So, I've had another organisation claim that they can't provide me with
a lot of data as it contains personal data relating to other people and
it would require disproportionate effort to either contact all these
other people to see if they're happy for the data to be disclosed or to
go through and remove all the identifiable references. They claim to be
refusing to supply this data on the advice of the Data Protection Office.
Consider the (rather common, I would assume) case where every contact
with a company is recorded in some sort of Customer Management System,
with annotations by the staff member who dealt with the contact. Assume
this happens regularly, and over a longish period of time, such that,
by the time an SAR is made, most of the staff in question have now left
the organisation. Does the company really have to get permission from
all those ex-staff members to disclose the notes they made regarding the
customer, if they're annotated with their name? And can the company then
claim that if the employee's name cannot be removed automatically from
this data, that, due to the quantity of information that would have to
be processed by hand, that it would be disproportionate effort to supply
that data?
Surely this would be quite a major loophole?
Tony
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|