Moving personal data between organisations will soon be much easier for local citizens. On the first anniversary of the Bailiwick’s new data protection legislation the ‘right to data portability’ comes into effect.
From 25 May, this legal right allows Islanders to request an organisation that holds their data to transport it to another organisation. This must be provided in a format that is easy to download, transfer between systems and be machine readable.
This could include moving medical records from one doctor’s surgery to another, transferring insurance policy information or retrieving a contact list from a web application. It is expected that the type of local organisations receiving data portability requests will include insurance companies, banks, travel agents, along with medical practices such as doctors’ surgeries and dentists.
Under the legislation, citizens can make requests verbally or in writing. The organisation is required to respond within one month of receipt and supply the client’s personal data in a machine readable format such as CSV or XML so that it can be easily transported and entered into another organisation’s IT systems. For complex requests, this can be extended by a further two months, but an initial response must still be given within a month. In most cases there is no fee chargeable to the individual making the request.
Emma Martins, Guernsey’s Data Protection Commissioner, confirmed that this aspect of The Data Protection (Bailiwick of Guernsey) Law, 2017 will make it easier for individuals to transfer their information and ensure companies recognise the importance of looking after their clients’ data.
‘Data portability means it will be simpler for Islanders to move their personal details from one organisation to another. Organisations themselves will be required to respond to such requests without undue delay and show they respect the legal rights of the people the data relates to.’
‘What we are seeing is when data protection is done well, it helps build and maintain trust between organisations and the individuals whose data they hold.’
The difference between data portability and the more commonly recognised ‘subject access request’ is that data portability relates to the personal data supplied or generated by the individual and not details organisations have created themselves. It also only applies to data processed electronically. When responding to a data portability request, the data must be provided in a machine readable format and not necessarily provided in a format understandable by a person.
Mrs Martins explained why organisations were given an extra 12 months commencing 25 May 2018 in which to comply with this aspect of the law.
‘As there is not one universal way that personal data is recorded and stored across all organisations it was recognised that more time was needed to prepare, so the one year transition period, which expires 25 May 2019, was granted.’