Rachel
Some observations which may assist
The Association of Chief Police Officers have a Data Protection Code of
Practice which covers their recommended standards for the various UK Police
forces to follow. These should cover the controls which exist at their end
in the officers originating requests obtaining authorised request forms for
submission to data controllers when seeking data.
The receiving controller should be looking at ensuring their procedures fit
with section 29(3) of the Act ensuring that the request and any intended
disclosure are relevant. Factors which should be considered.
1: There should be a declaration from the Police that a criminal
investigation being undertaken into the person about whom the data is
requested.
2:: The declaration should state whether in the requestors view a failure to
disclose would predjudice their investigation. Enough information should be
given to permit the controller to assess if a failure to supply would be
prejudicial to the investigation..
3: An assessment should be made by the controller as to whether their
failure to disclose would prejudice the investigation.
Note that requests orginated under a section 29(3) are not mandatory to
fufil.
4: The request should be in writing as it may be needed by way of evidence
to support your disclosures should any subsequent challenge arise from a
data subject regards improper disclosure. Holding this evidence protects the
disclosee from section 55 offences.
5: Also consider how you file the requests so it is not part of a relevant
filing system as the request document itself is not necessarily exempt from
subject access. I would state that a record of the request should be held by
the Data Protection officer only in a dtate order file and not linked with
HR files. I would advise that HR should not record a request has been
received on employee files. This prevent arguments of data being unfairly
collected or being excessive to its purpose. A request does not mean the
employee has been proven guiilty of any offence. HR depts should have
policies which covers employee obligations to keep them informed as
employers of any facts material to continued employement.
Under DPA a Data controllers security obligations are to their data
subjects. Disclosures should therefore only be made where either consent
exists or an exemption procedure can be properly employed.
As a futher control to discourage requests for disclosures which are not
mandatory to fufil from whatever source it should be noted there is nothing
in the Act which stops you having a policy which charges a fee for such
requests to cover your costs. After all such administration overheads are
either being paid for indirectly by someone such as tax payers (public
sector) or customers / shareholders (private sector).
Hope this assists
David Wyatt
----- Original Message -----
From: "Steel, Rachael" <[log in to unmask]>
To: <[log in to unmask]>
Sent: Tuesday, September 14, 2004 10:07 AM
Subject: [data-protection] Police Requests
> Does anyone know the process that I should follow when a request comes in
> from the police for personal information on members of staff?
>
> Thanks
>
> Rachael Steel
> Information Management Officer
> Organisational Development
> Telephone: 01375 652500
>
>
> The information in this e-Mail and any attachment(s) are intended to be
> confidential and may be legally privileged. Access to and use of its
> content by anyone else other than the addressee(s) may be unlawful and
> will not be recognised by Thurrock Council for business purposes. Thurrock
> Council cannot accept any responsibility for the accuracy or completeness
> of this message as it has been transmitted over a public network.
>
> Any opinions expressed in this document are those of the author and do
> not necessarily reflect the opinions of Thurrock Council.
>
> Any attachment(s) to this message has been checked for viruses, but please
> rely on your own virus checker and procedures.
>
> If you contact us by e-mail, we will store your name and address to
> facilitate communications.
> ____________________________________________________________________
> This message has been checked for all known viruses by the MessageLabs
> Virus Control Centre. For further information visit
> http://www.messagelabs.com/stats.asp
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> All archives of messages are stored permanently and are
> available to the world wide web community at large at
> http://www.jiscmail.ac.uk/lists/data-protection.html
> If you wish to leave this list please send the command
> leave data-protection to [log in to unmask]
> All user commands can be found at : -
> http://www.jiscmail.ac.uk/help/commandref.htm
> (all commands go to [log in to unmask] not the list please)
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
http://www.jiscmail.ac.uk/help/commandref.htm
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|