How Aeonian Projects supported a social care provider to meet a Subject Access Request deadline.
Our client is a Local Authority Trading Company (LATCo) that has around 400 staff. It provides adult social care services including day care, respite care and other assistance for adults with various support needs. It has a duty of care to its customers and data protection is high on its agenda. However, when an employee made a Subject Access Request to the organisation, data protection took on a whole new meaning.
Employee makes Subject Access Request
The individual (the ‘data subject’) requested the most recent five months’ data relating to them that our client, as their employer, held. This included their sickness absence record and any conversations referring to them recorded in writing.
Our client had little experience of handling an SAR of this nature before. Although the request was simple, execution was to prove difficult.
The client was not sufficiently prepared for the request and had no processes or procedures in place to retrieve data effectively.
Missing the statutory deadline of one calendar month could result in complaints from the subject as well as scrutiny from the ICO (Information Commissioner’s Office).
What is a Subject Access Request?
A Subject Access Request (SAR) occurs when an individual exercises their Right of Access, a fundamental right under UK and EU data protection legislation.
Any individual can request all or some of the information that an organisation holds on them. The individual who makes the request is known as the ‘data subject’.
All Subject Access Requests must be completed and returned to the subject within one calendar month. There are rare exceptions, but these require robust justification and should never be relied upon.
Social care provider contacts Aeonian Projects
Aeonian Projects was consulted for advice on processing the request. We identified their objectives as:
- Determining whether the request was valid.
- Retrieving all data held on the requester whilst remaining impartial and unbiased.
- Assessing the information and redacting third party data.
- Keeping the statutory deadline: ensuring the SAR was completed on time.
Objective retrieval of information
Objective retrieval of information for a SAR is critical. If retrieval is not objective, data could be accidentally omitted or deliberately withheld. The latter is especially likely if the information is contentious to either party.
Meeting the deadline
When the scale of the work became apparent to the client, Aeonian Projects became more heavily involved.
- The client’s IT manager swiftly learnt how to objectively retrieve all relevant information from the organisation’s email and cloud-based storage. This resulted in 31,000 emails and 4,000 documents.
- After de-duplication and initial sorting, 200 emails and 300 documents remained for the DPO and Aeonian Projects to consider for redaction.
- The client’s DPO, supported by Aeonian Projects, assessed the data and redacted third party information.
- With substantial assistance from Aeonian Projects, our client completed the request within the statutory timeframe and a pack of information was sent to the requester both electronically and through the post.
Aeonian Projects kept in regular contact with the Data Protection Officer (DPO) throughout the process providing their expertise and support when needed.
What is redaction?
Redaction is the process of removing data and information from a document.
The requester is not permitted to see certain confidential information or particulars that relate to other individuals. Removal of such information is a vital part of the SAR process.
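As an added illustration, not code from Aeonian Projects or the client, the Python script below shows two of the steps described in this case study in working form: collapsing duplicate copies of the same email retrieved from several mailboxes (the de-duplication step in the list above), then redacting third-party personal data from what remains while leaving the requester’s own details intact. The data subject, the third-party names and the sample emails are constructed for the example.

```python
"""
Added example: de-duplicate retrieved emails, keep those holding data about
the requester, and redact third-party personal data before the pack is sent.
All people, addresses and messages below are constructed.
"""
import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Email:
    msg_id: str
    sender: str
    recipients: tuple
    subject: str
    body: str


# Constructed data subject (the requester). Their own details are NOT redacted.
DATA_SUBJECT = {"name": "Alex Example", "email": "alex.example@latco.example"}
# Constructed list of other staff named in the export (in practice from the HR roster).
THIRD_PARTIES = ["Jo Bloggs", "Chris Other"]

# Constructed export: m1 and m2 are the same message found in two mailboxes;
# m4 never mentions the requester and so must not go into the pack.
SAMPLE_EMAILS = [
    Email("m1", "jo.bloggs@latco.example", ("hr@latco.example",),
          "Sickness absence - Alex Example",
          "Hi HR,\nAlex Example was off sick on 3 March. Jo Bloggs\n07700 900123"),
    Email("m2", "jo.bloggs@latco.example", ("hr@latco.example",),
          "Sickness absence - Alex Example",
          "Hi HR,\n\nAlex  Example was off sick on 3 March. Jo Bloggs\n07700 900123 "),
    Email("m3", "hr@latco.example", ("chris.other@latco.example",),
          "Re: return to work",
          "Chris, please meet Alex Example and Jo Bloggs on Monday."),
    Email("m4", "hr@latco.example", ("chris.other@latco.example",),
          "Rota for May",
          "Chris Other covers the Tuesday day-care shift."),
]

WS = re.compile(r"\s+")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
UK_MOBILE_RE = re.compile(r"\b07\d{3}\s?\d{6}\b")


def content_key(email):
    """SHA-256 of the whitespace-normalised subject and body, so the same
    message exported from two mailboxes (different msg_id) collapses to one."""
    norm = WS.sub(" ", f"{email.subject}\n{email.body}").strip().lower()
    return hashlib.sha256(norm.encode("utf-8")).hexdigest()


def deduplicate(emails):
    """Keep the first copy of each distinct message content."""
    seen, unique = set(), []
    for e in emails:
        key = content_key(e)
        if key not in seen:
            seen.add(key)
            unique.append(e)
    return unique


def mentions_subject(email, subject):
    """True if the message holds data about the requester (headers or body)."""
    hay = " ".join([email.sender, *email.recipients, email.subject, email.body]).lower()
    return subject["name"].lower() in hay or subject["email"].lower() in hay


def redact(text, subject, third_parties):
    """Remove third-party email addresses, UK mobile numbers and listed names.
    The requester's own email address is left in place."""
    out = EMAIL_RE.sub(
        lambda m: m.group(0) if m.group(0).lower() == subject["email"].lower()
        else "[REDACTED EMAIL]", text)
    out = UK_MOBILE_RE.sub("[REDACTED PHONE]", out)
    for name in third_parties:
        out = re.sub(re.escape(name), "[REDACTED NAME]", out, flags=re.IGNORECASE)
    return out


def build_pack(emails, subject=DATA_SUBJECT, third_parties=THIRD_PARTIES):
    """De-duplicate, filter to the requester's data, redact, and return the pack."""
    pack = []
    for e in deduplicate(emails):
        if not mentions_subject(e, subject):
            continue
        pack.append({
            "msg_id": e.msg_id,
            "from": redact(e.sender, subject, third_parties),
            "to": [redact(r, subject, third_parties) for r in e.recipients],
            "subject": redact(e.subject, subject, third_parties),
            "body": redact(e.body, subject, third_parties),
        })
    return pack


if __name__ == "__main__":
    for item in build_pack(SAMPLE_EMAILS):
        print(item["msg_id"], "|", item["subject"])
        print(item["body"], "\n")
```

Run as written, the script reduces the four constructed messages to three distinct ones, drops the rota email that holds nothing about the requester, and outputs two redacted messages. Note that the fixed name list catches “Jo Bloggs” but not the bare first name “Chris” in m3: automated redaction is only a first pass, which is why the DPO’s manual assessment of every remaining item, as described in this case study, is still required.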
The bigger picture
The Subject Access Request, though small in scale in terms of the parameters, was both time consuming and expensive for the client.
- Retrieval of information from the computer system slowed the IT manager’s computer, making them less productive as a consequence.
- Other projects were paused whilst the SAR was dealt with, resulting in multiple projects being delayed.
- The internal DPO spent approximately 48 hours on the SAR assessing and redacting the information retrieved by the IT manager. The role of DPO is held as a secondary one to that of their main role in quality assurance. The individual worked overtime to ensure their primary role was not neglected.
- Aeonian Projects dedicated 48 hours to supporting the client.
- Although completed within the statutory timeframe, further queries were made by the requester to our client. At the time of writing, correspondence was still ongoing.
- IT manager: new knowledge of information retrieval within specific parameters from cloud-based storage and email systems.
- DPO: new awareness of the processes, procedures and time required to complete an SAR within the statutory timeframe. Learning and development within the Data Protection role.
- Organisation-wide: Policies and procedures quickly put in place. Future SARs will be easier to handle, less time consuming to staff and less costly to the business.
Aeonian Projects was swift to act and provided professional guidance and support throughout the whole process. We were on hand to give advice when required and kept the project to target, ensuring statutory requirements were met.
For confidentiality reasons Aeonian Projects cannot release the name of the social care provider involved in this SAR. Rest assured, however, that Aeonian Projects received the full permission and support of the client to undertake and publish this case study.
“Having Aeonian Projects support with the SAR was so helpful. Sam Linton is a GDPR expert and her support and guidance with the process was invaluable, ensuring the required information was provided within the ICO deadline.” – Chief Financial Officer
Need advice or support?
If you want to be prepared and in the best position to respond to rights requests, then contact us now – email@example.com
Savvy Data support packages are designed to ensure you have the best of data protection knowledge, support and guidance at your fingertips, without having to employ an in-house DPO.
Although the legislation is the same for everyone, for small or micro-businesses operational risks are often much lower. Savvy Data Pre-Paid Credits will bring you all the support you need without a monthly commitment.
For large-scale operations with a sizeable staff team or a big customer base, Savvy Data Monthly leaves you safe in our hands.
Special rates are available for charities and not-for-profit organisations. See our website for further details.
Dr Sam Linton is an experienced Data Protection practitioner supporting businesses to successfully negotiate the world of Data Protection, GDPR and Privacy.
Get in touch to find out more:
Email – firstname.lastname@example.org
Phone – +44 1482 762 392
Website – www.aeonianprojects.co.uk
LinkedIn – https://www.linkedin.com/in/drsamlinton
Twitter – @aeonianprojects