A new section, member tasks → subject access request, automates gathering the data needed to fulfil a GDPR subject access request. We keep the data as a formal record of the request.

Background

A subject access request is the usual term for a request, under Article 15 of the GDPR, by a person for the personal information an organisation holds about them. They are entitled to a copy of that information, usually within a month. You should probably ask for identification before supplying data.

Previously, this was a laborious, time-consuming process. For the information held in Cameo, it is now automatic.

Export the data

In member tasks → subject access request:

  • select the membership to export data for (Fig 1: 1)
  • press the download data button (Fig 1: 2)

Only administrators may do this.

Except for file attachments, we export data as YAML. These records are readable by both humans and machines.

Where a record refers to more than one membership record (for example, certain letters and notifications), we include a placeholder instead. If the person making the request insists on receiving these, it will be necessary to locate a copy manually and redact the information not pertinent to them.

We retain Subject Access Requests produced in this way until you delete the membership. Find previous requests both here and in the change history for the membership.

Personal data may also be present in other systems, for example accounting software or email sent by hand. Sometimes these duplicate the information in Cameo, in which case you do not need to trawl for it or supply it. But where unique emails exist elsewhere and the request asks for these, you must undertake a search.

Personal data includes things like notes added to the record. You should always assume anything you write is discoverable. Keep it polite!

Data included

The file includes the following data:

  • membership record
  • change history
  • member attachments (and metadata)
  • bank transactions (the type and amount of each attribution and the date and description of the transaction)
  • event bookings
  • emails sent to them, and attachments
  • letters (including metadata), but redacted if other memberships included
  • invoices, purchase orders and quotations (trading documents) and attachments
  • notifications, but redacted if these also concern other people
  • pending renewals (though these are transient, so will only rarely appear)
  • questionnaire responses
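As an added illustration (not Cameo's own code or export format), the script below assembles a bundle of the kinds of record listed above for one membership, applying the rule described earlier: a record that refers only to the requester's membership is included in full, while one that also concerns other memberships is replaced by a placeholder for manual handling. The record shapes, identifiers and the `record_request` history entry are assumptions constructed for the example; the YAML emitter is a minimal one written here to avoid a library dependency.

```python
# Added example, not part of Cameo. Record shapes, ids and field names are
# constructed for illustration.
from dataclasses import dataclass

# Substituted for any record that also concerns other memberships.
PLACEHOLDER = "[withheld: record also concerns other memberships; locate and redact manually]"


@dataclass(frozen=True)
class Record:
    kind: str              # e.g. "email", "letter", "notification"
    ref: str               # record identifier (constructed)
    memberships: frozenset # membership ids the record refers to
    body: dict             # the record's own fields


# Constructed sample data: M100 is the requester, M204 is someone else.
SAMPLE = [
    Record("email", "E1", frozenset({"M100"}), {"subject": "Welcome", "sent": "2024-01-05"}),
    Record("letter", "L7", frozenset({"M100", "M204"}), {"subject": "AGM notice", "sent": "2024-03-01"}),
    Record("notification", "N3", frozenset({"M100"}), {"text": "Renewal due"}),
    Record("email", "E9", frozenset({"M204"}), {"subject": "Other member", "sent": "2024-02-02"}),
]


def build_bundle(membership_id, records):
    """Group the requester's records by kind, with placeholders for shared ones.

    Records that do not mention the requester at all are skipped, so data
    about other people never enters the bundle.
    """
    bundle = {}
    for r in records:
        if membership_id not in r.memberships:
            continue
        if r.memberships == {membership_id}:
            entry = {"ref": r.ref, **r.body}
        else:
            entry = {"ref": r.ref, "content": PLACEHOLDER}
        bundle.setdefault(r.kind, []).append(entry)
    return bundle


def to_yaml(bundle):
    """Emit the bundle as simple YAML (string values only, quoted)."""
    lines = []
    for kind, entries in bundle.items():
        lines.append(f"{kind}:")
        for entry in entries:
            for i, (k, v) in enumerate(entry.items()):
                prefix = "  - " if i == 0 else "    "
                lines.append(f'{prefix}{k}: "{v}"')
    return "\n".join(lines) + "\n"


def record_request(history, membership_id, produced_on):
    """Append a formal record of the request to the membership's change history."""
    history.append({"membership": membership_id,
                    "event": "subject access request produced",
                    "date": produced_on})
    return history


if __name__ == "__main__":
    bundle = build_bundle("M100", SAMPLE)
    print(to_yaml(bundle))
    print(record_request([], "M100", "2024-06-01"))
```

Running it prints the requester's email and notification in full, the shared letter as a placeholder, and nothing from the other member's email.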

The section also lists any previous subject access requests made by that person (Fig 1: 3). This also ensures you have a formal record of having produced it.

Fig 1: making a subject access request