Quote: "A data controller is not obliged to comply with a request under this
section unless he is supplied with such information as he may reasonably
require in order to satisfy himself as to the identity of the person making
the request and to locate the information which that person seeks."
Be careful that you don't ignore the words "reasonably require" in relation
to these requests. If you simply refuse a request for subject access on the
basis that (in your opinion) the individual has not supplied enough
information about what is asked for, you can still be in breach of the
regulations. For example, if yours is an integrated system with a core
database and linked sub-records, then a simple request from a person giving
you their name (and if necessary a reference number) saying "everything you
have on me" would be sufficient information to locate ALL the centrally-held
data.
E-mails containing details of the person can be located by using the same
monitoring software you use for checking e-mail content to ensure compliance
with your usage policy. Just use the person's name as the search criteria.
Obviously further investigation may be necessary if there are other people
with the same name.
In terms of the distributed data, perhaps existing in different departments
or on different systems, sufficient "reasonable" identifiers may be a
reference number issued by yourselves, a status indicator (e.g. I was
employed by you from xx/xx/xx to xx/xx/xx) or a written statement as to why
the person feels you have their data. You cannot force them to fill in your
specially-designed form, although most data subjects will be happy to do so.
If you are unaware of files held in your organisation then that is your
problem and a data subject should not suffer just because you do not know
that departmental managers are keeping (e.g.) "unofficial" staff files in
their desk drawers.
Ian Buckland
MD
Keep IT Legal Ltd
Please Note: The information contained in this document does not replace or
negate the need for proper legal advice and/or representation. It is
essential that you do not rely upon any advice given without contacting your
solicitor. If you need further explanation of any points raised please
contact Keep I.T. Legal Ltd at the address below:
55 Curbar Curve
Inkersall, Chesterfield
Derbyshire S43 3HP
(Reg 3822335)
Tel: 01246 473999
Fax: 01246 470742
E-mail: [log in to unmask]
Website: www.keepitlegal.co.uk
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
all commands go to [log in to unmask] not the list please!
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|