DATA PORTABILITY POLICY
[Organisation name] respects the Right to data portability in accordance with GDPR
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability. It enables consumers to take advantage of applications and services which can use this data to find them a better deal, or help them understand their spending habits.
The right to data portability only applies:
to personal data an individual has provided to a controller
where the processing is based on the individuals consent or for the performance of a contract and
when processing is carried out by automated means.
[Organisation name] will respond to any request without undue delay, and within one month.
This can be extended by two months where the request is complex or [Organisation name] receive a number of requests. [Organisation name] will inform the individual within one month of the receipt of the request and explain why the extension is necessary.
Where [Organisation name] is not taking action in response to a request, [Organisation name] will explain why to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy without undue delay and at the latest within one month.
DATA PORTABILITY PROCEDURE
[Organisation name] will provide the personal data in a structured, commonly used and machine readable form. Open formats include CSV files. Machine readable means that the information is structured so that software can extract specific elements of the data. This enables other organisations to use the data.
The information must be provided free of charge.
[Organisation name] will use secure encryption and necessary authentication to ensure that data is private, safe and secure and only transmitted to the authorised person(s).
If the personal data concerns more than one individual, [Organisation name] will consider whether providing the information would prejudice the rights of any other individual.
SOME THOUGHTS ON ENCRYPTION
What follows is a discussion on data encryption, and notably encrypted email. This is not guidance, but hopefully may help inform your judgement and your decision about what is right for your data privacy, your organisation and peoples needs.
If I send you an email inviting you to the pub for a drink on Friday I personally think that can be in a plain text email. There is nothing secret or sensitive about that.
If I send you details of my bank account and sort-code, and perhaps a photo of my passport and driving licence then maybe I should password protect the document or put in a .PDF or .Zip file and password protect that.
The email can be plain text, but the attachment is in a protected file. However the password protection in word, excel and powerpoint are weak so whilst better than a plain text email this will not deter a serious hacker.
I could choose to use proper professional encryption like egress or galaxkey. Indeed, some government departments insist that you communicate with them using tools like these. There are certainly advantages. But there are disadvantages too.
There is no point in encrypting a message if the person at the other end cannot decrypt the message and using specialist tools may limit who you can send messages too. This can be a good thing!
Some proper professional encryption tools are expensive and confusing for some users.
In some cases, you can send a link to a file or record and require the person to log-in to see it. This allows you to control who can login and see data.
Sending special category data in a plain text email is high risk. Consider carefully what is the best approach in your circumstances. Use a Data Processing Impact Assessment DPIA to guide and record your decision.
FORM
| HEADING | CONTENT |
| CONFIRMED ADDRESEE The person to whom the data is being sent must be authorised and validated (eg photo-ID or similar) | |
| CONFIRMED DESTINATION The email address, postal address to which the data is being sent must be authorised and validated (eg registered office address) | |
| CONFIRMED DATA The data must be correct without error or omission, or inclusion of other data (eg other peoples data) Unless the person to whom the data is being sent specifically asks in writing- for it to be unencrypted any electronic data should be in encrypted format with the password sent be different means. |
| HEADING | CONTENT |
| DELETION OR DESTRUCTION Where data is being moved there may be a requirement to delete the data once the data-subject has their copy. Deletion outside of normal retention policies should only happen when the person to whom the data is being sent specifically confirms in writing- that they have received their data and that it is OK to delete. |
Signed
Data Protection Officer or Equivalent
Signed
Director or Equivalent
