** Reply to note from "Trent,Tim" <[log in to unmask]> Fri, 26 Jul 2002 11:56:51 +0100
> I think that one is not entitled to exclude any data source from the efforts
> one makes in acceding to a SAR. It is not up to the Data Subject to know
> where their data is held, it is up to you as a data controller. By the
> logic you state here you could exclude ANY data set not referred to
> explicitly in a SAR, which is invalid.
Hi Tim, I see you got your Friday wind-up spoon too.
Not quite. I don't expect a definition of data, nor do I expect to search in
medical research data or the archives department when the request is
from an employee. (Definately Friday, so biiiiig spoon is out).
I did say on all my messages on the matter I would expect a reasonable pointer
as to what we are looking for. 40 days is not enough to trawl through every
computer (say 2500 machines) in the hope of finding something ... but if the
request is such that can help us identify the people involved in a process or
decision making (and thus their pcs) then I do not see how any reason to claim
disproportionate effort. Remember we are talking email not other docs.
Reality Test.
You and I have communicated off list.
Your messages to me are probably (most most likely) deleted AND if not they are
kept on my computer (ie. automatically removed from the "system").
My messages to you are kept in my mailer (thus on my PC's hard disk) (until I
choose to clear them ... or like last time I got them corrupt and I decided I
should start clean).
You send SAR to us for example, ignoring I am the DPO and perhaps likely to see
it ;-), on what grounds should the organisation think you and I might have
exchanged email.
Should the organisation know (ie. keep yours+my messages)? (I don't think so
else we could have communicated straight on the list so the whole world -
literally - could know) ... employee privacy, your privacy 'n all that. The
organisation though should be able to find the info.
If you make a complaint - and I guess in my legal ignorance - that you would
have to give a damn good pointer as to where data about you might be processed
(eg. my office) hence you prove the point and win, why could you not give that
pointer in the first place? (... Unless I read your message wrong).
-------------------
I agree with the other comments on the list that it is all about educating users
(a) that email is not private, nor confidential and too easy to make hasty
comments with;
(b) to consider throwing things away than keep them in perpetuity,
The length of string we (or at least I) are trying to define is how much info
should a SAR provide?
> We are expected to scour filing cabinets, PDAs Personal Organisers and all
> other extremely difficult data sources as well.
Oh *****. Not playing any more. Your Friday spoon is a bigger than mine :-)
We should even rejoin the shredder cuttings ... if the Iranians could do it in
1979, 30 years on we should be able to just press a button and have paper pages
reconstructed.
Charles
==============================================
Charles Christacopoulos, Data Protection & Management Information Officer,
Planning & Information, University of Dundee, Dundee, DD1 4HN, Scotland,
United Kingdom.
Tel: 44(0)1382-344891. Fax: 44(0)1382-201604.
http://www.somis.dundee.ac.uk/ http://somis2.ais.dundee.ac.uk/
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|