I don't know whether this issue affects all the readers on this list unless
Universities and colleges are still classed as public bodies, apologies if it
is irrelevant . . .
In a message dated 10/09/2002 18:43:08 GMT Daylight Time,
[log in to unmask] writes:
<< Am I missing the point - if the data subject has given consent have they
not effectively given the information directly to each relevant department
(subject to adequate Fair Processing Notice) so it is not CT data being
shared across the Council? >>
----------
I suppose it depends upon how the data were collected in the first place. As
in the example I gave (and it was just an example in respect of ultra vires)
many of the councils using such functions as "ihavemoved.com" do so in the name
of their CT departments. If you look at the list of councils signed up to
that particular website, the majority are finance departments or specific CT
functions.
In other examples, the specific legislation affecting the collection of data
does not allow other processing to take place because of the way the laws were
written. Such as the planning laws, which do not allow the councils to sell
the lists for marketing purposes - but many of them do it and are "subject to
challenge" as in the address sharing case. In some instances, the
legislation even tells the council from where the information can be
obtained, thereby adding further problems to the data sharing issues.
In many cases, consent will not override the legislation as nothing in that
law allows for it (unlike the DPA which specifically mentions it as a valid
justification for processing). Look at Schedule 2, para 17 of the Local
Government Finance Act 1992 - the Council Tax legislation - which
specifically restricts any further use of the personal data.
To say a person has effectively given the data to each department is a point
which a court could consider and I do see where you are coming from on this
one. I was only trying to make the ultra vires rule a little simpler to
understand. In a nutshell the rule is this: As private individuals, we can
all do whatever we like unless there is a law which prevents it (a
restrictive law system in general) - but if we are a public body it's the
other way round, we cannot do anything unless a specific law allows or
compels it (enabling laws). DPA will not override any other law as far as I
know so the "consent to process" issue is largely irrelevant.
Ian
Ian Buckland
Managing Director
Keep IT Legal Ltd
Please Note: The information contained in this document does not replace or
negate the need for proper legal advice and/or representation. It is
essential that you do not rely upon any advice given without contacting your
solicitor. If you need further explanation of any points raised please
contact Keep I.T. Legal Ltd at the address below:
55 Curbar Curve
Inkersall, Chesterfield
Derbyshire S43 3HP
(Reg 3822335)
Tel: 01246 473999
Fax: 01246 470742
E-mail: [log in to unmask]
Website: www.keepitlegal.co.uk
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^