Scenario:
1. SAR received from data subject
2. Consent sought from referee (also a data subject)
3. Consent refused
4. Reference withheld
5. Data subject seeks OIC enforcement (which is granted)
6. University releases reference
It seems to me that any organisation acting in such a way in such a scenario
is behaving correctly, i.e. in a DP-principled way.
Two things: 1) consent has been sought and the interests of all relevant data
subjects considered; 2) the release of the reference has ultimately been
determined under legal compulsion.
(which I imagine (don't know, not a lawyer) would be the University's
defence against any alleged breach of the referee's DP rights)
The reason the reference was withheld (4. in this case) was because consent
was refused; seeking consent is therefore key. After all, what is the point
of a data controller seeking consent if their mind is already made up to
release? To put it another way, if everything else inclines the data
controller to release, what difference will consent make? In short, the data
controller seeks consent because s/he intends to use it as
reason/justification for action.
Gerry Dane.
Newcastle University