Doreen wrote:
>Thanks for that Paul ...it has confirmed my reasons for withholding third
party information relating to my SAR. As we all know the Act is there to be tested!
I'm not convinced that's right.
The first question where there is third party data involved and a refusal to disclose by that 3rd party is whether it is "reasonable in all the circumstances to comply with the request without the consent of the other individual". This presumably follows from the purposes for which it is processed, so we need to be clear about them. The data controller in any case has a duty to release "so much of the information sought by the request as can be communicated without disclosing the identity of the other individual concerned, whether by the omission of names or other identifying particulars or otherwise". A duty of confidentiality is only one of the factors in deciding 'reasonableness', and apparent caution may turn out to be rash!
Doreen started this by referring to disciplinary action in an employment context - "they are all employees with disciplinary/grievances and therefore you have to take into account confidentiality as to the third party as well as the data subject's rights". (I think we've been here before, by the way.) In this context you're probably going to have a strong obligation to release the identity of the witness anyway in order to treat the (data) subject (of allegations) fairly unless you reasonably think the witness is seriously likely to come to harm as a result. Accused people are entitled to know the charges and evidence against them and it would therefore be "reasonable in all the circumstances" although, as pointed out before, an SAR might not be a sensible mechanism. If you think the allegations are trivial/spurious, then perhaps you would not act against the data subject on the basis of them. But perhaps you should then act against the third party!
A public authority acting as such (e.g. a local authority considering a dispute between neighbouring tenants, an institution of higher education, perhaps even a student union or a charity when carrying out what are effectively devolved public functions) has obligations under administrative law and the Human Rights Act Article 6(1) to decide issues of rights in a fair and open manner even where there are competing rights at issue ("everyone is entitled to a fair and public hearing within a reasonable time by an independent and impartial tribunal established by law"). It is unlikely to be reasonable to refuse to disclose data if it's likely to lead to the breach of another act to withhold it!
The duty of confidentiality of an adviser, counsellor or similar towards a client is something specifically recognised in the DPA and associated regulations. That might well apply in the circumstances Susan was talking about. That's not at all the same as promising confidentiality to someone making allegations which might be justified or unjustified, honest or malicious, if they will have an effect on how you treat the data subject.
In respect of Ian's last message, if you have a file relating to someone and you deliberately omit some information from it so you don't have to reveal you've got it, that could get you into trouble if comes out later because it lacks the appearance of fairness (for example in HRA or employment law terms, or discrimination law), and I wonder whether you can fairly process the data you do hold if you make such choices!
Paul Hubert
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
all commands go to [log in to unmask] not the list please!
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|