Freedom Of Information (FOI):
Government bodies are obliged to handle FOI requests in a similar way to SARs. The key difference is that no personally identifiable data must be provided: only generalities and statistics. In practice, publishing a dashboard of Key Performance Indicators (KPI) places such data in the public domain and minimises FOI administration costs. A dashboard of actual Service Level Agreement (SLA) results could likewise be put in the public domain to minimise FOI costs.

Subject Access Request (SAR):
Every person (in the UK) has the right to request a copy of all data pertaining to them, to be provided by any company within 40 days. A nominal ten pound fee may be charged to cover the costs of copying all the data and providing it to the person.
Failure of a UK company to comply is subject to fines by the UK Information Commissioner's Office. This is all covered by the European Data Protection regulations and can be expected to be very similar in all parts of Europe.

SAR Administration:
An HRM SAR registration service is provided where each SAR is formally documented and an invoice is sent for payment of the ten pounds in advance of any work being approved. A key factor is the formal identification of the person involved: people can only request data about themselves, not about others. Once payment has cleared, the person is informed that the SAR work has started and will be completed within 40 days. Where data is coded, an explanation of the codes must be provided in a human-readable format.

SAR Deployment:
SAR costs can be dramatically reduced by simply providing people with on-line sign-in rights so they can see their own data and correct errors. Sign-in rights give the impression that nothing is hidden and everything is transparent, and SAR delays are avoided. The relationship with each person who checks their own data from time to time is improved. Every sign-in is recorded so abuse can be avoided: people could be charged ten pounds to sign in to see their own data if they abuse the privilege.

Data Protection Act (DPA):
The DPA demands that every field stored has a documented business purpose, and that purpose must match the person's expectations when providing that data. This means that data such as gender, religion, ethnic group and even age must only be stored when a real business purpose has been documented.
For example, a person won damages from a corporation after being asked their gender when applying for a job. The only business purpose for collecting a person's gender is to discriminate against them on the basis of gender; otherwise the data is captured for no business purpose, and that is illegal.
Simply documenting the business purpose for which each field is stored is protection against such claims of discrimination. The business purpose of each field should be included with an SAR reply to prove DPA compliance and avoid a claim for damages.