Parliamentarians will soon be debating the
merits of the Data Protection Bill, and I’m wondering whether much
consideration will be given to the implications of the proposal to gift
citizens with “free” Subject Access Requests.
What parliamentarian might oppose such a
measure? After all, what’s not to like about “free” stuff?
But hang on a minute. This stuff is not
“free”. Citizens will pay for it, in the end, through increased charges, as
business costs rise for data controllers.
That's obviously not really an issue if the
cost implications are marginal.
But a good number of the data controllers I
am in regular contact with have no real idea of the cost implications of free
subject access requests. I’m regularly asked about the contingencies other
organisations are making, as they are finding it very hard to make any plans
about what additional resources might be required to ensure that the new SAR
timescales are met, and that (potential) draconian fines for non-compliance
with the new standard are not imposed upon them by the regulator.
How many additional staff should be trained
on dealing with SARs? Where can expert
advice on SAR exemptions be obtained? Can professional advisors be held on
standby just in case the client needs access to specialist advice in a hurry?
If no one has an idea of the potential costs, who within the organisation will
approve the budget that may be required to deal with these contingencies? These
are the sorts of questions that I regularly hear being asked.
While many of the organisations I deal with
are currently facing relatively low levels of SARs currently, they really don’t
have a clue as to how “their” customers’ behaviour will change when the ability
to charge a £10 fee is removed.
And this is before citizens rights groups
encourage individuals to vent their frustration on an organisation through the
weapon of the SAR.
If I were Ryan Air, for example, I would be
seriously worried. That company has already managed to upset many thousands of
its customers through recent changes to its flight schedules, and a good few of
them might feel minded to give it a good administrative kicking by forcing it
to deal with a tsunami of SARs. Just for the hell of it. Don't get mad – get your SAR instead.
So what’s the solution?
If I were a cautions Parliamentarian, I
would amend the Bill by proposing a review mechanism, enabling the Secretary of
State to reintroduce SAR fees if, in the light of experience, data controllers
faced significant hardships in dealing with free SARs.
What does this mean?
It would enable the new Data Protection Act
to be amended in the light of empirical evidence about the implications of the
measure. No hard evidence currently exists as to the implications of “free”
SARs in the UK. So lets see what will happen over the next two years. Granted, data controllers in other EU countries that currently
have a “free” SAR regime experience relatively few difficulties in dealing with
SARs. But perhaps that's because the culture in those countries is that
citizens make relatively few SARs. This cannot be said to be the case in this
country – especially when the complaints logs published by the ICO so
frequently mention frustration with SARs as a key complaint area.
Would this proposal enrage the data
protection community?
To be frank, any proposal can enrage some
sections of the data protection community. The Privacy Taliban might well see this
as an outright attack on the fundamental rights of individuals, and therefore
something to fiercely oppose. But it
isn’t a fundamental human right to expect a free SAR. That’s why our data
protection laws have always provided for modest SAR fees. For those that
support the principle of “free” stuff, of course there will be opposition.
But the majority of the privacy community
might take stock and agree that it would be helpful to continue with the
practice of evidence-based policy making. And if the evidence, based on actual
outcomes, turned out to significantly different to what was expected, any
unwanted (and unforeseen) implications could be dealt with in due course.
Posts
