It would depend upon your systems (manual and computerised) for retrieving
data. If for example you are a large organisation with centralised systems
and/or a central database with subdirectories (or similar) or an efficient
cross-referencing system for manual files, you would need very little information
from the DS to be able to service the request. If however the systems are
distributed with little or no linking or cross-referencing, you may need a lot more
info to be able to identify the data. So (as ever) it depends.
The law says you are not obliged to provide the data if you don't have enough
information to be able to find it. But if your system is ultra efficient and
you can identify all the data on that person by their name and address (say)
then you would have to supply everything without further reference to the DS.
A good way of working out whether you need further information from the data
subject would be to ask yourself: "If this request was from the police (s29),
would I be writing back to them for further information to be able to identify
the data subject or the information requested?" If you wouldn't, you
shouldn't be asking the DS for more info.
(yes there is also the problem of whether failure to disclose would prejudice
but I'm trying to simplify the scenario)
Ian B
In a message dated 13/12/04 14:30:25 GMT Standard Time, Gerry.D
[log in to unmask] writes:
> My problem isn't so much the amount to charge for a SAR (it's a tenner if
> we choose to levy it) but the information I need to service one. Under FoI we
> are entitled to refer back to the applicant if we have insufficient info to
> service their request.
>
> What do we do now with a DPA 'give me everything you've got on me' type of
> request? Are we entitled to insist on a narrower scope (7(3)) and delay
> compliance until we have it? What if the data subject simply says 'No I won't
> refine my request', - I want everything! - My understanding is that they are
> absolutely entitled to do that if they so wish. Whilst we are entitled to seek
> what we 'reasonably require' to service the request, I see no provision
> within section 7 that obliges the data subject to enter into negotiation on the
> matter.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving message please send to the list owner
[log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|