Nigel Parker of Allen & Overy LLP explains the thinking behind the firm's new data protection application, Access Assist.
Allen & Overy has recently launched what is believed to be the first data protection application, or "app", of its kind: Access Assist, which is designed to help organisations manage the costly and time-consuming task of responding to data subject access requests.
The right of individuals to access information about themselves is at the heart of data protection legislation. The Data Protection Act 1998 (DPA) gives individuals the right to be told what personal data an organisation is processing about them and to receive a copy of that information. A request for this information is generally referred to as a "data subject access request" (see box "Subject access requests").
Dealing with data subject access requests can be challenging. Some key issues faced by organisations in receipt of a request include the following:
Employees may not recognise a subject access request. This can arise due to inadequate training, lack of awareness or lack of appropriate policies. If the recipient of a request fails to take appropriate action (usually, to refer the request to an appropriate person within the organisation), this could lead to a failure to comply with the requirements of the DPA or, alternatively, to the provision of information to which an individual is not entitled.
Risks associated with compliance. The provision of confidential or sensitive information could inadvertently lead to leakage of valuable proprietary information, which could have a financial impact on a business. It could also potentially lead to breaches of obligations of confidentiality owed to third parties. The provision of information, whether confidential or not, could fuel litigation against the organisation or expose it to negative publicity.
The cost of compliance. The process of searching for information requested by a subject, providing copies of that information, and considering the application of exemptions under the DPA, can require substantial resources and can result in significant internal and out-of-pocket costs. This review process can often entail searching archives of millions of emails and certain hard copy records, as well as reviewing, and then copying and redacting (where appropriate), large numbers of documents.
Risks associated with non-compliance. In the most serious cases, non-compliance can lead to fines by the Information Commissioner or to claims by data subjects through the courts seeking compensation for any damage and distress caused by an organisation's failure to comply. It could also lead to other enforcement action by the Information Commissioner's Office (ICO). A complaint to the ICO, which is the most likely immediate consequence of a failure to comply, can result in legal and administrative costs, as well as damage to reputation.
Requests are often received in connection with employee disputes, customer complaints or litigation with the data subjects. The subject access request process can also be abused, whether as a tactic to fish for information to fuel claims, to cause inconvenience and cost to data controllers, or to apply pressure to settle disputes.
The development of Access Assist follows the success of the "Little Red App", which was launched in 2011 by Allen & Overy's employment team, together with a perceived increase in the use of data subject access requests as a tool in litigation.
A decision was taken to develop Access Assist for iPads, chosen for the portability of the device (so that the app can be used outside the office) and because the volume of content is better suited to a larger screen. The content of the app was created internally by members of the firm's London data protection team, who worked closely with an external design and software development agency. During the development process, the prototypes were tested by several clients and also demonstrated to the ICO.
The response from businesses using the app has been very positive. The ICO has also welcomed the app. The Deputy Commissioner with responsibility for data protection, David Smith, said: "We congratulate Allen & Overy on the development of this app. The right of subject access is at the heart of the Data Protection Act. Any tool that makes it easier for businesses to understand and meet their obligations to those individuals they hold information about can only be welcomed."
The app is designed to help companies address some of the challenges that organisations face in relation to the DPA (see box "Subject access requests").
It aims to assist users in determining:
Whether a request for information is a legitimate data subject access request.
Whether, and to what extent, the organisation has an obligation to respond under the DPA.
The necessary steps to take in order to comply with the DPA.
Using a novel Q&A system, the app guides users through a dynamic series of questions (with "yes" or "no" answers) to help determine whether action needs to be taken. It provides handy access to case law, legislation, ICO guidance and Allen & Overy views, which are presented alongside the relevant questions in the tool as well as through a conventional index.
Nigel Parker is a senior associate in the data protection team at Allen & Overy LLP in London. The Access Assist app can be downloaded for free from the Apple App Store.
Section 7 of the Data Protection Act 1998 (DPA), implementing Article 12 of the Data Protection Directive (95/46/EC), gives individuals the right to be told what personal data an organisation is processing about them and to receive a copy of that information by making a data subject access request.
In the UK, a data controller must respond to a valid subject access request promptly, and in any event within 40 calendar days of receiving it. A nominal fee of no more than £10 can be charged in relation to most subject access requests.
Failure to deal with a subject access request will typically lead to a complaint to the Information Commissioner, who has the power to take enforcement action or to issue a fine in the case of serious breach of the DPA.