[MyData & Open Data] Tool for subject access requests - would it work in the UK?

Phil Booth phil at einsteinsattic.com
Thu Jun 18 14:59:05 UTC 2015

Hi Aleksi,

I guess I'm one of the "various others" who Reuben refers to - though he may
not necessarily know. I looked into this quite a bit during the last couple
of years when I was coordinating NO2ID (post-HMRC Child Benefit discgate,
2008-2010ish) as part of investigating the possibility of 'mapping the
database state' - so public, not private sector focussed. But the problems
are largely similar.

Reuben is correct, I think, that in the UK there is very little chance that
anyone hosting such a service would not be considered a data controller -
unless they took extreme measures, such as organisations like Mydex
(www.mydex.org - declaration of interest: I have provided them with
independent advice) have taken; essentially using crypto & contract to
ensure that the individual him/herself (the data subject) is deemed the data

The conclusion I arrived at in 2010 was that SAR could be useful for the
purpose I was looking into, but only as a process where 'vanguard'
individuals were supported on a potentially quite long, frustrating and
costly journey. 'Fully automated SAR' didn't look viable in our
legal/regulatory regime. Maybe some sort of automated 'hand-holding' type
support would be?

N.B. with medConfidential, we are taking a somewhat different approach:
'Data Usage Reports', i.e. on-demand (free) releases to the individual
concerned about who's had access to their data, and for what purpose(s).
Effectively a 'statement' of data use/data sharing. This has now been
incorporated into the 5-year plan for the NHS' Information Strategy, and we
are exploring its wider applications.

It turns out that a copy of your data - while useful for spotting errors,
etc. - actually isn't that useful for a bunch of other things that people
really care about. And, at a tenner a time, unless you have a really good
reason for checking exactly what personal data a bunch of entities think
they hold about you, it could quite quickly become very expensive.



-----Original Message-----
From: mydata-open-data [mailto:mydata-open-data-bounces at lists.okfn.org] On
Behalf Of Reuben Binns
Sent: 18 June 2015 14:27
To: aleksi.knuutila at gmail.com
Cc: mydata-open-data at lists.okfn.org
Subject: Re: [MyData & Open Data] Tool for subject access requests - would
it work in the UK?

Dear Aleksi,

This is something I and various others have been thinking about doing for a
while. The first group to do this as far as I know is the Dutch digital
rights group Bits of Freedom - see https://pim.bof.nl/

We began working on a UK version at the last Open Rights Group hack day but
didn't get very far.


The main difficulty is that if you host such a service, you will probably
become a data controller. If you're up for that and the responsibilities it
involves, I'd say go for it!


On Thu, 2015-06-18 at 12:00 +0000,
mydata-open-data-request at lists.okfn.org wrote:
> Send mydata-open-data mailing list submissions to
> 	mydata-open-data at lists.okfn.org
> To subscribe or unsubscribe via the World Wide Web, visit
> 	https://lists.okfn.org/mailman/listinfo/mydata-open-data
> or, via email, send a message with subject or body 'help' to
> 	mydata-open-data-request at lists.okfn.org
> You can reach the person managing the list at
> 	mydata-open-data-owner at lists.okfn.org
> When replying, please edit your Subject line so it is more specific 
> than "Re: Contents of mydata-open-data digest..."
> Today's Topics:
>    1. Tool for subject access requests - would it	work in the UK?
>       (Aleksi Knuutila)
> ----------------------------------------------------------------------
> Message: 1
> Date: Thu, 18 Jun 2015 00:02:42 +0100
> From: Aleksi Knuutila <aleksi.knuutila at gmail.com>
> To: mydata-open-data at lists.okfn.org
> Subject: [MyData & Open Data] Tool for subject access requests - would
> 	it	work in the UK?
> Message-ID:
> 	<CANMi9UUgepgcYaW19KH_Nh9tffxp+m2HsJrcM-vjUbqc_SQ+Ug at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
> Dear all,
> I've been inspired by a service that exists in Germany for making 
> requests for personal data from public and private organisations, 
> namely selbstauskunft.net, which appears to have made a significant 
> impact. The same rights to data exist throughout the EU, and as I'm 
> sure you know in the UK it goes by the name of subject access 
> requests. Does anyone know whether there has been an attempt to create 
> a good tool for making the process easier in the UK, or whether there 
> is a substantial reason it wouldn't work here? Germany has the benefit 
> that one request per year is free, while most organisations in the UK 
> want cheques. I know there have been some calls for such a service before,
for instance here:
> http://ideas.okfn.org/ideas/358/give-me-my-data-online-crowd-sourcing-
> platform/
> Very best wishes,
> Aleksi
> -------------- next part -------------- An HTML attachment was 
> scrubbed...
> URL: 
> <http://lists.okfn.org/pipermail/mydata-open-data/attachments/20150618
> /6db5a06e/attachment-0001.html>
> ------------------------------
> Subject: Digest Footer
> _______________________________________________
> mydata-open-data mailing list
> mydata-open-data at lists.okfn.org
> https://lists.okfn.org/mailman/listinfo/mydata-open-data
> ------------------------------
> End of mydata-open-data Digest, Vol 28, Issue 4
> ***********************************************

mydata-open-data mailing list
mydata-open-data at lists.okfn.org

No virus found in this message.
Checked by AVG - www.avg.com
Version: 2015.0.5961 / Virus Database: 4365/10045 - Release Date: 06/18/15

More information about the mydata-open-data mailing list