This is the response I got from one of the subscribers to this list and she
agreed I could type the contents of a letter she received from the Data
Protection Commissioner's Office:
"Thank you for your fax of 28 June 2000. Your query is rather involved but
I will attempt to advise you upon each of the points which you raise.
The effect of the Transitional Provisions:
Since I assume that the College has been processing personal data for
personnel purposes for some little time, it seems to me likely that the
transitional provisions in the Act are of relevance. The effect of these
will be to exempt data which are held in manual form (i.e. letters, reports,
etc) from the subject access provisions of the Act until 24 October 2001.
Any information held in this form need not, therefore, be disclosed.
Your fax also refers to informartion held in the form of e-mails. I am
afraid that is a rather complicated area. However, I enclose for your
information a copy of some guidance in this area which has very recently
been published by the commissioner. I hope you will find it of some
assistance in deciding what information held in the form of e-mails
potentially needs to be released.
Exemptions:
Having decided which information is caught by the Act, clearly you may also
wish to consider the effect of the exemptions. It does not seem to me that
any of the primary exemptions contained in Part IV are of relevance to you.
Of the exemptions set out in Schedule 7, I would refer you to para.5 which
contains an exemption relating to data which are processed for the purpose
of management forecasting or management planning to assist the data
controller in the conduct of any business or other activity. If to provide
a full response to a subject access request was to prejudice this purpose
then you may withhold that part of the data subject's record which would
prejudice this purpose.
Para 7 of the Schedule contains an exemption in relation to negotiations.
It specifies that "personal data which consists of records of the interntion
of the data controller in relation to any negotiations with the data subject
are exempt from the subject information provisions (including the right of
subject access) in any case to the extent to which the application of those
provisions would be likely to prejudice those negotiations".
Para 10 of the Schedule contains an exemption for data which are subject to
legal privilege. This is a somewhat technical exemption: it cannot be
assumed that all data are exempt simply because there are prospective legal
proceedings.
Finally, I would refer you to para 11 of the Schedule which specifies that a
person need not comply with a subject access request if, to do so would be
to expose him to the risk of proceedings for any offence other than a data
protection offence.
You will know better than I whether any of these exemptions are relevant to
your particular circumstances. For more information on the exemptions I
would refer you to the Commissioner's Introduction to the Data Protection
Act 1998 which may be downloaded from her website -
www.dataprotection.gov.uk. I would refer you in particular to Chapter 5
which discusses the exemptions.
Third Party Data:
Assuming that the data which you hold falls within the scope of the Act at
the present time, and that none of the exemptions are relevant, you must
also consider the approach to be taken towards information which would
identify a third aprty. Section 7 of the Act provides that information
which identifies a third party, whether directly or in combination with
other information likely to be in the possession of the data subject, need
not necessarily be disclosed. The point to note here is that it must be the
personal data which allows the identification of a third party or assists in
the identification of a third party. It would not be a ground for removing
the third party information simply because the data subject was able to
guess the identity of the third party even though the data themselves
provided no clue as to that person's identity.
The Act also specifies that in some circumstances it will be right to make a
disclosure of third party data even without the consent of those third
parties. In the first instance, however, an attempt should be made to
obtain consent. If this is not possible then you need to consider why it
was not possible to obtain consent (was consent consciously withheld or was
the person incapable of giving consent, perhaps because you were unable to
trace her/him?) The Act also specifies that you should consider a duty of
confidentiality owed to the other individual. The point to note here in
deciding whether or not ti disclose third party information without consent
is that none of these conditions are overriding and there may be some cases
where it is proper to disclose third party information against the express
wish of those third parties."
Whew ...this has helped me considerably.
Regards
Doreen Broom
Data Administrator
Scottish Borders Council
Council HQ
Newtown St.Boswells
Melrose
Borders TD6 0SA
Tel: 01835 824000
________________________________________________________________
This e-mail is privileged, confidential and subject to copyright.
Any unauthorised use or disclosure of its contents is prohibited.
The views expressed in this communication may not necessarily
be the views held by the Scottish Borders Council.
_________________________________________________________________
|