Mary
Some thoughts which may assist analysis of the problem
The issue here seems to be based on obligations of confidentiality that an
employer may owe to its employees.
My understanding from seminars I have attended, where employment lawyers
have presented, was that all employers have a strict duty of confidentiality
on records held in connection with the purpose of employment. The DPA
purposes of staff admin could I believe be argued as defining the limits of
an employment purpose.
Where records are subject to a strict duty of confidentiality I understood
the controller needs clear express consents from individuals to disclose for
any other activity.
The fact you may have advised you will share with others as per your DPA
notification as a data controller for a non-employment purpose may not be
sufficient to satisfy your obligations regards strict confidentiality and
consent requirements.
You may need legal advice on that one. I recall case law being quoted on the
seminars I attended regards this type of data sharing by employers but am
unable to quote any specific case to aid your research.
Many of our staff are also our clients but my understanding is that we
cannot, without clear consents being in evidence, pass the address given by
the staff member for employment purposes to the retail division who may wish
to use for their retail activity in contacting the individual as a customer,
possibly to recover outstanding debts.
A possible solution may be for the personnel division to forward the invoice
for you avoiding any disclosure of address data from their records. If the
employer and the invoicing area are in fact two separate data controllers
then it is arguable that personal data is in fact being traded across data
controllers so this activity may also need consents.
You appear to have a data matching hurdle to jump also. How do you
accurately match a record across the two databases as there are likely to be
cases of multiple same names on both the personnel and invoice databases?
David Wyatt
> -----Original Message-----
> From: This list is for those interested in Data Protection issues
> [mailto:[log in to unmask]]On Behalf Of Thomson, Mary
> Sent: 28 June 2001 16:31
> To: [log in to unmask]
> Subject: Disclosure of information internally
>
>
> Could anyone offer any advice regarding the following:-
>
> We have staff members whom LIS need to invoice for outstanding library fees
> etc. LIS do not hold the staff home addresses and have asked personnel to
> disclose this information to them. Personnel have refused stating that they
> cannot do so.
>
> My query is that when we compiled our staff record the DAP declaration
> stated that information would be held on the personnel record system and may
> be disclosed in accordance with the University's registration under the DAP
> Act. Under purpose 1 of the DAP registration is it OK to disclose this
> information internally for the purpose of compliance with policy (i.e.
> university regs regarding lending of library books)?
>
> Apologies if this is long winded missive but guidance would be appreciated
> to a novice such as me.
>
> Mary Thomson
> Legal Executive, University of Teesside
> Tel: 342028
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> If you wish to leave this list please send the command
> leave data-protection to [log in to unmask]
> All user commands can be found at : -
> www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
> all commands go to [log in to unmask] not the list please!
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^