Doctor! Doctor! I have a SAR – How Long is the Waiting List?

 

A First-Hand Account of the Problems of SAR Processing.

It’s widely known that resources within the NHS are stretched. So what happens when an institution that is already buckling under the pressure receives a consistently large volume of SARs with tight delivery deadlines? Since the GDPR came into force in May 2018, organisations can no longer charge the public a fee for a SAR in most cases, and it’s not just the NHS that is struggling to manage the resulting increase in requests. Even large organisations with far bigger departmental budgets are struggling to keep pace with their SAR responses. At Exonar, however, we believe we have a solution that will dramatically reduce the human effort in processing SARs, easing the pressure on admin staff across the globe, in any sector.


To highlight the need for more system automation, we spoke to a former NHS employee, who shared their insights on processing requests in a recent exclusive interview with Exonar’s Head of Marketing, Dan Welberry. The following points were discussed during the interview:

  • Why do the public need access to their data?
  • The SAR process
  • Privacy and sensitivity of data handled
  • Issues of processing SARs within the NHS
  • Size and scale of requests
  • Turnaround deadlines
  • What would make SAR handling easier?

 

Why Do the Public Need Access to their Data?

‘Within the NHS, a subject access request is usually raised for one of two main reasons;

  • A patient who requires proof of a case for funding purposes.
  • A family member trying to bring probate to conclusion on behalf of the deceased.’

The Process:

‘Before any request for information is considered, the following steps must be taken:’

Image (not reproduced here): the Trust’s SAR procedure flowchart. Source: Black Country Partnership NHS Trust, Subject Access Request Procedure, http://www.bcpft.nhs.uk/documents/policies/i/1623-information-sharing-sop-03-subject-access-request/file

 

Since the GDPR came into force on 25 May 2018, organisations can no longer charge the public a fee for processing a SAR, except where a request is manifestly unfounded or excessive, or where further copies of the same information are requested.


Privacy, Confidentiality and Sensitivity of Data Handled
‘Whenever assessing a case, the privacy of the individual has always been the most important thing to me. If there was any information required that couldn’t be provided, the request would be declined, and I would want to be sure that all the right documents were in place before any records were retrieved. There was always a need to consider the content with discretion too. There may well be a case where the requested content could contain very private information – information that might not be helpful, or might be upsetting, to the family and therefore could perhaps be withheld or redacted. Where historical records were requested, there was also a case for reviewing the language used. What might have been appropriate to say a number of years ago may not be so politically correct today – this too would have to be reviewed.’

 

Issues With Processing SARs Within the NHS

  • Lack of system automation: ‘One of the biggest issues faced was the amount of manual work required to fulfil a request. I believe this is a huge challenge for the NHS going forward, as they simply don’t have the capacity to cope now, let alone handle the anticipated increase after the introduction of the GDPR in May 2018. Where redaction was required to hide any information, this would be done manually using a black felt-tip pen, which was massively time-consuming in itself.’
  • Paper to Digital: ‘Prior to 2007, all records held by the NHS were on paper and from 2007 to date it’s probably around 50/50 – paper/electronic. All paper records were therefore required to be scanned. Any Post-It Notes or other attached notes would also need to be scanned without obscuring any content underneath’.  
  • Illegible Doctors’ Handwriting: ‘Covering notes present their own set of challenges, particularly when trying to decipher a Doctor’s handwriting!’
  • Single Sided Responses: ‘Any documents sent out as part of a response couldn’t be double-sided, so single pages only added to the amount of documentation to be issued.’

 

SAR Size and Scale

‘To give you an idea of the scale of typical requests, I believe the following to be a fair assessment:

 

Turnaround Deadlines:

‘When considering the delivery time, you have to take into account a number of factors. Firstly, an FOI request must be completed in 20 working days, and a SAR will have one month to collate after the GDPR is introduced on May 25th (previously 40 days). Crucially, a SAR’s one-month lead time means that all weekends and public holidays are included in the time allowance. Whilst the work is being undertaken, all cases must remain on the premises and be locked away when not being reviewed. This can result in a fair number of late nights, which of course can be counterproductive when you really need to be very alert.

It’s my opinion that the ICO (Information Commissioner’s Office) provide very little support other than the information provided on their website. This in itself can be challenging as it’s written in a very ‘legal’ way, so it can often feel like taking guidance rather than knowing confidently that you are delivering what’s required. I recall when I started that very little training was given other than a quick run-through of some legislation. This worried me as I soon realised how forceful lawyers and the general public can be!’

 

What Would Make the SAR Process Easier Within the NHS?

‘During my time at the NHS, I often thought about how much easier the whole process would be with technology. I accept that the manual process of scanning would still be required, but the reading and redaction process could be completed in a fraction of the time. Consider these further issues once the collation process is complete – all impacting further on time and resources:

  • The office printer being out-of-use or out of ink due to the amount of pages being printed and delaying colleagues.
  • The need to use courier services to deliver vast amounts of paperwork.
  • The need to package up various parcels to be sent via recorded delivery.
  • The need to compress files where documents can be sent via email.
  • The need to send out multiple emails due to the amount of data being sent.
  • Formats and file types that can be read by the user, as well as platform compatibility, i.e. Mac vs PC.
  • Secondment of staff to achieve delivery deadlines.
  • FOI requests delayed whilst SARs take priority.

 

Having watched a product demo, it’s my belief that the NHS and central government would benefit hugely from the Exonar software. I know that from my experience, it would have made my life in SARs delivery so much easier! The initial outlay to install the platform in Trusts across the UK would save the NHS an untold fortune, and it’s here where I believe that Exonar would provide the most value. If SARs can be produced in minutes, not days, this will significantly speed up processes, release some of the burden currently weighing heavily on the NHS and centralise patient documents, allowing for better data security. I can’t think of a single reason why the NHS shouldn’t invest in Exonar – to me, a former data handler on the front line, it’s a no-brainer!’

 

Do you work in an industry that is buckling under the pressure of SARs? We’d love to hear from you. Please retweet this blog using #SARWars and tell us all about your Subject Access Request woes!

 

 

 

CCPA – How Will New Privacy Law Impact Trade With America?

You wait years for data privacy regulations to catch up with current data processing requirements and then, like buses, two arrive at the same time.

Many UK organisations may well feel like they have been hit by a bus, given the dramatic impact that the General Data Protection Regulation (GDPR) has had since it came into force in May 2018. Following closely behind is the California Consumer Privacy Act (CCPA) 2018 (AB 375), signed into law in June 2018, which will take effect on 1 January 2020.

In a nutshell, it’s California’s answer to the GDPR. But don’t be fooled. It may look similar to the GDPR but there are nuances organisations need to understand to comply and stay on the right side of the regulations. Especially as it’s widely accepted that CCPA will set the bar for privacy rules across other US states.

California holds a key role, especially when it comes to trade with the UK. For example, the California Chamber of Commerce notes that the UK is California’s 10th largest export destination, with over $5 billion in exports.

 

CCPA versus GDPR

What do UK businesses need to be aware of? Several CCPA rights overlap with the GDPR, including the right to be informed and the right of access. The obvious difference is territorial scope: the CCPA rights apply only to California residents, whereas the GDPR protects individuals in the EU (regardless of their citizenship) and binds organisations whether or not they are established in the EU, provided they offer goods or services to, or monitor the behaviour of, those individuals.


 

Understanding the Differences

Firstly, let’s take a step back and understand the organisations that each regulation applies to. The GDPR is relatively straightforward: it applies to any organisation established in the EU that processes personal data, and to organisations outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU.

The CCPA, on the other hand, applies to for-profit businesses that do business in California and process the personal information of California residents, provided they meet at least one of three thresholds: annual gross revenue above $25 million; annually buying, receiving, selling or sharing the personal information of 50,000 or more consumers, households or devices; or deriving at least half of their annual revenue from selling consumers’ personal information.

Another key difference is the basis on which data may be used. Under the GDPR, consent is one of six lawful bases for processing (the others include contract, legal obligation and legitimate interests), and where consent is relied on it must be freely given, specific, informed and unambiguous, so it is opt-in. The CCPA instead gives consumers the right to opt out of the sale of their personal information, and requires opt-in consent only for the sale of data about consumers under 16 (with parental consent for those under 13).

 

What does CCPA mean for the rights of the individual?

One of the main aims of the GDPR is to give individuals better visibility and control over their data, so it provides a right of access, a right to rectification, a right to erasure, a right to object, and a right not to be subject to decisions based solely on automated processing. It also requires individuals to be notified of a data breach where the breach is likely to result in a high risk to them.

The CCPA gives consumers the right to know what personal information a business collects about them, how it is used and with whom it is shared or sold; the right to request deletion of that information; the right to opt out of its sale; and a guarantee of no discrimination (such as different prices or service levels) for exercising those rights.

The financial penalties also differ. Under the GDPR, organisations can be fined up to 4% of annual worldwide turnover or €20 million, whichever is higher. The CCPA gives consumers a private right of action, limited to certain data breaches, for statutory damages of $100 to $750 per consumer per incident or actual damages, whichever is greater. Separately, the California Attorney General can seek civil penalties of up to $2,500 per violation, or $7,500 per intentional violation, in addition to any remedies available under California’s unfair competition law.


 

Becoming and remaining CCPA compliant

Preparation for CCPA will share many characteristics with actions undertaken for GDPR compliance. Coordination is vital, including executive sponsors and stakeholders from legal, compliance and data privacy teams, people with oversight of technology and its security and representatives from the key personal data owners in an organisation (e.g. HR, sales, marketing, customer service).

The key is starting with a data inventory. Prioritise information stores likely to contain personal data and those with poor governance. Be practical and don’t rely on questionnaire answers alone for your data inventory, or you will get an idealised view of your risk: a head of marketing is likely to say the personal data they process is in the marketing system, forgetting that it got there via email and has since been exported into spreadsheets.

The aim is to find all relevant data within your organisation. In fact, “identifying what data you hold” was listed as a key step by the UK’s ICO as well as other national authorities in the run up to GDPR. Given how rapidly data is collected, created and stored by organisations, it would be very difficult to find this out manually.

What is correct at the beginning of this year could be wildly different in 6 months’ time, and attempting to complete tasks manually will result in a catalogue of where people think data is held and processed (usually the systems designed to hold the data, like a CRM system) rather than where data is actually held (such as in a spreadsheet extracted from the CRM system to run a regular report).

But the task of creating a data inventory does not need to be arduous: there are tools that apply big data and machine learning techniques as part of an eDiscovery and data mapping process, giving you the ability to find and categorise data rapidly and to keep doing so on an ongoing basis, so that compliance is continual rather than established at a single point in time.
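To make the inventory step concrete, here is an added example (not Exonar’s product or code) of the content-based discovery pass that tooling automates: walk a directory tree, read each text-like file and count the personal identifiers it contains, so that a CRM export sitting in a reports folder surfaces alongside the CRM itself. It goes slightly beyond the text by validating candidates with check digits (Luhn for payment cards, the NHS number’s modulus-11 digit, which also ties back to the first article) so that look-alike numbers do not inflate the inventory. The file types scanned, the patterns and the sample files written to a temporary directory are all illustrative assumptions.

```python
"""Content-based personal-data discovery over a directory tree.

Added example, not Exonar's code. File types, patterns and the sample
files below are illustrative assumptions, not a production classifier.
"""
import os
import re
import tempfile

# Extensions treated as readable text (assumption; a real tool would also
# parse xlsx/docx/pdf and mailbox formats).
TEXT_EXTS = {".txt", ".csv", ".eml", ".log"}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Payment card: 13-19 digits, optionally split by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# UK NHS number: 10 digits, conventionally written 3-3-4.
NHS_RE = re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{4}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, which every real card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def nhs_number_ok(digits: str) -> bool:
    """Modulus-11 check digit used by NHS numbers (England and Wales)."""
    if len(digits) != 10 or not digits.isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = 11 - total % 11
    if check == 11:
        check = 0
    return check != 10 and check == int(digits[9])  # 10 is never issued

def classify_text(text: str) -> dict:
    """Count validated identifiers in one document."""
    counts = {"email": len(EMAIL_RE.findall(text)), "card": 0, "nhs": 0}

    def take_card(m):
        # Validate with Luhn; blank out real card numbers so a 16-digit PAN
        # can never be re-read as an NHS number by the next pass.
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            counts["card"] += 1
            return " " * len(m.group(0))
        return m.group(0)

    remaining = CARD_RE.sub(take_card, text)
    for m in NHS_RE.finditer(remaining):
        if nhs_number_ok(re.sub(r"[ -]", "", m.group(0))):
            counts["nhs"] += 1
    return counts

def scan_tree(root: str) -> dict:
    """Map each text-like file under root that has any hits to its counts."""
    inventory = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in TEXT_EXTS:
                continue  # binary/unknown formats are skipped in this sketch
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                counts = classify_text(fh.read())
            if any(counts.values()):
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                inventory[rel] = counts
    return inventory

def build_sample_tree() -> str:
    """Write constructed sample files to a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="inventory_demo_")
    samples = {
        # The export a questionnaire never mentions: the data "lives in the CRM".
        "reports/crm_export_q1.csv": (
            "name,email,card\n"
            "A. Patient,a.patient@example.org,4111 1111 1111 1111\n"
            "B. Patient,b.patient@example.org,4111-1111-1111-1112\n"  # fails Luhn
        ),
        "clinic/discharge_notes.txt": (
            "NHS number 943 476 5919 discharged; contact c.nurse@example.org\n"
            "order ref 123 456 7890 looks similar but fails the check digit\n"
        ),
        "misc/readme.txt": "Nothing personal in here.\n",
        "misc/photo.bin": "binary noise that is never opened",
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for path, counts in sorted(scan_tree(build_sample_tree()).items()):
        print(f"{path}: {counts}")
```

Run stand-alone, the script reports the CSV export (two e-mail addresses and one valid card number) and the clinic notes (one e-mail address and one valid NHS number), while the readme and the binary file never appear. The point of the check-digit validation is visible in the sample data: the mistyped card number and the order reference both match the shape of an identifier but are rejected, which is the difference between an inventory a privacy team can act on and a list of every ten-digit string in the estate.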

 

Technology to simplify compliance

It’s clear that the tasks above are the first steps in what will be an on-going process. But these steps are crucial for any organisation that wants to get it right first time.

To simplify the compliance process, Exonar’s Privacy Dashboard can provide an easily digestible top-down view of all the information a business holds that is relevant to the GDPR and the CCPA.

Exonar’s solution achieves this by indexing files in any format from sources like cloud, file shares and mail servers, and locating passwords, customer information, credit card numbers, salaries and company confidential records.

This means all of your data, from databases to documents, is mapped and classified and able to be searched instantly – even with advanced queries. This allows users to find any information held in seconds or create visualisations to help understand data. When you understand your data, it’s easy to make decisions about what data to keep or delete and what needs to be done in order to stay compliant with regulations relevant to your business.

To find out more about the CCPA and Exonar’s solutions, visit https://www.exonar.com/ccpa/