The Data Protection (Jersey) Law 2018 (DPJL) provides individuals with a number of rights and the one most commonly used is the Right of Subject Access, also known as a Subject Access Request or ‘SAR’.
The Jersey Office of the Information Commissioner (JOIC) is mindful the Right of Access process can be resource intensive and sometimes overwhelming depending on the complexity of the request and wants to have an open dialogue with organisations during its Right of Access awareness campaign which is running for the next two weeks.
The JOIC wants to learn more about the challenges organisations are facing in this sphere and find out if there are any areas of its guidance that could be improved.
Adrian Hayes, JOIC’s Compliance and Enforcement Manager, said: “When handling a Right of Access request, a lack of communication can impede progress, undermine trust and lead to frustration for data subjects (individuals).
“Our office is urging organisations to communicate with data subjects and keep them informed throughout the Right of Access process, managing their expectations. A focus on staff training is a key part of this process. Organisations must be able to recognise when a Right of Access request is submitted and they must also be aware time limits apply for responses to them”.
The JOIC has guidance to help organisations understand their obligations as well as promote good practice.
The guidance can be found by clicking here and searching ‘Right of Access’. Other tips for handling Right of Access requests include consideration of the following:
- The Right of Access topic should form a key part of an organisation’s data protection regime.
- Team members should have sufficient training so they can recognise a valid Right of Access request.
- Staff should be made aware a Right of Access request can take any format and not necessarily mention ‘subject access request’ or the Data Protection (Jersey) Law 2018.
- The Right of Access is part of a broad suite of information rights available to individuals.
- Communication is key. Before responding to a Right of Access request, the data controller is entitled to ask for information to find the personal data covered by the request.
- Organisations should have in place a Data Protection Policy and Right of Access Request Guide.
All organisations are invited to attend the JOIC’s virtual talk titled ‘The Right of Access – Recognising and responding to a Subject Access Request’ on Friday 11 September, 13:00 – 14:00. To register click here.
Organisations with suggestions for additional guidance that could be helpful to them (separate to that stated above) are asked to contact the JOIC Communications team at [email protected].
For further information regarding obligations contact [email protected] or call the JOIC office on 01534 716530.