davidwyatt on 15 September 2004 at 00:51 said:-
> 5: Also consider how you file the requests so it is not part
> of a relevant
> filing system as the request document itself is not
> necessarily exempt from
> subject access. I would state that a record of the request
> should be held by
> the Data Protection officer only in a dtate order file and
> not linked with
> HR files. I would advise that HR should not record a request has been
> received on employee files. This prevent arguments of data
> being unfairly
> collected or being excessive to its purpose. A request does
> not mean the
> employee has been proven guiilty of any offence. HR depts should have
> policies which covers employee obligations to keep them informed as
> employers of any facts material to continued employement.
Using this type of filing system could have a useful side effect worth
noting; post Durant an argument would be available that the data controller
will not have to respond to a SAR indicating information had been passed to
somebody under an exemption.
The files about exemptions access could effectively remain secret forever.
Ian W
> -----Original Message-----
> From: This list is for those interested in Data Protection
> issues [mailto:[log in to unmask]] On Behalf Of davidwyatt
> Sent: 15 September 2004 00:51
> To: [log in to unmask]
> Subject: Re: Police Requests
>
>
> Rachel
>
> Some observations which may assist
>
> The Association of Chief Police Officers have a Data
> Protection Code of
> Practice which covers their recommended standards for the
> various UK Police
> forces to follow. These should cover the controls which exist
> at their end
> in the officers originating requests obtaining authorised
> request forms for
> submission to data controllers when seeking data.
>
> The receiving controller should be looking at ensuring their
> procedures fit
> with section 29(3) of the Act ensuring that the request and
> any intended
> disclosure are relevant. Factors which should be considered.
> 1: There should be a declaration from the Police that a criminal
> investigation being undertaken into the person about whom the data is
> requested.
> 2:: The declaration should state whether in the requestors
> view a failure to
> disclose would predjudice their investigation. Enough
> information should be
> given to permit the controller to assess if a failure to
> supply would be
> prejudicial to the investigation..
> 3: An assessment should be made by the controller as to whether their
> failure to disclose would prejudice the investigation.
> Note that requests orginated under a section 29(3) are not
> mandatory to
> fufil.
> 4: The request should be in writing as it may be needed by
> way of evidence
> to support your disclosures should any subsequent challenge
> arise from a
> data subject regards improper disclosure. Holding this
> evidence protects the
> disclosee from section 55 offences.
> 5: Also consider how you file the requests so it is not part
> of a relevant
> filing system as the request document itself is not
> necessarily exempt from
> subject access. I would state that a record of the request
> should be held by
> the Data Protection officer only in a dtate order file and
> not linked with
> HR files. I would advise that HR should not record a request has been
> received on employee files. This prevent arguments of data
> being unfairly
> collected or being excessive to its purpose. A request does
> not mean the
> employee has been proven guiilty of any offence. HR depts should have
> policies which covers employee obligations to keep them informed as
> employers of any facts material to continued employement.
>
> Under DPA a Data controllers security obligations are to their data
> subjects. Disclosures should therefore only be made where
> either consent
> exists or an exemption procedure can be properly employed.
>
> As a futher control to discourage requests for disclosures
> which are not
> mandatory to fufil from whatever source it should be noted
> there is nothing
> in the Act which stops you having a policy which charges a
> fee for such
> requests to cover your costs. After all such administration
> overheads are
> either being paid for indirectly by someone such as tax payers (public
> sector) or customers / shareholders (private sector).
>
> Hope this assists
>
> David Wyatt
>
> ----- Original Message -----
> From: "Steel, Rachael" <[log in to unmask]>
> To: <[log in to unmask]>
> Sent: Tuesday, September 14, 2004 10:07 AM
> Subject: [data-protection] Police Requests
>
>
> > Does anyone know the process that I should follow when a
> request comes in
> > from the police for personal information on members of staff?
> >
> > Thanks
> >
> > Rachael Steel
> > Information Management Officer
> > Organisational Development
> > Telephone: 01375 652500
> >
> >
> > The information in this e-Mail and any attachment(s) are
> intended to be
> > confidential and may be legally privileged. Access to and use of its
> > content by anyone else other than the addressee(s) may be
> unlawful and
> > will not be recognised by Thurrock Council for business
> purposes. Thurrock
> > Council cannot accept any responsibility for the accuracy
> or completeness
> > of this message as it has been transmitted over a public network.
> >
> > Any opinions expressed in this document are those of the
> author and do
> > not necessarily reflect the opinions of Thurrock Council.
> >
> > Any attachment(s) to this message has been checked for
> viruses, but please
> > rely on your own virus checker and procedures.
> >
> > If you contact us by e-mail, we will store your name and address to
> > facilitate communications.
> > ____________________________________________________________________
> > This message has been checked for all known viruses by the
> MessageLabs
> > Virus Control Centre. For further information visit
> > http://www.messagelabs.com/stats.asp
> >
> > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > All archives of messages are stored permanently and are
> > available to the world wide web community at large at
> > http://www.jiscmail.ac.uk/lists/data-protection.html
> > If you wish to leave this list please send the command
> > leave data-protection to [log in to unmask]
> > All user commands can be found at : -
> > http://www.jiscmail.ac.uk/help/commandref.htm
> > (all commands go to [log in to unmask] not the list please)
> > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> All archives of messages are stored permanently and are
> available to the world wide web community at large at
> http://www.jiscmail.ac.uk/lists/data-protection.html
> If you wish to leave this list please send the command
> leave data-protection to [log in to unmask]
> All user commands can be found at : -
> http://www.jiscmail.ac.uk/help/commandref.htm
> (all commands go to [log in to unmask] not the list please)
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
http://www.jiscmail.ac.uk/help/commandref.htm
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|