Trevor
Schedule 2 (5c) and Schedule 3 (7c) processing condition permits the
processing of personal data where such processing is necessary for the
exercise of any functions of a government department. As the definition of
processing is wide and includes disclosure, this would appear to allow the
argument that any processing proven to be required by a function of a
government department will not be unfair in principle 1 terms.
So if I, as a non-government department controller, am asked to make a
disclosure to a government department I simply have to prove:
a) The requestor is a government department (How do I do that?)
b) That the data is necessary for the functions of that department (How do I
independently find out the limits here?)
I assume as a data controller I must place the onus on the requesting
department (recipient) to evidence to me they have a right to request. If
they cannot do this to my satisfaction I can choose to refuse to supply
under these specific processing conditions (statutory access being a
different processing argument Sch2 (5b) or Sch3 (7b)).
I see a problem here in different organisations and individuals setting
different criteria of evidence on the government departments. This appears
to force a control process to be developed by all government departments to
introduce efficiency and consistency to access similar to the Police 29(3)
type requests.
However, complying with Sch 2 and 3 processing conditions is only the start; a
controller still has to consider fairness and the link to notifying the
potential uses and disclosures they are aware are going to happen when
collecting data, e.g. I could choose to declare that I may disclose to any
requesting government department for their functions when collecting the
data from an individual customer.
As processes are constantly evolving with all organisations then there will
be situations where the controller has not foreseen the requested disclosure
sought by a government department. It appears reasonable to set an
obligation as a condition of the disclosure that the requesting department
notify the data subject that the data has been obtained. If this cannot be
agreed then it appears reasonable to refuse to supply in the interest of the
rights of the individual (who is my paying customer in many cases). By
taking such action I assume I have ensured as far as practicable that the data
subject knows who is holding their data.
I'd be interested in other thoughts on this analysis as it appears to be more
logical for private sector companies to refuse access given proving access
appears difficult and costly for the disclosing organisation.
David Wyatt
-----Original Message-----
From: This list is for those interested in Data Protection issues
[mailto:[log in to unmask]]On Behalf Of Trevor Field
Sent: 11 December 2000 11:27
To: [log in to unmask]
Subject: Government departments
Dear all,
One of the qualifications attaching to the DP Principles states that disclosure
must be made (even without consent) for any "government department". I know
this may be deliberately vague - but has anyone come across any definition of
what is "in" here, or indeed any case studies of borderline decisions?
I can well see, for example, that the Inland Revenue is such a department for
these purposes. And when asked about the Immigration Service I guessed yes -
on the assumption that a letter or other request will be accompanied by formal
headed paper suggesting Home Office parentage. (Do any government departments
have forms akin to Section 29 paperwork?)
Is there any perceived difficulty with a cut-off point here? Or is the wording
of the legislation actually so clear that I am seeking problems where there are
none?
----------------------
Trevor Field,
Senior Assistant Secretary,
University of Aberdeen
[log in to unmask]
tel: [+44] (0)1224 272077