davidwyatt on 25 October 2002 at 00:25 said:
> A section 29(1) relates to information provision on a data subject under
> investigation. The form by its nature must contain sensitive data
(alledged
> offender) so how such requests are to be managed by any controller has to
be
> considered. e.g. Can the data subject obtain a copy of this form from the
> disclosee using SAR.
> I suggest the only way this can be prevented is if it is kept in paper
form
> and filed in date order away from any records linked to the individual.(A
> Data controllers processes must prevent any potential match with other
> records in their possession). 29(1) request forms should be handled by a
> properly empowered Data Protection Officer who should only make these
forms
> available to the OIC or the courts should the need arise not to any member
> of staff of the controller (this including all senior management)."
Using the caveat that a section 29(1) exemption should properly only exist
for a finite time.
e.g. once the investigation is completed, or no prejudice to the
investigation would be caused by disclosure of the SAR, it may be disclosed.
I understand that parts of the financial industry work on a time delay for
SAR request disclosures which may have initially attracted 29(1), to save
having to re-contact the investigators. That strategy contains its own
inherent risks.
Ian W
-----Original Message-----
From: This list is for those interested in Data Protection issues
[mailto:[log in to unmask]]On Behalf Of davidwyatt
Sent: 25 October 2002 00:25
To: [log in to unmask]
Subject: Re: Disclosure query
Some thoughts / observations
Id recommend rejecting request unless a 29(1) authorised by the Insurer
themselves supports it.
Its useful to examine the legal relationships here of the parties to unravel
potential informtion flows and points of responsibility.
[CLIP]
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|