Review data for a subject rights request

After you create a subject rights request (learn more) in Microsoft Priva, the Subject Rights Requests solution will use your inputs to look for matches about your data subject in your organization’s Microsoft 365 environment. Once this data has been compiled, you can review the findings, make choices about what to include, and redact information as necessary. Multiple users can collaborate on these steps via the Priva interface.

Step 1: Review request details and monitor progress

To see the initial results of your search, go to the Priva area of the Microsoft Purview compliance portal and open Subject rights requests. A list of all open subject rights requests can be found on this main page.

Select your request in the list to see request details. Here you can learn more about the request’s properties, the search results, and the request’s status. This page will become your hub to work and collaborate on managing the files found, creating reports and exports, and completing the request.

The Overview tab of your request details page provides details about the request, a progress indicator showing your current step, and key information about the data found. The tiles on this page include the following:

Details

The Details card displays basic information to orient you to the request, such as its deadline, the creation date, the description, and the privacy regulation related to the request.

Progress

The Progress card lists each step in the process: Data estimate, Retrieve data, Review data, Generate reports, and Close the request. A filled-in blue circle next to the step indicates the step you're currently on. A checkmark inside the blue circle means the step is complete, and the un-filled circle means the step hasn't started yet.

Total number of items found

This tile shows stats about your current progress stage. It may show information like a data estimate summary, how many items were found in your search and their locations in Microsoft 365, or the status of your exports.

Priority items to review

The Priority items to review tile shows items that you may want to prioritize as you start your review. The tile displays a count of items that belong to the following categories:

  • Confidential: These are items that have a Microsoft sensitivity label applied to them. For example, a Word document with a "Highly Confidential" label.
  • Multi-person data: These items contain the personal data of more than one person. If you want to include these items as part of the final data package, you'll need to redact the irrelevant data in the files. See Step 3: Review data below for details. Note that in order for Priva to identify items with multi-person data, your organization needs to set up data matching for subject rights requests.

How to locate your priority items:

First, ensure you've enabled your view of them in your Data collected table of items by following the steps below:

  • On the Data collected tab, select Customize columns at the top of the list of items.
  • On the Edit columns flyout pane, place a check next to Priority types.
  • Select Apply. Your list of items will now have a Priority types column.

Now you can identify the priority items and find them by sorting the Priority types column to group similar types.

Understand progress stages

Subject rights requests go through multiple stages. Some stages progress automatically, and other stages advance when subject rights request administrators and contributors complete essential steps like reviewing files.

Since requests may need to be worked on over time or by multiple contributors, Priva gives continual updates on status and guidance about the next steps to take. These updates can be viewed on the Overview tab of a subject rights request’s details page.

Data estimate

Once you create a request, Priva immediately begins looking for potential matches to the data subject in your Microsoft 365 environment. Once we've identified all the items we think match your criteria, you'll see the estimate in the Data estimate summary card on the request's Overview page. The amount of data within the scope of your search will affect the length of time it'll take to complete the estimate.

Your request will move automatically to the next stage of data retrieval, where all the content items are gathered together so that stakeholders can collaborate on data review. In some instances we'll pause the data estimate before moving onto retrieval and notify you of next steps to take before continuing.

You can also choose to automatically pause at the data estimate stage when you first create a subject rights request. During the creation process, select the Get an estimate first option during the Search settings step. Review details about the search settings step.

Pause in data estimate for large search results

Priva will notice if your data estimate is projected to return a large number of items to review (over 10K items). The estimate will pause so that you can preview the results and decide whether to edit your search query to target more specific locations or conditions, or continue to retrieve the identified items. We'll show you on screen the number of items and volume of data that match your search. You'll have one or both of the following options in a message bar at the top of your screen:

  • An Edit search query button will take you directly into the request's search settings to set stricter parameters and generate a new estimate.
  • As long as your search query isn't over 300K items, you'll also see an option to Retrieve data. This allows you to choose not to edit your search and to continue gathering the data.

Retrieve data

The data retrieval stage is when all the files, emails, chats, images, and other content items containing the data subject's personal data are retrieved and put together in an Azure blob storage container for review. Data retrieval may take a few minutes or significantly longer depending on the volume of data. When this stage is complete, the request moves automatically to the next stage of Review data.

Review data

At this stage, your contributors should review the findings under the Data collected tab and perform all applicable tasks like redaction, applying tags, and adding notes. When you’re done with the review, select Complete review.

Generate reports

Your reports are being generated at this stage. When complete, these can be found under the Reports tab. Your finished files can be exported for final review and delivery to the data subject who made the request.

Close the request

A closed request indicates that all work has been completed to fulfill this subject rights request. All data collected and reports will be retained according to your data retention settings.

Step 2 (optional): View and edit search queries

To see detailed information about the data search behind a subject rights request, select View search query details. This opens a pane summarizing the query and showing further details about what was found.

You have the option here to Preview search results to see what type of content will be returned for this query. If you would like to change the properties of this search, and you haven't begun the Retrieve Data phase, you can use the Edit search query option.

The edit search query guided process lets you change or add properties for data subject identification, your search filters and conditions, and the locations in which to look for data (including Exchange, SharePoint, OneDrive, and/or Teams). Use these options to reach your desired level of specificity. You can review the final version of your new query before hitting Save.

When you finish editing your search query, a new search will run to replace your previous search results. This resets your status in the Progress section to the first step, Data estimate. The new search may take up to 60 minutes to complete. Once it’s done, you’ll see updated results on the request’s details page.

Step 3: Review data

At this stage, your contributors should review the findings under the Data collected tab. A Teams channel will automatically be set up to facilitate content review by all stakeholders. See Collaborate on data review for more details. The essential tasks for the data review step are outlined below.

Mark items as Include or Exclude and add notes

Review the list of identified items returned by your search. If you decide that the item should be included as part of the final report back to the data subject, select Include on the command bar across the top of the list of items. You can also select the blue Include button in the content review area to the right of the list of items. When you select Include, a flyout pane appears with an option to add notes. When you're done, select Submit to save the item's review status as Include.

If the item doesn't belong as part of the request, select Exclude on the command bar or the Exclude button in the content review area. Excluding an item means it won't be included in the final reports that are generated for the data subject.

Note

If you mark an item as Exclude, you're required to add a note as justification for why it doesn't pertain to the subject rights request. Notes are for internal purposes and aren't included in final reports.

If the content appears to be a false positive, select Not a match and on the flyout pane, select Confirm. This action will exclude the file from your final reports and flag the item as something that shouldn't have been detected in the search.

Apply tags

Tags can be used to help you identify items that need further attention. Priva provides three default tags -- Follow-up, Delete, and Update -- for which you can set a description. Priva also provides two custom tags that you can name and describe.

For example, if you determine during data review that a content item doesn't need to be kept by your organization, you can apply the Delete tag, then export a list of all the tagged files so that you can go back and delete the identified items when you're done with the request.

The five tags that you manage in Settings apply to all of your subject rights requests.

To add or remove tags:

  • Select the item from the list on the Data collected tab of the request.
  • In the item preview area to the right of the list, select the Apply tags button on the bottom row. You can also select the three dots to the right of the item name and select the Apply tags option.
  • A flyout pane appears with the list of tags. Check the box next to any of the tags you want to apply to the item. Un-checking a checked box will remove the tag.
  • When you're done, select Save, which saves your tag selections and closes the flyout pane.

To add custom tags or update tag descriptions:

  • From the Subject Rights Requests page, select Settings in the upper right corner of your screen to get to your Priva settings.
  • Go to the Data review tags page, and select the tag to input a description and, for the custom tags, a name. Learn more about tag settings.

To export a list of tagged items:

  • Go to the Data collected page in a subject rights request.
  • Above the list of items, select the down arrow icon which says Export when you hover over it.
  • An Excel file will download which shows the properties for all the items collected by the search for the request. Find the Tags column to identify and sort the items by tag.

Use the Annotate command to redact text

The Annotate command in the content review area lets you create inline mark-ups and redact data within a content item. For example, if you need to include a file for an individual that also contains the personal information of a different data subject, you can use Area redaction under the Drawing button in the command bar to black out all information that doesn't pertain to the person who made the request. When your edits are complete, select Include to add the redacted file to the request. Annotation creates a copy of the file, which is stored in your Azure blob. The original file remains unaltered and stored in its original location.

Enter notes about a file

To add or review notes on an item, select the item from its row and go to the File Notes tab in the content review area to the right. You can also use the Add file note option to create a new comment. To review or add notes at an overall case level, go to the main Notes tab above and use Add case note. These notes will be visible to users working on the request, but won't be included in the final report or otherwise shared with the data subject.

Complete the review

When all items have been reviewed and you've set their status as Include, Exclude, or Not a match, it's time to close out the review step by selecting the Complete review button in the upper right corner within the request. A flyout pane will show a summary of the data and let you add any related notes. These notes are for internal record keeping and aren’t shared with the data subject.

Select Complete review on the flyout pane to finish the review step. Summaries of your decisions will be provided later under the Reports tab.

Collaborate on data review

Priva supports collaboration through Microsoft Teams to allow your group to work together on subject rights requests. When you create a new request, a Teams channel is automatically created and associated with your request by default. Here you can discuss the request and safely share input and contributions. To join the conversation, open your request and use the Chat with collaborators option. This will open Microsoft Teams and place you within the General channel for your subject rights request's Team site.

To review the list of active collaborators that can view and contribute to your Team site, within your subject rights request open the Collaborators tab. To add additional users to collaborate on this request, select the option to Add a collaborator.

To change the default behavior of generating Teams sites when creating a subject rights request, go to Settings in the top nav and select Teams collaboration to modify the setting.

You can also use the Share option in the upper right within a subject rights request to loop people in via Teams or email, or to copy the link to the page in Priva. Sharing via Teams allows you to select an existing Teams site and channel available to your account, where it will post a link to this case along with any message you supply.

Step 4: Close the request

When you have performed all the necessary actions to resolve your subject rights request, select Close the request. This creates the final report, which can be found on the Reports tab. Completion might take a while depending on the number of files in the request.

Next steps

To learn more about working with reports and completing subject rights requests, see Generate reports and fulfill a subject rights request.
