Internacionales

Understanding your data rights

Data subjects have eight data rights (European Council 2016). The study has shown no correlation between the number of data subjects at a provider compared with the number of data subject requests received. During interviews, Data Protection Officers state the requests they receive are not because of the introduction of the General Data Protection Regulation but, instead because people are angry or upset with something (participant 3). This view was shared by current Further Education students during focus groups, with students stating they were more likely to be interested in how their data is used if they know it has been mistreated or a data breach occurred. Only one of the students who participated stated they requested data purely out of interest to see what was held.

Interview participants stated there is a perception people are more aware of their rights post- GDPR. This cannot be linked to any one source however, it is acknowledged the media have played a key part in this. Data Protection Officers find people quicker to reference GDPR but find they do not always understand how GDPR links to the request they are making. Fake news, focusing on marketing and miss-truths around consent are partially to blame (Strawbridge 2018; Hern 2018; Salsbury 2017; Field 2017). Organisations are having to myth bust, re-educate staff and students on what data protection really means.

The foundations of good information governance will mean organisations can demonstrate how the systems and processes they have in place enable them to understand the data they hold and how it flows through their organisation. Good information governance helps ensure compliance with data protection legislation, including the ability to respond to data subject right requests within the statutory timeframes.

Right of access

Right of access gives data subjects the right to know whether a controller holds their personal data and if this is the case, to obtain a copy of that data (European Council 2016). Of the 246 providers who responded to the questions on data subject rights, 64 providers stated they have not received any right of access requests between 25 May 2018 and 25 May 2019. While not impossible, it would be fair to assume someone might request their data within this timeframe. This could indicate poor record keeping or highlight a gap in staff training to be able to identify and escalate right of access requests to their Data Protection Officer. More optimistically, it may suggest some organisations are better at being transparent in the way they use personal data with the systems in place to make personal information readily available to the data subject. Only 138 providers recorded the number of data requests received from law enforcement and official authorities, restricting the value of any data analysis. Where this data is recorded several

providers stored this across multiple systems depending on who responded and therefore could not efficiently provide a figure for the number of requests received. This highlights that providers can do more to improve their record keeping and understand what data they have shared with third parties.

Right of erasure

Right of erasure, also referred to as the right to be forgotten, enables a data subject to have their personal data deleted when certain criteria are met (European Council 2016). Right of erasure requests are less common that right of access with 193 providers having not received a request in the first year from 25 May 2018.

Request response time

The General Data Protection Regulation reduces the amount of time providers have to comply with data right requests from 40 working days to one calendar month. 98.4% of the providers who responded stating they had received right of access requests had fulfilled all the requests within the statutory one month response timeframe. Providers who had to extend this timeframe highlighted the root cause as complexities in the requests made rather than a failing in process. In comparison 87.3% of the 55 providers who received a right of erasure request fulfilled the requests within the statutory one month response timeframe.

The vast quantities of personal data held within the Further Education sector, often held across a variety of independent databases and manual systems is a contributing factor to the resource involved in complying with requests. From a governance viewpoint the provider must have an accurate data map to know where the data is held. This is one of the biggest challenges for providers. Once they have located the data there are technical considerations of whether historic applications will have the tools built in to export the data. Providers without a dedicated Data Protection Officer, may be presented with the challenge of allocating someone with the time and knowledge to collate, apply exemptions, redact and respond to the request within the statutory timeframe.

Chapter Summary

Data right requests existed under the previous legislation but there is now greater demands on providers to recognise and comply with these requests in a timely manner (European Council 1995; European Council 2016). Where requests have been received, the majority have been returned inline with statutory timeframes. However, providers must ensure they have the processes and resources to return all requests. Staff must have sufficient training to be able to identify and escalate data right requests, particularly within the 64 providers who claim to have never received a request.