By Robin Wilton, Technical Outreach for Identity and Privacy, The Internet Society
Subject Access Requests
What is the data controller’s perspective on subject access requests (SARs)? The bottom line is that, for data controllers, responding to subject access requests requires preparation, investment and effort.
Finding the right data to respond can be non-trivial; application silos, missing metadata/keywords/indexing, constantly-increasing volumes of data: all increase the cost of servicing SARs. Data may need redaction for 3rd party names or confidential information; this requires subjective judgement.
These factors make SAR responses increasingly hard to automate without raising the risk of privacy and compliance problems.
Three themes to address
First: the shift from identifiers to ‘big data’ and attributes. Traditionally, identity is “what you get by being issued with a credential by a trusted source”. The “modern” model of identity is “what can be inferred from attributes and metadata”, even if those come from less trusted sources.
Linkability in large datasets depends less and less on ‘traditional” identifiers, and more on attribute and inference data.
Second: “friction” in online service provision. Service providers make it easy to sign up, but hard to unsubscribe. Even if a user unsubscribes, service providers may retain data about that user.
There’s no financial incentive for service providers to encourage disengagement; the benefit of retaining user data is considered to outweigh the potential cost of remaining responsible as a data controller.
Third: monetization of personal data is a complex ecosystem with several “food chains”, mostly invisible to the user. With each step, users’ awareness of and ability to control data about them decreases, with corresponding privacy risk.
Users have little ability to control what is done with data that has an actual or potential impact on them. With big data, the impact on an individual’s privacy and self-determination is increasingly likely to originate in data about others, and inferences drawn from it.
It is no longer necessary for you to display a pattern of consumer behaviour, provided you reveal some piece of data which places you in a particular consumer category. The behaviour of others is enough to produce an impact on you.
If we only consider subject access to those entities the data subject knows about, we will miss many of the cases that result in privacy impact on the individual.