Subject Access Requests, The Right to be Forgotten and the problems with Unstructured Data

Transcription

1 Subject Access Requests, The Right to be Forgotten and the problems with Unstructured Data SUMMARY: EU Data Protection Legislation Impact on businesses Subject Access Requests Right to be Forgotten Developments in the UK Unstructured Electronic Information Access Data ediscovery solution directly applicable in all Member States ; and, a draft Directive (binding but leaving discretion in the choice of form and method to national authorities) with the aim of protecting personal data processed for the purpose of prevention, detection, investigation or prosecution of criminal offences. The Regulation is expected to come into force in 2015, replacing the 1995 Data Protection Directive (95/46/EC), which is implemented into UK law by the current Data Protection Act 1998 (DPA). The Directive would repeal and replace the existing Data Protection Framework Decision, which was negotiated in EU Data Protection Legislation A whistle-stop tour!! A lot has changed in the world since the EU Data Protection Directive was first introduced in The internet was still in its infancy and much less data was stored and transferred electronically than today. It is no surprise then that the legislation is continually being updated to meet the challenges of how global business is conducted in the 21st century. On 25 January 2012, the Directorate General for Justice at the European Commission announced its legislative proposals for the protection of individuals with regard to the processing and use of personal data. The proposed framework consists of two EU documents: a draft Regulation legislating for general data protection that is binding in its entirety and What does it mean for your business? Following the Commission s publication of the new data protection legislative proposals and ensuing Impact Assessment, the Ministry of Justice (MoJ) launched a Call for Evidence that ran from 7th February to 6th March This consultation

2 sought information on the expected impact of the draft Regulation and Directive directly from affected stakeholders in the UK. In light of the responses received, the MoJ carried out its own Impact Assessment with the aim of presenting a fuller summary of the costs and benefits of the proposals and their wide ranging impacts on affected sectors of society in the UK. The MoJ study draws specific cost figures from a variety of sources (including the EC impact assessment, the Call for Evidence, surveys and other studies) and weights them to reflect the UK business demography, so as to deliver overall cost and benefit ranges. According to the MoJ study, the Regulation is expected to lead to a net cost to business of between 80 million and 320 million per year. Narrowing the focus Subject Access Requests The Data Protection Act of 1998 followed the EU Directive and one of the key rights for individuals was to give them access to their personal data on request. By making a subject access request any individual can request all personal data held about them to check the accuracy. The current Act states that the data controller can charge a fee of up to 10 when supplying individuals with a copy of their personal data. The 10 fee does not cover the cost of collating and supplying the information but does, at least, act as a small check to discourage frivolous or vexatious requests. locations. You have live data that might be online and backup archives in various formats. Much of this data in the past would normally have been in a structured format such as a database. This made searching the data simpler. Now data controllers have to deal with unstructured electronic data, e.g. s, with no indexing and have to try to identify which data refers to the individual and therefore falls within the definition of personal data. Consider an organisations records. One person might be referenced in these s by many different names. Not only that but these s also might refer to other records stored in other formats i.e. paper files. On the positive side, the proposed Draft Regulation does allow the data controller to provide the personal information asked for in a subject access request to the data subject in electronic format, if the information is held electronically and the data subject agrees. This makes perfect sense and would save a lot of unnecessary printing of information which, when received by the data subject, may be then transferred back into electronic format. Under the new proposed EU Data Protection Regulation, organisations would have to supply this information free of charge. If we consider that the volume of data held by organisations now is significantly greater than when the original Directive was passed in 1995 and the fact that collating all the personal data relating to an individual is more difficult now than it ever has been, then removing the charge for a subject access request would seem to be the exact opposite of what is required. Some organisations hold a vast amount of personal data in many different formats and in many Are all Subject Access Requests the same? The use and effect of subject access requests (SARs) varies from jurisdiction to jurisdiction. In some European jurisdictions these rights have not caused significant problems. SARs are either rare or not interpreted in a way that requires extensive searching of unstructured electronic data (for example, in Sweden it is not necessary to search

3 unstructured electronic data in response to SARs under the so-called Unstructured Material Rule). However, in other jurisdictions, such as the United Kingdom, these rights are used frequently and strictly enforced by the regulator. There is anecdotal evidence that some data controllers in the UK have received over one million subject access requests in a single year. Rights of the Data Subject The practical and financial challenges that have sparked the most discussion by stakeholders are those that relate to provisions that strengthen the rights of data subjects. Notably: Art. 12: abolishment of the fee for subject access requests; Art. 17: the Right to be Forgotten and to erasure; and, Art. 18: the right to data portability. Some stakeholders are concerned that these measures may have the unintended effect of distorting consumer behaviour. In the case of fee abolishment, there is the concern that this will lead to an increase in frivolous and/or vexatious requests, putting strain on resources and budgets. Similarly, business respondents feel that the provision on data portability may induce consumers to swamp companies with requests to have their personal data made available to them in an agreed format for reuse, putting severe strain on their resources (particularly in the case of SMEs). According to the MOJ s Impact Assessment, the additional cost to business of removing fees for data subjects to access their data depends solely on the cost of responding to a SAR and on the increase in number of SARs. The loss in income from the fee itself is more than offset by the removed cost of administering the fee. The MoJ estimates that removing the 10 fee will increase the number of SARs by 25 40%. The estimated cost of responding to a SAR ranges between per request (though respondents to the MoJ s Call for Evidence from the financial services sector reported costs of per request). The European Commission proposed in 2012 that people should have the "Right to be Forgotten" on the Internet. This was watered down by the European Parliament last year in favour of a "right to erasure" of specific information. The proposal needs the blessing of the 28 European Union governments before it can become law. Google, Facebook and other Internet companies have lobbied against such plans, worried about the extra costs. The issues of privacy and data protection in Europe have become all the more sensitive since a former U.S. intelligence contractor, Edward Snowden, leaked details last year of U.S. surveillance programmes monitoring vast quantities of s and phone records worldwide. The Court of Justice of the European Union (ECJ) upheld the complaint of a Spanish man who objected to the fact that Google searches on his name threw up links to a 1998 newspaper article about the repossession of his home. The case highlighted the struggle in cyberspace between free speech advocates and supporters of privacy rights who say people should have the "Right to be Forgotten" - meaning that they should be able to remove their digital traces from the Internet. The requirement creates technical challenges as well as potential extra costs for companies given they will be required to remove data that are "inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes for which they

4 were processed and in the light of the time that has elapsed. European Justice Commissioner Viviane Reding said that the court ruling vindicated EU efforts to toughen up privacy rules. "Companies can no longer hide behind their servers being based in California or anywhere else in the world," she said. Developments in the United Kingdom The problems with SARs for unstructured electronic data fit uncomfortably with the legislative framework in the United Kingdom. There is no explicit relief in the UK Data Protection Act 1998 for data controllers facing unreasonably broad SARs. Instead, data controllers faced with a subject access request demanding all the personal data held about an individual have tended to rely on other provisions. For example, the data controller can ask the individual for further information necessary to locate the information they seek (section 7(3) of the Act) and need not provide copies of personal data if it would involve disproportionate effort (section 8(2) of the Act). In Ezsias v Welsh Ministers [2007] All ER (D) 65 the High Court decided that it was only necessary to conduct a "reasonable and proportionate" search in response to that subject access request. However, guidance from the Information Commissioner issued at the start of this year suggested that it is still necessary to use extensive efforts to search for personal data but having used those efforts it is not necessary to leave no stone unturned. The guidance also suggests it is necessary to conduct a reasonable search of archived ( non-live ) data, particularly where the individual has provided details of the information they are seeking to locate, but it is not necessary to reconstitute deleted data even if it might be technically possible to do so. Unstructured Electronic Information Whilst the subject access right sounds straightforward, it can be difficult to comply with in practice. Data controllers have had to contend with the growth of unstructured electronic data e.g. s. Responding to broad requests from individuals for all personal data held about them in an unstructured format can be very difficult, if not impossible. There are a number of reasons for this: This normally manifests itself through the selection of appropriate search parameters such as limiting searches to particular systems or mail boxes and using key words or data ranges to further narrow the scope of the search. Ideally, these parameters are agreed with the individual but, if not, the extent to which searches can be limited is controversial. Volume. Some unstructured data sets are huge. Large organisations are likely to have hundreds of millions, if not billions, of s. Searching across such large data sets presents significant logistical challenges. This problem is aggravated by the fact that this data is likely to be stored in a number of different formats (for example, live data, back-ups and archived data). Recovering and restoring backed-up or archived data can be very costly. Lack of indexation. Another common problem with unstructured data is the difficulty of quickly and accurately identifying information about a particular individual. In a traditional structured relational database each individual will normally have a unique identifier allowing rapid location and extraction of information about them. In contrast, individuals in unstructured data can be referred to in a number of ambiguous and

5 duplicate ways. For example, s about John Smith might refer to him as John, JS, Mr Smith etc. Moreover, not every reference to Mr Smith will be to John Smith. Locating and extracting information about a particular individual from unstructured data will normally require an expensive and time consuming manual review. Mixture of information. Finally, unstructured data normally contains a mixture of different types of information. s might contain information on a number of different topics or about a number of different individuals. This again adds to the difficulty of responding to SARs given the need to manually redact irrelevant information from any response (not least to protect the privacy of other individuals identified in that data). Key issues A lack of understanding about the provisions in the EC s proposed general data protection Regulation persists across business. Uncertainty is pervasive across the provisions of the proposed regulation and affects more abstract and unsettled aspects, such as the obligations of data controllers under the socalled Right to be Forgotten, as well as seemingly straightforward changes e.g. those regarding administrative fines and the appointment of Data Protection Officers. The majority of businesses are unable to quantify their current spending in relation to data protection responsibilities under existing law and this persists in relation to estimates for expected future spending under the new proposals. This uncertainty indicates that existing evidence on the financial impact of the regulation is difficult to corroborate. Further research is required to clarify some important issues, e.g. the role of privacy and data protection in determining the level and intensity of consumer participation in online markets. The lack of understanding strongly indicates that there is a key role to play in educating and supporting businesses to increase their awareness and understanding of the forthcoming changes. The priorities for supporting business in implementing the new Regulation should focus on providing guidance on the areas of the new provisions which are shown to be misunderstood for example the Right to be Forgotten, but also the new rules on fines, the appointment of Data Protection Officers, SARs and data portability. Access Data ediscovery The proposed legislation is certain to cause many a sleepless night and require a significant rethink as to how businesses currently manage their data. If it s not given appropriate consideration the costs of meeting these new obligations are likely to spiral and reputational risk increase disproportionately. The key challenge is how a business can ensure that it has unequivocal access to all of the data it requires in a format that can easily be accessed and subsequently manipulated to meet business and regulatory requirements. AD ediscovery provides a fully integrated platform for enterprise-wide search, collection, systemized preservation, processing, data assessment and complete review. It provides robust processing capability which, in-turn, provides a comprehensive and unequivocal response to today s data privacy requirements. It provides Enterprise Collection ; namely it finds and collects needed data from the broadest range of structured and unstructured data sources of any single platform on the market. Using workflow-driven templates, AD ediscovery performs agentless collections from e.g. Google Docs, Gmail Corporate/Administrator, Microsoft Exchange,

6 Microsoft Sharepoint, Oracle, Cloud and Web-Based (IMAP & POP) etc. Relationships are easily mapped between data sources and can schedule collection and processing jobs to begin at your convenience. If any source of data disconnects during a collection, ediscovery automatically picks back up where it left off, eliminating the annoyance and delay of starting over again. This will significantly reduce processing time and you can assign secure web access to AD ediscovery to teams in any location for unlimited collaboration in the processing, culling and analysing of information. With multiple forensic image and native file support of over 700 formats, as well as advanced search, filtering and clustering technology built into the single application, AD ediscovery offers unprecedented, complete coverage and control of your data. KSC and PerformIT working in conjunction with Access Data ediscovery, has developed a unique solution that enables businesses to produce a comprehensive view of their data estate. This will subsequently enable businesses to clearly interpret their respective legal, regulatory and business requirements and consolidate this information into a single reporting repository. There are, of course, numerous associated benefits of doing so and in addition to the peace of mind that your data is under some semblance of control, we have proven that we can dramatically reduce the associated costs of processing SARs and addressing the requirement of Right to be Forgotten. How can we help you? To learn more about how we can assist you, please feel free to contact Mark Child Partner, Technology Risk Management. Tel: +44 (0) mchild@kscllp.co.uk About Kingston Smith Consulting LLP Kingston Smith Consulting (KSC) is the specialist consulting practice of the top 20 accountancy firm Kingston Smith LLP. Established in 2009, KSC provides services in all aspects of Technology Risk Management, Governance and Controls Assurance and Legal and Regulatory Compliance. In addition, we have a team skilled at specialist services such as due diligence, supplier selection and third party management. We maintain strong relationships with allied service providers in order to be your one stop consulting solution. Kingston Smith Consulting LLP Devonshire House, 60 Goswell Road, London EC1M 7AD, UK Telephone +44 (0) Fax +44 (0) info@kscllp.co.uk A list of partners is available for inspection at the above address. Registered in England and Wales as a Limited Liability Partnership: No OC Registered office: Devonshire House, 60 Goswell Road, London EC1M 7AD, UK About PerformIT PerformIT is an IT services company that provides IT Support & Forensic ediscovery services. PerformIT helps companies understand their data landscape and how best to manage it in the face of a changing regulatory landscape. PerformIT 54 Clarendon Road, Watford, Hertfordshire WD17 1DU, UK Telephone +44 (0) info@performit.uk.com Registered in England and Wales: No Registered office: 17 Cosgrove Road, Old Stratford, Milton Keynes MK19 6AG, UK