[MyData & Open Data] Tool for subject access requests - would it work in the UK?
phil at einsteinsattic.com
Thu Jun 18 14:59:05 UTC 2015
I guess I'm one of the "various others" who Reuben refers to - though he may
not necessarily know. I looked into this quite a bit during the last couple
of years when I was coordinating NO2ID (post-HMRC Child Benefit discgate,
2008-2010ish) as part of investigating the possibility of 'mapping the
database state' - so public, not private sector focussed. But the problems
are largely similar.
Reuben is correct, I think, that in the UK there is very little chance that
anyone hosting such a service would not be considered a data controller -
unless they took extreme measures, such as organisations like Mydex
(www.mydex.org - declaration of interest: I have provided them with
independent advice) have taken; essentially using crypto & contract to
ensure that the individual him/herself (the data subject) is deemed the data
The conclusion I arrived at in 2010 was that SAR could be useful for the
purpose I was looking into, but only as a process where 'vanguard'
individuals were supported on a potentially quite long, frustrating and
costly journey. 'Fully automated SAR' didn't look viable in our
legal/regulatory regime. Maybe some sort of automated 'hand-holding' type
support would be?
N.B. with medConfidential, we are taking a somewhat different approach:
'Data Usage Reports', i.e. on-demand (free) releases to the individual
concerned about who's had access to their data, and for what purpose(s).
Effectively a 'statement' of data use/data sharing. This has now been
incorporated into the 5-year plan for the NHS' Information Strategy, and we
are exploring its wider applications.
It turns out that a copy of your data - while useful for spotting errors,
etc. - actually isn't that useful for a bunch of other things that people
really care about. And, at a tenner a time, unless you have a really good
reason for checking exactly what personal data a bunch of entities think
they hold about you, it could quite quickly become very expensive.
From: mydata-open-data [mailto:mydata-open-data-bounces at lists.okfn.org] On
Behalf Of Reuben Binns
Sent: 18 June 2015 14:27
To: aleksi.knuutila at gmail.com
Cc: mydata-open-data at lists.okfn.org
Subject: Re: [MyData & Open Data] Tool for subject access requests - would
it work in the UK?
This is something I and various others have been thinking about doing for a
while. The first group to do this as far as I know is the Dutch digital
rights group Bits of Freedom - see https://pim.bof.nl/
We began working on a UK version at the last Open Rights Group hack day but
didn't get very far.
The main difficulty is that if you host such a service, you will probably
become a data controller. If you're up for that and the responsibilities it
involves, I'd say go for it!
On Thu, 2015-06-18 at 12:00 +0000,
mydata-open-data-request at lists.okfn.org wrote:
> Send mydata-open-data mailing list submissions to
> mydata-open-data at lists.okfn.org
> To subscribe or unsubscribe via the World Wide Web, visit
> or, via email, send a message with subject or body 'help' to
> mydata-open-data-request at lists.okfn.org
> You can reach the person managing the list at
> mydata-open-data-owner at lists.okfn.org
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of mydata-open-data digest..."
> Today's Topics:
> 1. Tool for subject access requests - would it work in the UK?
> (Aleksi Knuutila)
> Message: 1
> Date: Thu, 18 Jun 2015 00:02:42 +0100
> From: Aleksi Knuutila <aleksi.knuutila at gmail.com>
> To: mydata-open-data at lists.okfn.org
> Subject: [MyData & Open Data] Tool for subject access requests - would
> it work in the UK?
> <CANMi9UUgepgcYaW19KH_Nh9tffxp+m2HsJrcM-vjUbqc_SQ+Ug at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
> Dear all,
> I've been inspired by a service that exists in Germany for making
> requests for personal data from public and private organisations,
> namely selbstauskunft.net, which appears to have made a significant
> impact. The same rights to data exist throughout the EU, and as I'm
> sure you know in the UK it goes by the name of subject access
> requests. Does anyone know whether there has been an attempt to create
> a good tool for making the process easier in the UK, or whether there
> is a substantial reason it wouldn't work here? Germany has the benefit
> that one request per year is free, while most organisations in the UK
> want cheques. I know there have been some calls for such a service before,
for instance here:
> Very best wishes,
> -------------- next part -------------- An HTML attachment was
> Subject: Digest Footer
> mydata-open-data mailing list
> mydata-open-data at lists.okfn.org
> End of mydata-open-data Digest, Vol 28, Issue 4
mydata-open-data mailing list
mydata-open-data at lists.okfn.org
No virus found in this message.
Checked by AVG - www.avg.com
Version: 2015.0.5961 / Virus Database: 4365/10045 - Release Date: 06/18/15
More information about the mydata-open-data