In my mind the Act itself is clear enough as it clearly entitles a
controller to seek sufficient information as is reasonable to locate the
data being sought. Section 7(3). What is reasonable will be judged case by
case should a data subject choose to escalate an issue further seeking OIC
assessments. Very few do this and for those that do the OIC tend to do their
homework.
Full assessments processes and enforcements are not issued lightly given the
resources required of the OIC themselves.
What is disappointing is however consistency in advices. This comes down to
training. I strongly believe that every DPA advisor whether within the OIC
or data controllers themselves should be qualified to give that advice
possibly using the ISEB Data Protection Certificate as a minimum competency
standard before a person is allowed 'give advice' on the subject. This
should be a legislative standard. It is clear the subject is complex.
Unfortunately the DPA gets little positive support by government and this
leads to poor training and commitment. Look at today's Guardian where the
Government get caught by the legislation so their reported response is lets
try to repeal or modify. This was a similar response reported by the
opposition over their usage of the electoral role. Its about time we saw
some positive support for the legislation from ministers. FOI Act is
another example. OIC tends to get caught in the middle.
It will be interesting to see whether the rest of EU will support a UK
government request to repeal sections. I recall UK stood in the minority
camp in objecting to the initial directive. UK are also against 'opt in' for
email marketing, again I believe in the minority camp. In the meantime DPA
administrators have to struggle on with new incentive of potential
redundancy in their careers. All very positive on legislation which is
supposed to protect you and I as individuals ;-).
On the positive side it is often said that anything worth having never comes
easily.
David Wyatt
> -----Original Message-----
> From: This list is for those interested in Data Protection issues
> [mailto:[log in to unmask]]On Behalf Of Tommy Kennedy
> Sent: 05 February 2002 09:05
> To: [log in to unmask]
> Subject: Re: Supplying information to locate data
>
>
> Further mud for these murky waters...........
>
> I received a "blank" SAR a few weeks back and phoned OIC for advice.
> Spoke to Peter Bloomfield.
> He was quite specific and clear.
> We should try and get "locating" information from the subject.
> But if the subject refused to provide any information we would be
> entitled to refuse the request.
>
> ????????
> Tommy.
>
> >>> Gill Smith <[log in to unmask]> 02/04/02 05:09pm >>>
> Dear All,
>
> Remember this? A few weeks ago, Leif Wilks said:-
>
> "We seem to be getting conflicting views from the OIC on this.
> Gill Smith says that their advice is that "if someone asked to see what
> information the Council held about them but did not give sufficient
> information to assist you in locating the information, such as connections
> or relationship with the council, you would still be expected to process
> their request. You would be expected to search
> the most obvious information systems (paper, IT, etc) where information
> about them may be held, (such as the Council Tax database) and provide
> information to them."
> I was at a meeting some time ago where Peter Bloomfield from the OIC said
> quite clearly that we do not need to respond to requests in the form "all
> the data that you hold" with no indication of where it might be.
> Section 7(3) seems to me to be pretty unambiguous."
>
> To settle this once and for all.... I have today spoken with Angela Cooney
> at the Information Commissioner's Office and she confirmed that data
> controllers would be expected to deal with requests, even though little or
> no information is given to assist them in locating information held. If a
> trawl was made of the most likely systems where information may
> be held, and
> an individual complained to them that their request had not been fully
> complied with under the DP Act, they would be sympathetic to the data
> controller and unlikely to carry out an assessment, or take enforcement
> action as the organisation had done everything it could to locate the
> information, in the absence of information to assist them. They
> would take a
> different view, however, if an organisation refused to respond to
> a subject
> access request merely because insufficient information was provided by the
> data subject.
>
> Thought you might be interested in the follow-up.
>
> Gill.
>
>
> Gill Smith
> Data Protection & Security Officer
> ICT Services
> Devon County Council - www.devon.gov.uk
> Tel: 01392 383165
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> All archives of messages are stored permanently at
> http://www.jiscmail.ac.uk/lists/data-protection.html
> If you wish to leave this list please send the command
> leave data-protection to [log in to unmask]
> All user commands can be found at : -
> www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
> (all commands go to [log in to unmask] not the list please)
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> All archives of messages are stored permanently at
> http://www.jiscmail.ac.uk/lists/data-protection.html
> If you wish to leave this list please send the command
> leave data-protection to [log in to unmask]
> All user commands can be found at : -
> www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
> (all commands go to [log in to unmask] not the list please)
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|