Excellent checklist, Ian.
One small point. You talk about "a responsible, high-ranking
officer". Dangerous stuff. Just because someone is described so, it does
not imply that he is being fair or lawful. Whoever makes the decisions
MUST do so fairly and lawfully, whoever he is. If he is a council
official, he must be empowered to do so, and must follow appropriate
procedures. Even Ministers of the Crown get it wrong sometimes (remember
one Mr Howard, Home Secretary of recent memory).
Regards
David
At 04:11 23/11/00 -0500, [log in to unmask] wrote:
>Dear Nicola/Fiona/All
>
>Suggested PVP marker/database system, with references to Principles or
>legislation (sorry it's in a nutshell):
>
>Your policy to have such a database should be considered at a high level and
>approved by the data controller (P7) and procedures should be in writing
>(general).
>
>You should ensure the purpose for the database is properly notified to the
>ODPC (legal requirement, P2).
>
>Reports from staff or third parties about a person's violent tendencies or
>actual threats should be in writing (P1). There may be other risks, such as
>aggressive family members, dogs, sexual threats, etc - the report should
>clearly spell out the actual risks to staff visiting or coming into contact
>with this person (P4). Opinion and circumstantial evidence should be avoided
>if possible but if recorded these opinions should be marked as such, e.g. "X
>felt threatened, although no actual attack or threat took place" (P4). The
>report writer should be informed that they may be asked to justify their
>evidence in court (P4).
>
>Any witnesses should be asked to support the accusations in writing (P4).
>
>Any CCTV cameras in place for staff security should be clearly signed as to
>the identity of the data controller and the purposes for data collection,
>e.g. "CCTV in operation for security purposes" (P1).
>
>Where it would not be likely to cause harm to any individual, the data
>subject should be contacted to allow them to put their side of the story (P1,
>P4, HRA).
>
>The decision on whether to add the person to the database should be made by a
>responsible, high-ranking officer who should make the decision based on all the
>information available (P1, P3, P7).
>
>If the decision is made that the person is to be added to the database the
>data subject should be informed unless there is a substantial risk to any
>person in doing this (P1, P6). The reasons for inclusion should be recorded
>(P4, P6, HRA).
>
>An independent appeals procedure should exist to challenge this decision (P6,
>HRA).
>
>The database should only be accessible on a case by case basis when an
>officer is making a home visit or the data subject is making a visit (P7).
>
>If you need to protect staff on front desks against all attacks (not just
>those on a database) then other methods should be used (screens, CCTV,
>security staff, etc). It may also be an idea to have a sign up saying that
>as a responsible employer you will assist any staff to prosecute their
>attackers (H&S).
>
>All accesses of the database should be properly authorised (by the nominated
>officer) in advance (P2, P7) and the access should be properly logged (audit
>trails, written reasons for access) (P2, P7).
>
>There should be sufficient information on the record for the officer to make
>a reasoned judgement on the risk involved and not too much information for
>the particular purpose (P3).
>
>The database should be regularly updated to reflect any changes in the data
>accuracy such as address changes, decision to remove after apology, further
>evidence of violence, etc (P4).
>
>There should be a review procedure and each record should have a review date
>when an assessment should be made as to whether the risk from this individual
>is still present (P4, P5, P6). If the risk is not there the entry should be
>removed from the database by the authorised officer (P5, P6, P7).
>
>The data should never need to be transferred outside the EEA but if it is you
>should ensure the recipient country has adequate DP law or you should have
>the person's informed consent (P8).
>
>There may be more to this issue but the above should give you a start.
>
>Ian B
>MD
>Keep IT Legal Ltd
>
>Please Note: The information contained in this document does not replace or
>negate the need for proper legal advice and/or representation. It is
>essential that you do not rely upon any advice given without contacting your
>solicitor. If you need further explanation of any points raised please
>contact Keep I.T. Legal Ltd at the address below:
>
>55 Curbar Curve
>Inkersall, Chesterfield
>Derbyshire S43 3HP
>(Reg 3822335)
>Tel: 01246 473999
>Fax: 01246 470742
>E-mail: [log in to unmask]