In our last post on data privacy, we discussed the current state of data privacy legislation in Europe and the US. Recent data privacy legislation has impacted organizations across the board in terms of how they handle the data of individual data subjects and data privacy has made a significant impact on eDiscovery workflows that support litigation and other use cases. It’s even creating brand new workflows that didn’t previously exist to support requests from individual data subjects.
Use of “Attorneys Eyes Only” Designations and Protective Orders in Litigation
Data privacy considerations have caused an increase of protective orders and “Attorneys Eyes Only” (AEO) designations in litigation to protect the personal data of individual data subjects. These safeguards have been necessary to ensure the ability to proportionally discover relevant ESI in litigation, while protecting the privacy rights of individuals.
Importantly, there has been considerable debate regarding whether privacy can even be considered a “burden” under the proportionality analysis required by Federal Rule of Civil Procedure Rule 26(b). Two essay articles recently published in Judicature by the Bolch Judicial Institute of Duke Law School provided a point/counterpoint on the topic, with Robert Keeling and Ray Mangum of Sidley Austin LLP, arguing in this article that privacy should be considered a burden under Rule 26(b), while Chief Judge Lee H. Rosenthal of the Southern District of Texas and Professor Steven S. Gensler of the University of Oklahoma College of Law argued in this article that Rule 26(c), which governs the use of protective orders, is best suited to protect privacy in discovery. We should anticipate more debate within the legal community about privacy and proportionality and more case law as well as this remains a divided topic.
Reduction of Data Generated During eDiscovery Workflows
One of the biggest challenges in eDiscovery is the duplicate copies of ESI that is generated during a typical eDiscovery workflow – copies can be generated during collection, processing, review, production, and preservation. This leads to multiple potential areas of vulnerability for personal data within the process and greater risk of inadvertent disclosure of personal data. Those concerns have been one factor to cause eDiscovery teams to push more of the culling and filtering further left within the EDRM model so that less data is pushed downstream, reducing data privacy risk.
Identifying PII in Data Collections
As recently as seven years ago, panelists at an education session at Georgetown Law School’s Advanced eDiscovery Institute discussed issues associated with privacy in eDiscovery and it was evident that many considered privacy as an after-thought. That’s not the case today. eDiscovery workflows now commonly include leveraging technology to identify Personally Identifiable Information (PII).
Approaches to PII can be as simple as pattern matching through regular expressions to locating personal data such as social security numbers, phone numbers, credit card numbers and more. The use of machine learning and AI technologies can also be utilized to train algorithms to locate more complex personal data, such as Protected Health Information (PHI), ethnic origin, political opinions, religious beliefs and more. The requirement to identify PII is so common these days that many of these mechanisms are automated and can identify and highlight PII in a matter of minutes. Once identified, steps are taken to protect individuals’ PII, including redaction and/or encrypting productions.
Data Subject Access Requests
Data privacy considerations have even created entirely new discovery workflows to support increased demand for requests for the return of personal information in organizations’ systems. Data Subject Access Requests (DSARs) are the mechanism by which individuals can request information about the way companies handle their personal information. They’re also commonly referred to as Subject Access Requests (SAR), Data Subject Requests (DSR), or Subject Right Requests (SRR). DSARs typically include:
- Contact information of the data subject (including name, email address, and phone number).
- The type of request, which typically falls into one of the following categories: 1) Identify the information you collect on customers, 2) Identify the information you collect on me, 3) Delete my information, or 4) Take my data elsewhere.
- An open description field where the data subject can provide additional description to their request.
A DSAR can be submitted at any time by any individual for whom data is being tracked by the organization. Even though the information produced is much more targeted than it is for a typical litigation case, it still requires the ability to leverage the same technology and similar workflows used in litigation. Essentially, any organization today storing data about individuals has a need to support discovery, whether they have a litigation portfolio or not.
Data privacy considerations have been a significant driver for change in eDiscovery and litigation resulting in new workflows to protect personal data and to respond to requests for its return or deletion. You can’t address discovery of ESI anymore without also addressing protection of personal data that may be included in that ESI. Next time, we will dive into some of the impacts that data privacy is driving in the information governance arena. Stay tuned!
For more regarding Cimplifi support for DSARs & small matter workflows, click here.