Been away from the list for a few days.
Here with a late, long summary of responses, as requested. Because of the
variety of views provided, often by example, I have depersonalised (good DP
practice, I hope!!) the responses leaving the examples as they stand.
Classic link is witness data. I would not supply any data to the data
subject which allows the identity of a witness to be known by the data
subject unless I was certain from my records they already knew the identity
e.g. Case has been to court or in the press. If I was certain they knew this
persons identity I am applying 7(4)b as it is pointless to seek consent. If
I was not certain the identity is known I would first go to 7(5)and edit and
if that did not work I would go to 7(4)a - can I get consent. If this not
possible I would decline supply 7(4)
Joint contracts another example where both parties have an interest. It is
reasonable to assume each knows the others identity given it is a joint
contract therefore do not need to seek consent to disclose the other parties
name or contract factors each knows. Again Im relying on 7(4)b when
supplying.
In practice advices are always try to remove names of anyone other than the
data subject or own staff before supply but the context, as you know, may
lead them to identify another individual. In such cases we try to remove as
much as possible keeping as evidence a copy of the the original position pre
edit with the data subject request file to enable the position to be
scrutinised as 'fair' should a challenge occur through the commissioner.
Here we are applying 7(5)
35(2) is about disclosure!! Look at Sched 7, para 10
Schedule 7, paragraph 10 refers to "claims" of privilige
Lawyers say that this claim has to be assessed on a case by case basis. For
example, I might seek legal advice
with respect to a report which is also personal data. The privilige relates
to the advice from the lawyer; I was told that it does not extend to the
report so I think it could be rather narrow exemption.
I would take the view that if a Data Subject applies for access through a
solicitor (who you recognise as a solicitor), then treat it as a normal
Subjetc Access request. What you can do is involve your legal people before
release of the personal data to the Data Subject. This will also give you
"protection" - just in case someone says "You should not have given him
that".
I think you are in the same position as the NHS. Where negligence is a
possibility, Subject Access is used to look at the medical files to assess
the claim.
I still feel that a data controller is on weaker ground arguing witholding
CCTV images simply because the data subject may be suggesting they are to
use in subsequent legal proceedings. Again context is everything and without
knowing the basis of the legal proceedings intended and whether others on
the tape can be implicated it difficult to see why the controller has any
obligation to consider the matter. The Act clearly allows the controller to
make the choice on whether to supply or not.
If the other individuals in the video wished to have a 'pop' at the data
controller releasing their image. They would have to prove their image was
personal data in the hands of that data controller. Can they do that I
wonder? Depends on the whether the CCTV is monitoring the data controllers
own staff or the public at large. Example being a football club with crowd
pictures. Club unlikely to identify all data subjects in a video but might
manage to identify a club steward and some known banned members of public.
Police more likely to identify a larger subset of individuals in the video
from their access to records in their possession which hold details of
potential offenders, but this would be unlikely to identify the steward.
When you get to data used in court, others areas of research such as Legal
professional privilege Schedule 7 Section 10 may play a part although
relationship of parties would have a bearing on its application.
I also wonder whether self incrimination exemption in Schedule 7 Section
11(2) gives you comfort.
Section 35(2) and its non-disclosure associations in my mind relates to
exemptions as defined in 27(4). 6th principle concerning right of access is
not one. So I would believe this sections application is out of context on
the issue as discussed.
Hope they are of value.
Ian W.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
all commands go to [log in to unmask] not the list please!
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|