FOIMan examines a new right to access information about yourself that will become law next year, and considers what organisations will be obliged to do to comply with it.

Summary

We’re constantly submitting information about ourselves to companies and other organisations. Everytime we sign up for a new energy deal, we have to input our details. The same if we want to move bank, or credit card. Even if we want to be able to listen to music or watch films from a streaming service. And  everytime we have to re-input those details, even though they’re more or less the same. Imagine if you could just get Apple to transfer the details you gave them to Spotify. Or ask your credit card provider to give your transaction history to their rival so you can find out if you can get a better deal.

Well…from next year you will be able to. The General Data Protection Regulation (GDPR) introduces a new “right to portability” (not potability, as it’s often misspelled – it’s not a right to your own personal drinking water). What does it involve?

What does it do?

It gives data subjects (individuals) a right to be provided with information they have provided to data controllers (businesses and other organisations) in a machine-readable and re-usable format. If the data subject prefers, data controllers will have to transfer their data directly to another data controller.

What does it cover?

Data provided by the data subject that is being processed by automated means (i.e. this won’t apply to data held in paper files) where the data controller relies on consent or a contract with the data subject to justify collection and use of the data (from the list of conditions at Article 6).

According to the Article 29 Working Party (A29WP), data which the data subject has “provided” will include both the information supplied directly by the data subject, but also raw data collected from observation such as smart meter data, activity logs, web usage or search history. It won’t cover any data that results from analysis of the observed data.

Some facts about portability

• you’re expected to remind people of this right whenever you collect data directly from them, and also tell them if you start collecting data by “observation” within a month
• requests for data to be “ported” will have to be processed “without undue delay”, and normally no later than a month after receipt of the request
• fees can only be charged where a request is “manifestly unfounded or excessive”; the A29WP comment that this is going to be rare with portability requests as the data should be relatively easy to extract, prepare and disclose given that the right only applies to automated data
• data must be disclosed “in a structured, commonly used and machine-readable format”; the A29WP interprets this as a format supporting re-use and suggests commonly used open formats should be used for release such as CSV, XML or JSON
• where there are reasonable doubts about the identity of a requester, proof of ID can be requested; this is perhaps less likely to be an issue with portability requests than with, say, subject access requests, as in most cases there will be existing methods to authenticate a person’s identity (e.g. username and password)
• when a data controller complies with a request to transfer data, they are responsible for its security during transfer – for example, by using end-to-end encryption. Once it gets to its destination however, the recipient is responsible for it – whether that be the data subject or another data controller to which the data has been transferred
• generally data being ported is still subject to the data protection principles and other GDPR rules; e.g. data subjects should be able to restrict what data is transferred and data controllers in receipt of data should not process more of it than they need
• contracts with other companies that process data on the data controller’s behalf (i.e. data processors) should specify requirements to facilitate portability requests
• Article 20 specifies that the right to portability shall not adversely affect the rights of others; third parties have rights too.
  • This doesn’t mean that, for example, where someone crops up in the data subject’s bank account as a payee, a bank would have to redact their details before transferring the data.
  • However, in certain cases (A29WP cite social networks as an example) it will be appropriate to seek third parties’ consent at any point where they transact with the data controller (e.g. Facebook’s privacy permissions might indicate that a “friend” could seek to export their account data including data about their friends; the privacy permissions portal might allow individuals to indicate that they don’t want their data to be included in such exports).
  • Where data is transferred to another data controller, that organisation won’t be able to extract the details of third parties from the data and, for example, send them marketing using those details.
• it’s worth noting that many companies already provide facilities to “port” data; a government initiative in the UK called “MiData” has been working towards developing an industry standard here for some years. If you’ve ever downloaded your bank statement as a spreadsheet, you’ve effectively made a data portability request. GDPR, though, now makes this a right, and potentially there will be many businesses in particular who haven’t worried about this that will now have to prepare for the possibility of receiving such a request.

Further reading

The above are just my notes and thoughts on how portability will work. For further (and more authoritative) information, consult the following:

• Regulation (EU) 2016/679 (GDPR) Article 20 (data portability) and Article 12 (general rules covering rights of individuals)
• Guidelines on the Right to Data Portability, Article 29 Data Protection Working Party, 16/EN, WP 242 Rev.01, 5 April 2017

Note: I’ll be delivering a webinar on the portability right for Act Now Training on 23 June 2017. Visit their website for further details.