The Information Commissioner’s Office has tightened up the code of practice on subject access requests (SAR), meaning that staff who use their own devices for work purposes might have to let their bosses search those devices to comply with the law.
Under the Data Protection Act, people have a right to obtain a copy of the personal data organisations hold on them by filing a SAR, which must be complied with within 40 days.
The details provided include information about the type of personal data the organisation holds, what it is used for and details of the third parties which have access.
The ICO’s new code is especially relevant to organisations that embrace a so-called “bring your own device” (BYOD) strategy.
“If you permit staff to hold personal data on their own devices, they may be processing that data on your behalf, in which case it would be within the scope of a SAR you receive,” the ICO said. “The purpose for which the information is held, and its context, is likely to be relevant in this regard. We would not expect you to instruct staff to search their private emails or personal devices in response to a SAR unless you have a good reason to believe they are holding relevant personal data.”
Under GDPR, organisations will have to respond to SARs “without undue delay and at the latest within one month”.
This article and any associated images were originally published here: http://www.dataiq.co.uk/news/ico-updates-subject-access-request-code-practice