of distorting consumer behaviour. In the case of fee abolishment, there is the concern that this will lead to an increase in frivolous and/or vexatious
requests, putting strain on resources and budgets. Similarly, business respondents feel that the provision on data portability may induce consumers to swamp companies with requests to have their personal data made available to them in an agreed format for reuse, putting severe strain on their resources (particularly in the case of SMEs). According to the MOJ’s Impact Assessment, the additional cost to business of removing fees for data subjects to access their data depends solely on the cost of responding to a SAR and on the increase in number of SARs. The loss in income from the fee itself is more than offset by the removed cost of administering the fee. The MoJ estimates that removing the £10 fee will increase the number of SARs by 25‐40%.
The estimated cost of responding to a SAR ranges between £50‐£100 per request (though
respondents to the MoJ’s Call for Evidence from the
financial services sector reported costs of £550‐ £650 per request).
The European Commission proposed in 2012 that people should have the "Right to be Forgotten" on the Internet. This was watered down by the
European Parliament last year in favour of a "right to erasure" of specific information. The proposal needs the blessing of the 28 European Union governments before it can become law. Google, Facebook and other Internet companies have lobbied against such plans, worried about the extra costs.
The issues of privacy and data protection in Europe have become all the more sensitive since a former U.S. intelligence contractor, Edward Snowden, leaked details last year of U.S. surveillance programmes monitoring vast quantities of emails and phone records worldwide.
The Court of Justice of the European Union (ECJ) upheld the complaint of a Spanish man who objected to the fact that Google searches on his name threw up links to a 1998 newspaper article about the repossession of his home. The case highlighted the struggle in cyberspace between free speech advocates and supporters of privacy rights who say people should have the "Right to be Forgotten" - meaning that they should be able to remove their digital traces from the Internet.
The requirement creates technical challenges as well as potential extra costs for companies given they will be required to remove data that are "inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes for which they
were processed and in the light of the time that has elapsed”.
European Justice Commissioner Viviane Reding said that the court ruling vindicated EU efforts to toughen up privacy rules. "Companies can no longer hide behind their servers being based in California or anywhere else in the world," she said.
Developments in the United Kingdom
The problems with SARs for unstructured electronic data fit uncomfortably with the legislative framework in the United Kingdom. There is no explicit relief in the UK Data Protection Act 1998 for data controllers facing unreasonably broad SARs.
Instead, data controllers faced with a subject access request demanding “all” the personal data held about an individual have tended to rely on other provisions. For example, the data controller can ask the individual for further information necessary to locate the information they seek (section 7(3) of the Act) and need not provide copies of personal data if it would involve disproportionate effort (section 8(2) of the Act).
This normally manifests itself through the selection of appropriate search parameters such as limiting searches to particular systems or mail boxes and using key words or data ranges to further narrow the scope of the search. Ideally, these parameters are agreed with the individual but, if not, the extent to which searches can be limited is controversial.
In Ezsias v Welsh Ministers [2007] All ER (D) 65 the High Court decided that it was only necessary to conduct a "reasonable and proportionate" search in
response to that subject access request. However, guidance from the Information Commissioner issued at the start of this year suggested that it is still necessary to use “extensive efforts” to search for personal data but having used those efforts it is not necessary to “leave no stone unturned”. The guidance also suggests it is necessary to conduct a “reasonable” search of archived (“non-live”) data, particularly where the individual has provided details of the information they are seeking to locate, but it is not necessary to reconstitute deleted data even if it might be
technically possible to do so.
Unstructured Electronic Information
Whilst the subject access right sounds
straightforward, it can be difficult to comply with in practice. Data controllers have had to contend with the growth of unstructured electronic data e.g. emails. Responding to broad requests from
individuals for “all” personal data held about them in an unstructured format can be very difficult, if not impossible. There are a number of reasons for this: Volume. Some unstructured data sets are huge. Large organisations are likely to have hundreds of millions, if not billions, of emails. Searching across such large data sets presents significant logistical challenges. This problem is aggravated by the fact that this data is likely to be stored in a number of different formats (for example, “live” data, back-ups and archived data). Recovering and restoring backed-up or archived data can be very costly.
Lack of indexation. Another common problem with unstructured data is the difficulty of quickly and accurately identifying information about a particular individual. In a traditional structured relational database each individual will normally have a unique identifier allowing rapid location and extraction of information about them. In contrast, individuals in unstructured data can be referred to in a number of ambiguous and
duplicate ways. For example, emails about “John Smith” might refer to him as “John”, “JS”, “Mr Smith” etc. Moreover, not every reference to “Mr Smith” will be to John Smith. Locating and extracting information about a particular individual from unstructured data will normally require an expensive and time consuming manual review.
Mixture of information. Finally, unstructured data normally contains a mixture of different types of information. Emails might contain information on a number of different topics or about a number of different individuals. This again adds to the difficulty of responding to SARs given the need to manually redact irrelevant information from any response (not least to protect the privacy of other individuals identified in that data).
Key issues
A lack of understanding about the provisions in the EC’s proposed general data protection Regulation persists across business. Uncertainty is pervasive across the provisions of the proposed regulation and affects more abstract and unsettled aspects, such as the obligations of data controllers under the so‐ called ‘Right to be Forgotten’, as well as seemingly straightforward changes e.g. those regarding administrative fines and the appointment of Data Protection Officers.
The majority of businesses are unable to quantify their current spending in relation to data protection responsibilities under existing law – and this persists in relation to estimates for expected future spending under the new proposals. This uncertainty indicates that existing evidence on the financial impact of the regulation is difficult to corroborate. Further research is required to clarify some important issues, e.g. the role of privacy and data protection in determining the level and intensity of consumer participation in online markets.
The lack of understanding strongly indicates that there is a key role to play in educating and
supporting businesses to increase their awareness and understanding of the forthcoming changes. The priorities for supporting business in implementing
the new Regulation should focus on providing guidance on the areas of the new provisions which are shown to be misunderstood – for example the ‘Right to be Forgotten’, but also the new rules on fines, the appointment of Data Protection Officers, SARs and data portability.
Access Data eDiscovery
The proposed legislation is certain to cause many a sleepless night and require a significant rethink as to how businesses currently manage their data. If it’s not given appropriate consideration the costs of meeting these new obligations are likely to spiral and reputational risk increase disproportionately.
The key challenge is how a business can ensure that it has unequivocal access to all of the data it requires in a format that can easily be accessed and
subsequently manipulated to meet business and regulatory requirements.
AD eDiscovery provides a fully integrated platform for enterprise-wide search, collection, systemized preservation, processing, data assessment and complete review. It provides robust processing capability which, in-turn, provides a comprehensive and unequivocal response to today’s data privacy requirements.
It provides “Enterprise Collection”; namely it finds and collects needed data from the broadest range of structured and unstructured data sources of any single platform on the market. Using workflow-driven templates, AD eDiscovery performs “agentless” collections from e.g. Google Docs, Gmail Corporate/Administrator, Microsoft Exchange,
Microsoft Sharepoint, Oracle, Cloud and Web-Based Email (IMAP & POP) etc.
Relationships are easily mapped between data sources and can schedule collection and processing jobs to begin at your convenience. If any source of data disconnects during a collection, eDiscovery automatically picks back up where it left off,
eliminating the annoyance and delay of starting over again.
This will significantly reduce processing time and you can assign secure web access to AD eDiscovery to teams in any location for unlimited collaboration in the processing, culling and analysing of information. With multiple forensic image and native file support of over 700 formats, as well as advanced search, filtering and clustering technology built into the single application, AD eDiscovery offers
unprecedented, complete coverage and control of your data.
KSC and PerformIT working in conjunction with Access Data eDiscovery, has developed a unique solution that enables businesses to produce a comprehensive view of their “data estate”. This will
subsequently enable businesses to clearly interpret their respective legal, regulatory and business requirements and consolidate this information into a single reporting repository. There are, of course, numerous associated benefits of doing so and in addition to the peace of mind that your data is under some semblance of control, we have proven that we can dramatically reduce the associated costs of processing SARs and addressing the requirement of “Right to be Forgotten”.
How can we help you?
To learn more about how we can assist you, please feel free to contact Mark Child – Partner, Technology Risk Management.
Tel: +44 (0)20 7566 3731 Email: [email protected]
About Kingston Smith Consulting LLP
Kingston Smith Consulting (KSC) is the specialist consulting practice of the top 20 accountancy firm Kingston Smith LLP.
Established in 2009, KSC provides services in all aspects of Technology Risk Management, Governance and Controls Assurance and Legal and Regulatory Compliance. In addition, we have a team skilled at specialist services such as due diligence, supplier selection and third party management. We maintain strong relationships with allied service providers in order to be your “one stop” consulting solution.
Kingston Smith Consulting LLP
Devonshire House, 60 Goswell Road, London EC1M 7AD, UK Telephone +44 (0)20 7566 3732 Fax +44 (0)20 7566 4010
A list of partners is available for inspection at the above address.
Registered in England and Wales as a Limited Liability Partnership: No OC341786 Registered office: Devonshire House, 60 Goswell Road, London EC1M 7AD, UK
About PerformIT
PerformIT is an IT services company that provides IT Support & Forensic eDiscovery services. PerformIT helps companies understand their data landscape and how best to manage it in the face of a changing regulatory landscape.
PerformIT
54 Clarendon Road, Watford, Hertfordshire WD17 1DU, UK Telephone +44 (0)844 815 7255
