The Requests page is where Data Request Managers manage all outstanding subject rights requests and view information about completed requests.

This page contains a list of all requests submitted to your company along with the following details:

  • Request ID - A generated unique id for the request.
  • Requestor Email - The email address of the person making the request.
  • Due - The due date and time for the request.
  • Form Name - The name of the form the requestor used to submit the request.
  • Organizations - The organizations associated with the form used to submit the request.
  • Created - The date the request populated within the Osano Web App.
  • Last Updated - The last date the request was updated.
  • Status - The current status of the request. Text will appear in red when the request is past due and has not been rejected or completed. List of possible statuses:
    • Pending Identity Verification - Awaiting on a Data Requests Manager to verify or reject the requestor’s identity.
    • 0/0 Action Items Complete - Awaiting on a Data Requests Manager to manually determine a course of action as no created data stores contain fields classified as containing personal data. This status generally indicates a form was exposed to subject rights requestors prior to completing the necessary data store set up.  
    • 0/n Action Items Complete - Awaiting on Datastore Owners to complete action items.
    • n/n Action Items Complete - Awaiting on a Data Requests Manager to review the request and mark it rejected or complete.
    • Rejected - Request was rejected and an email was sent to the original requestor informing them of the rejection and rationale.
    • Completed - Request was completed and an email was sent to the original requestor with details relevant to their request.

Clicking anywhere on a request row will open the Request Details page for the request:

In the Request Information section you can see all the information the subject rights requestor submitted through the hosted web form along with the Request ID, Due Date, and Updated date.

In the Notes section, you can enter any notes relevant to the request and click the floppy disk icon to save these notes. These notes are for internal use only and are never shared with the requestor.

To the right of the Notes section will appear either the Awaiting Email Verification section, the Verify Identity section, or the Assigned Action Items section depending on how far the request is in the Subject rights (DSAR) workflow.

When the requestor has submitted their request but not yet responded to the email to verify they are a human the Awaiting Email Verification section will appear.

When the requestor has responded to this email but the Data Requests Manager has not yet validated the requestor’s identity, the Verify Identity section will appear containing any attachment the requestor has sent along with the initial request as proof of their identity. 

Once the requestor’s identity has been validated, the Assigned Action Items section will appear containing a list of assigned action items for the request. Each action item contains the name of the data store the action item is for, a list of assignees to that action item as well as a Status for the action item which is either Assigned or Completed

In some cases below this information an action item will display 'No data was found. Review for accuracy.’ This indicates that an automated scan was performed at this data source and personal data was not found for the requestor. This does not necessarily indicate an issue but may be worth investigating depending on the context i.e. if data would normally be expected at that data store for this type of requestor

In the Message Portal section you can communicate directly with the requestor via a Secure Messaging Portal to establish their identity, clarify their request, or give them a status update. Security at the portal is established by encrypting the data in transit and at rest.

Requestors will be invited to use the portal when they receive the email to verify their email after submitting a subject rights request. They will also be given a link to the portal in every request completion and request rejection email. They will be asked to verify their email and set a password to use the portal. Once logged in, they will see any requests they have made with that email. Upon clicking a request, they can see and send messages for that request.

When sending notifications to your end-users, they will receive an email notification alerting them to the fact that they have received a new message but at this time there are no in-app notifications indicating that a requester has sent a message through the portal.

Once a request is rejected or completed, any attachments made on portal messages will be deleted after 120 days. At that point, they will no longer be accessible by you or the end-user. Message content does not get deleted, but remains in an encrypted state. Supported files for attachments include: .ppt, .pptx, .odp, .key, .doc, .docx, .pdf, .odt, .rtf, .txt, .xls, .xlsx, .ods, .xlsm, .csv, .jpg, .jpeg, .png, .svg. Text must be included in the message to send the attachment. 

At the bottom of the Request Details page appears the Status section. Just above it are the Rejection and Completion buttons. The status section contains each status the request has passed through along with the user responsible for the update (except when the system makes the update) and the date the status change occurred.

The Rejection and Completion buttons are used by the Data Requests Manager to move the status of the request forward when validating a requestor’s identity and when completing or rejecting the overall request.

Return to the Subject Rights (DSAR) Workflow.