Control measure: Information is provided to the requestor in a suitable format.
Risk: People may not be able to access or understand information provided in an unsuitable format, resulting in a complaint or delays. This may breach UK GDPR articles 15 and 32.
Ways to meet our expectations:
- Provide information in a commonly used electronic format, or another format, if requested.
- Ask what format the requestor prefers the information in, before fulfilling the request.
- Provide information in a secure way.
- Assess whether it is appropriate to provide original copies of documents containing personal information, or a transcript or extract with the personal information.
Options to consider:
- Check storage limits on outgoing emails.
- Encourage the requestor to provide a named email account for you to send the information to, not a shared business or family mailbox.
- Send information with read and delivery receipts, or use tracked signed-for delivery, if posting.
- Mark information clearly as confidential and for the named recipient only.
- Use secure passwords and separately send these passwords directly to the requestor for them to use to open the information.
Control measure: Information is provided to help people understand the response.
Risk: If people do not understand the information or feel their request is not answered, they may be dissatisfied or complain, potentially causing reputational damage. This may breach UK GDPR Articles 12 and 15.
Ways to meet our expectations:
- Send a cover note or letter with the response, explaining clearly what searches you have completed and an overview of the information that you have provided.
- Explain any information that people may not understand (eg codes, handwritten notes, or acronyms).
- Explain the purposes of the processing.
- Use clear, plain, non-technical language when providing explanations.
- Have a clear formal process for people to complain or appeal about decisions you’ve made about their request.
Options to consider:
- Include a paragraph at the end of the response inviting requestors to raise concerns if they are unable to understand any part of the response, or it isn’t clear.
- Use examples of anonymised feedback to help train staff in delivering clear and transparent information.
Control measure: Decisions to withhold information from responses are explained clearly to requestors.
Risk: If people believe information has been withheld unlawfully, they may be dissatisfied or complain, potentially causing reputational damage. This may breach UK GDPR article 15.
Ways to meet our expectations:
- Send a cover note or letter with the response, explaining clearly what information you have withheld and why.
- Use clear, plain, non-technical language when providing explanations.
- Have a clear formal process for people to complain or appeal about decisions you’ve made about their request.
Options to consider:
- Produce template text that staff can use to explain redactions or exemptions.
- Test template text with a non-technical audience to ensure it is easy to understand.
Control measure: People are given direct access to their information, if requested or required.
Risk: If direct access is not provided, people may be dissatisfied or complain to the ICO. This may breach UK GDPR article 15.
Ways to meet our expectations:
- Allow people to view information in person on site if they request this.
- Allow people to view information using a secure online portal they can easily access.
Options to consider:
- Have a designated screen or area that staff can use to allow people to have direct access, where required.
- Have a named staff member to accompany people on site, who can explain information to them.
- Check people’s identity on their arrival on site.
- Issue people with a code to access the online portal easily and securely.
Control measure: Access to information provided is tracked to identify the source of any further disclosures.
Risk: Without tracking, it may be unclear if information provided has been subject to a personal data breach. This may breach UK GDPR articles 30 and 32.
Ways to meet our expectations:
- Address responses and information clearly with the person’s name.
- Keep the contact information you hold up-to-date.
- Keep a log of who has had access to the information you’ve disclosed and regularly review access controls.
- Keep an accurate and up-to-date record of processing activities.
Options to consider:
- Mark information clearly as confidential and for the named recipient only.
- Apply a watermark to the information you provide (eg ‘recipients copy’), so you can clearly identify the source of further disclosures.