Whilst the results from the latest UK Data Protection Index, published in June, indicated that the number of Data Subject Access Requests (DSARs) companies received each month declined for the first time since the Index began, across our client base we have noticed that, of those still being received, more and more DSARs (and right to erasure requests) are coming not from individuals themselves but instead through third party portals.
Third party portals, like Mine, Rightly and TapMyData, are becoming ever more popular with the public, enabling them to submit rights requests to a whole host of organisations, sometimes, quite literally, at the click of a button.
To individuals, many of these portals market themselves as a time-saving tool to help exercise users’ rights. To organisations, they claim to reduce not just the time but also the cost involved in responding to rights requests, whilst also helping to boost consumer trust. Sounds like a win-win, but in reality, it is not so simple…
How do they work?
In short, third party portals enable individuals to submit multiple rights requests at once, saving them the hassle of going through the rigmarole of submitting a request and verifying their identity each time they want to exercise their right of access with a different organisation.
Individuals can upload their personal details, and even proof of their identity, to these portals which will then send requests on their behalf to the selected organisations. Some portals allow you to choose which organisations you would like to submit a request to, whilst others will make suggestions on which organisations will likely hold your personal data by scanning your inbox.
After the requests have been submitted, different third parties offer varying levels of support to their users. Some, such as Mine, merely submit the request on behalf of their users, leaving the individual to communicate with the organisation themselves if ID is required, and to receive the DSAR outputs directly.
Others, such as TapMyData and Rightly, provide a full end-to-end service. These portals provide organisations with a bespoke link within each email request, enabling them to access the individual’s personal details, verify their ID, and upload the requested information to the portal itself, which can then be viewed and downloaded by the individual at their leisure.
On the surface, using a third party portal seems like a good option.
From an individual’s perspective, portals enable them to manage their requests from one single website/app, making it quicker to send multiple requests and easier to manage the information received in DSAR responses. More importantly, however, portals can empower vulnerable individuals to exercise their data protection rights by providing them with a simple method by which to do so.
From an organisation’s perspective, again portals can offer a simpler way of dealing with rights requests in one place. Also, most claim that their portals provide a more secure way of sharing personal data than over email which, if true, is certainly a bonus.
Although portals do present a quick and easy way for individuals to submit rights requests, there are several requirements that must be met by a third party portal request for it to be considered valid.
Like with any other request being made on behalf of an individual, you must be satisfied that the third party has the legal authority to act on the individual’s behalf before you can action the request. This normally requires a signed letter or some other evidence of agreement. The Information Commissioner’s Office (ICO) has made it clear that this evidence should be provided when the request is made and that simply pointing you to the portal’s terms of service, which is what the majority do, is not sufficient to satisfy this requirement.
Another key consideration is the ability to verify the requester’s identity. Several portals enable requesters to upload proof of their identity (usually in the form of a photo of a driver’s licence or passport), but this section is often left blank. If you are unable to verify the requester’s ID from the information provided in the portal, you should contact the individual directly to ask for the required information. If no contact details are provided, the ICO recommends contacting the third party portal to inform them of the documentation required.
Finally, it should be noted that organisations are not required to take proactive steps to discover that a rights request has been made. If a third party portal therefore requires you to create an account and login to see the details of a request, you are not obliged to do so. Similarly, if a portal requires you to pay a fee in order to access the request, you are under no obligation to comply.
The ICO has made it clear that if there is no clear authority to act on the requester’s behalf; there is insufficient information to verify the requester’s identity; or you are required to create an account or pay a fee to respond to the request, the request will not be valid and, as such, you are not obligated to respond. Therefore, although beneficial in theory, third party portals do not always work so well in practice.
Whilst the points above mean that often there are grounds not to respond to requests made through third party portals, you should be wary of refusing to respond to all portal requests. Each portal is different and so a thorough review of each should be conducted before setting any blanket rules. In addition, you should weigh up the costs (both time and financial) of responding to third party portal requests with the potential harm to consumer trust and satisfaction that not responding to these requests may cause.
If you are hesitant about using portals to respond to data subjects, contacting the data subject directly when you receive a portal request could be your best option. However, if you do choose to respond to DSARs by uploading the files to a third party portal, make sure you do your due diligence and ensure that any personal data transferred has the appropriate protections.