I read today that the BBC is in trouble for “lack of transparency” after it apparently rejected 17.9% of requests for information under the Freedom of Information (FOI) Act, and answered fully only 35% of FOI requests.
Bad press causes rise in volume of FOI requests
Much more interesting to me is the information that the number of FOI requests received by the BBC rose by almost a quarter to just under 2,000 during the 2-year period from 2011 and 2013. The timing of the rise directly coincides with various scandals including the Jimmy Savile investigation, the profligate spending of £100 million on the disastrous digital archive project and the uproar over the extravagant pay-outs to departed senior executives. Not, I think, a coincidence.
All publicity is good publicity …
Some claim that all publicity is good publicity. This is simply untrue. Take data breaches for example. The frequency of data compliance and security breaches is leading to growing press interest and coverage, which in turn is rapidly educating the general population – ie the data subjects (and that’s you and me). And when huge players like eBay and Morrisons are affected – well, breaches of that magnitude become a dripping joint to the media. The news spreads like wildfire, causing further lack of confidence that big companies have any respect for our privacy or personal data.
So as data subjects, we are more likely than ever to demand that organisations account for the way in which they handle and use our personal data; and to take steps to understand the data held about us and how it is used. Subject access requests are a case in point, and a well-publicised data security or compliance breach inevitably results in increased subject access requests.
Worse yet, many businesses still don’t know what their legal obligations are once a subject access request is received – which means they run the risk of a further potential breach.
Subject Access Requests (SARs)
Individuals are perfectly entitled to request a copy of the personal data an organisation holds on them. Once an SAR is received, generally the organisation has a maximum of 40 days to respond and provide the information. Most business can charge a fee of up to £10 for provision of the data – more complex requests, such as those received by schools and the NHS use a sliding scale up to a maximum of £50. Every company should have a documented Subject Access Request policy, and keep records of SARs received, and the way – and timescale – in which they have been handled.
If you have any concerns about SARs specifically, or your data governance, data compliance or data security in general, we’ll be happy to have a chat or answer your queries. Just call us or email firstname.lastname@example.org