Hi, does anybody have experience with receiving DSARs via third-party platforms like rightly.co.uk?
We are starting to see a significant increase in requests this way.
We are not 100% comfortable sharing the documents via this format. Can we refuse due to the sensitivity of some of the personal data we hold?
Stephen Lark
I am DPO for several small/mid size companies and this situation has arisen a few times. I’ve also commented on other questions relating to this issue.
We have a policy as part of the formal DSAR response process that prohibits the release of personal data to a business entity except in the case of legal representation.
We simply contact the data subject directly, ask if they requested the DSAR, why they are doing so, any info they are specifically looking for... and then release their data using the contact details we hold on file.
So far this has proved to be acceptable and has not been challenged.
Sue3003
We deal with a significant number of third-party requests. We are fortunate in most of the business to use our own secure login area, so we require them to use ours rather than theirs. Where we cannot use this, we try to check first with the individual that they have provided a valid LOA, but if we are concerned about the recipient/their repository we will always send to the address we hold on file for the individual. Ultimately, as the DC we remain responsible for the data until it reaches its destination.
Simon
As a general rule of thumb, if a requestor would like the response via rightly.co.uk, and you’ve informed them of the risks having offered a more secure method (e.g. encrypted file share), then that is their reasoned and informed choice.
I don’t think there would be a legal reason for failing to respond by the method the requester has chosen.
Dominga Leone
Yes I have dealt with a few requests and send the information to the registered email address that we have on record, rather than through the Rightly platform itself.
Dominga Leone
To add to Simon’s point, I agree that there is no legal reason not to respond via this service. However, I have avoided using this service for various reasons:
– I am not sure their privacy notice truly reflects their processing. They say they don’t process special categories, but what if the SAR data includes special categories?
– I don’t want to sign into and utilise a tool that our own security teams have not validated as a secure method to transmit data, and with whom our organisation has not done any due diligence and has no contractual agreement. I cannot be sure that interacting with their systems will not impact our wider security.
– I do not know enough about their diligence on identity verification to ensure it is the right data subject.
All of the above could be solved with some time and investigation, but whilst these requests remain low volume, it is not my priority to investigate and address my concerns. In time that may change, but for now, I will be responding using our current process.
Chris Roberts
Dominga, like you, until I am convinced any system for sharing the data is suitable for the data being shared, I will always defer to the system I know is secure.
Great list.