The 'non-disclosure provisions' are quite straight forward. They make up the
first five Principles in the Act and section 10. Basically,if you want to
disclose for a 'crime and taxation' reason but the first five principles or
section 10 is stopping you, then you can claim an exemption from the
non-disclosure provisions (apart from still complying with schedules 2,3)
and can therefore disclose.
Nic Drew
DPO
Cardiff & Vale NHS Trust
-----Original Message-----
From: Dave Wyatt [mailto:[log in to unmask]]
Sent: 13 September 2001 02:44
To: [log in to unmask]
Subject: Re: Section 35
Re section 35(2)
I believe the Acts drafting is very poor as 'non-disclosure provisions' are
an exemption. Section 35(2) refers to being 'exempt from the non-disclosures
provisions'.
Does this not read therefore as being exempt from an exemption?. If no
correction has been made to the Act in this respect the clause appears a
nonsense. It appears that it should state 'Personal data are subject to
(not exempt from) the non-disclosure provisions ......'
I can't see how a data controller can have any confidence in using this
clause to defend their disclosures as being inconsistent with sections a to
c in 27(4) given the way 35(2) is drafted. .
The OIC comment does appear suspect when read against the definition of
non-disclosure provisions in 27(3). This states that the exemptions from
principles specified, only apply where they are inconsistent with the
disclosure in question. It all depends on how you interpret this phrase. The
OIC appears to be giving it a wide interpreatation favouring the data
controllers position. Good news dependant on which hat you wear.
The emphasis however is that the recipient must be undertaking one of the
functions (they may even be a service provider to a data controller) as
defined in 35(2). e.g disclosures to the third parties lawyers before
formal court proceedings. However 35(2) is not a mandate to force a
disclosure and the 'necessary' phrase does requires some decision making to
assess the disclosures to ensure they are indeed necessary in the context of
the allowed uses.
Under the Act data subjects do not appear to have any direct rights to stop
disclosures other than via arguing principle 1 and 2 breaches but if a
controller can apply section 35(2) there are no breaches under these
principles.
Anyone else want to try to rationalise 35(2) and 27(3-4). I personally feel
these clauses leave something to be desired in the manner drafted but must
admit, in wearing a data controller hat, to be pleased with the content of
the OIC response. However I would not be suprised to see the directive being
scanned for interpretation answers given the drafting of the Act.
David Wyatt
-----Original Message-----
From: This list is for those interested in Data Protection issues
[mailto:[log in to unmask]]On Behalf Of J F Hitches
Sent: 11 September 2001 16:44
To: [log in to unmask]
Subject: Section 35
You may recall that I recently raised a query on this list in relation to
SEction 35 of the DPA. I have now received the following, surprising
response, from the OIC which confounds the general view expressed by
respondents to my original query:
Thank you for your email of 5 September. You ask about Section 35(2) of
the DPA 1998 and whether the exemption (disclosure) relates only to legal
proceedings in which the data controller is involved. You indicate a
misconduct case, involving a statutory professional body.
The exemption is not restricted to cases involving data controllers but to
anyone who requires the information
For the purpose of obtaining legal advice, or is otherwise necessary for
the purposes of establishing, exercising, or defending legal rights.
For these purposes, I would consider proceedings involving the statutory
professional body as having the same weight as actual court appearance."
I have asked to the OIC to give further thought to their response. Their
interpretation seems to indicate that I can ask a data controller to provide
personal data of someone I just think may be a witness to my alleged
speeding offence so that I can obtain legal advice, and that the provision
of data would be acceptable.
This seems to provide a wonderful loophole for fishing trips and to be
against the spirit of so much of the Act.
John Hitches
J F Hitches
Data Protection Officer and
Information Security Officer
Kingston University
River House
53-57 High Street, Kingston upon Thames
Surrey, KT1 1LQ
Telephone/Fax: 020 8547 7768
E-mail: [log in to unmask]
The views expressed are those of the individual and
not necessarily those of the university.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
all commands go to [log in to unmask] not the list please!
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
all commands go to [log in to unmask] not the list please!
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
all commands go to [log in to unmask] not the list please!
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|