In reading the Constitution Unit's "Guidance on the Law"
http://www.dca.gov.uk/foi/sharing/toolkit/lawguide.htm, (which seems to
somewhat repeat, enlarge and provide more detail than the ICO's 1998
'Private lives And public powers' publication, albeit from a more biased
perspective,) in respect of data sharing and the law, I, like Ian B and
Stephen Williams am somewhat puzzled.
The document states:
"In doing so it will be important to ascertain whether there are express
statutory restrictions on the data sharing activity proposed, or any
restrictions which may be implied by the existence of other statutory,
common law or other provisions (see [section 3]). " ...... "Implied powers
will be more commonly invoked."
Where a public body intends to share data by utilising an 'implied power'
how is a data subject made aware of that processing intention, or is it to
be clearly implied?
Thinking of 'other provisions' I recall an old oft told anecdote amongst
police officers; A detained burglar who has indicated a willingness to have
other offences taken into consideration (TIC) is driven around the district
and asked to indicate the premises they have burgled, when driving past
houses subject of undetected burglary offences the driver would brake,
causing the offender to nod their head, thereby implying they had committed
that offence. I dare say other areas of law/society have similar anecdotes.
The document further states:
"As to further processing operations, in our view, the requirement of
compatibility has a relatively low threshold. Compatible does not mean
"identical to",
and
"purposes which are quite different from the original purposes can still be
compatible with those original purposes. We believe that, provided the
further processing is for a purpose that is not contradictory to the
originally specified purpose or purposes, it will be consistent with the
second principle."
Article 6 of the 95/46/EC states:
"1. Member States shall provide that personal data must be:
(a) processed fairly and lawfully;
(b) collected for specified, explicit and legitimate purposes and not
further processed in a way incompatible with those purposes."
The word 'explicit' seems relevant here, which could create clear
differences in 'implication' relating to the use of data as advised in the
guidance linked to above. Legal transpositions aside, it was my impression
that the spirit of principle one and principle two was to keep the data
subject explicitly aware of the purposes their personal data is processed
for - and by whom - as a means of providing a chosen balance to their lives.
Avoiding enquiring in clear english, and directly with the data subject
would not be a 'fair' method of meeting DPA requirements. Perhaps
surprisingly, No is an answer the data subject is entitled to give, and
should not have to keep broadcasting.
Providing some balance the document does say:-
"As a general rule the Information Commissioner has indicated that consent
should be 'informed' and 'unambiguous'. Consent is notoriously hard to
define, although most people (we imagine) would feel able to recognise it
when they saw it. An evaluation of the adequacy of consent in the
circumstances where it is not obvious that it has been given or that it is
fully "informed", make it difficult to generalise. "
and
"Certain exemptions apply to "the non-disclosure provisions" which are
defined in section 27(3) and (4) as including: the first data protection
principle, except to the extent to which it requires compliance with the
conditions in Schedules 2 and 3; and the second, third, fourth and fifth
data protection principles, "to the extent to which they are inconsistent
with the disclosure in question". This is an important caveat, as if in any
particular case compliance with (for example) the fairness requirement in
the first data protection principle is not inconsistent with the disclosure
in question, there will be no exemption from that requirement."
Accepting the document was authored and published with the intention of
promoting data sharing in the public sector, (in my opinion it should be
read with that firmly in mind,) and that the ICO has not endorsed it, so is
left with a clear field to challenge any matter issuing from utilising the
DP guidance it contains; The only way I can make the use of the word
"implied" sensible in DP scenarios (without completely ignoring all previous
DP precedent) is in a restrictive legal sense. i.e. Base the implication on
what can be inferred because of its necessary relation to powers which are
expressly granted. Doing that will be a process of some complexity,
requiring careful documentation in itself, in which it may be best to
involve the firms lawyers. Indeed it is worthwhile conferring with a legal
dictionary to confirm the precise legal interpretive meaning of many words
at key points in that particular document if misunderstandings are to be
avoided.
It would appear prudent for list members recognise that highly motivated
staff quickly reading the first few paragraphs of that document, and
probably even after reading the whole set of documents, may approach them
with an old anecdotal type scenario, in attempting to loosen the data flows
and bypass perceived inhibiting factors provided by data subject protective
safeguards. I guess the clients/customers can always get in the way of good
administration. In the circumstances I perceive a need to read and be
critically familiar with the contents of the document, if only to have some
answers to hand when the inevitable approach occurs.
Ian W
> -----Original Message-----
> From: This list is for those interested in Data Protection issues
> [mailto:[log in to unmask]] On Behalf Of [log in to unmask]
> Sent: 26 November 2003 12:29
> To: [log in to unmask]
> Subject: Re: D.C.A. Legal Guidance on Data Sharing
>
>
> In a message dated 26/11/03 11:07:11 GMT Standard Time,
> [log in to unmask] writes (extract):
>
>
> > What would be a contradictory purpose to
> > collecting Council Tax? Supporting a political movement
> aimed at its
> > abolition by making it unworkable -possibly - but almost
> anything else
> > would not be contradictory.
> >
>
> -----------
> There are many other anomalies in the guidance, presumably that's why
> the introduction says it was produced "in consultation with"
> rather than "with the
> approval of" the Information Commissioner.
>
> Interestingly, the guidance does not actually give an answer to the
> question of data sharing using Council Tax (CT) data as it fails to
> even approach the
> part of the 1992 legislation that restricts its further use
> (except now for
> empty homes policies). Discussion on whether secondary uses
> of CT data are
> compatible, or with consent, are still pointless as they
> would still be against the
> law.
>
> My view of the guidance is that it is sufficiently "woolly" to
> convince some people that data sharing will be okay providing a
> protocol or contract is in
> place.
>
> Caveat subscriptor.
>
> Ian B
>
>
> Ian Buckland
> Managing Director
> Keep IT Legal Ltd
>
> Please Note: The information given above does not replace or negate
> the need for proper legal advice and/or representation. It is
> essential that you do not
> rely upon any advice given without contacting your solicitor.
> If you need
> further explanation of any points raised please contact Keep
> I.T. Legal Ltd at
> the address below:
>
> 55 Curbar Curve
> Inkersall, Chesterfield
> Derbyshire S43 3HP
> (Reg 3822335)
> Tel: 01246 473999
> Fax: 01246 470742
> E-mail: [log in to unmask]
> Website: www.keepitlegal.co.uk
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> All archives of messages are stored permanently and are
> available to the world wide web community at large at
> http://www.jiscmail.ac.uk/lists/data-protection.html
> If you wish to leave this list please send the command
> leave data-protection to [log in to unmask]
> All user commands can be found at : -
> http://www.jiscmail.ac.uk/help/commandref.htm
> (all commands go to [log in to unmask] not the list
> please)
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
http://www.jiscmail.ac.uk/help/commandref.htm
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|