Ownership only exists under Records Management
Ownership is 9 tenths of the law? A few weeks ago I saw a query about Subject Access Requests. It was about whether you would give out documentation if belonged to someone else. Even I got my ropes taffled and nearly strangled myself, so I am writing this post to discuss the finer detail.
In record management terms, the ownership of documents is something that sounds wholly normal. As a rule, you are not required to keep documents that do not belong to you. Unless the transfer of ownership has occurred – and you’re told – you basically only have a copy of the original. It’s the original which has a retention period applied to it. This is why if you’re tackling your email inboxes always focus on sent items, not on the inbox itself. If you don’t need the documents you’re given you should use the action of ‘weeding’ to get rid of them. You should always be able to go back to the originator to get another copy if needed. That is unless you write on the bottom of it and ‘create’ a new record.
However, under Data Protection there isn’t a concept of ‘ownership’. You are responsible for the documents in your files regardless of who wrote them. Where does this apply to the scenario though? If you receive a Subject Access Request and you have documents that were written by another organisation, you will want to know if the person who wrote it thinks it should be released. Equally, I’m sure the other organisation would like to know if documents they originally wrote were being released.
Working with Organisations
In a previous life, I used to temporarily redact all of those records. I would then go out to the organisation to ask for their opinion (important note: not their consent). Sometimes I would wait for a definite opinion. Other times I gave a time frame for responding if I thought the content wasn’t of any particular harm. However, that is a risk you take as the Data Controller. An organisation may come back and says they don’t think you should release it. If you decide to go ahead, you are responsible for any resulting issues. Equally, if you choose not to release it, you need to give a specific reason why you didn’t. For example, because it would cause harm to the subject or someone else if released.
In recent weeks, I’ve seen many ‘I r baboon’ agreements flying around. Some of these ‘Me Data Controller; you Data Processor’ agreements even contain a clause stating that they need to know about any Subject Access Request for documentation. This can cause confusion if these records only form 1% of a much bigger file.
The point of this really is that you need to be aware of the differences between records management and data protection terminology. You cannot palm the requestor off to the original writer of the records. You cannot redact the records and refuse to give access to them. It’s important to work with the organisations and other bodies that have contributed records to your files. Document your rights procedures so you know what to do in the event of information requests. If you have lots of documents in your files from other organisations you have to make the decision on whether to release them.
For those who are reluctant to engage in this process because can no longer charge, unfortunately, it’s too bad. Subject Access Requests are free (unless it can be proven that they are excessive or unfounded – which is a completely different discussion!).
You need to have good relationships with organisations to enable a quick turnaround for requests. Give deadlines for them to respond and send chasers. Do whatever you have to do to uphold someone’s right of access. If it was your request for information, you’d want a swift response!
Like this blog post, please see other posts here.
If you enjoyed my content, please consider buying me a virtual G&T or three here.