My goodness, Ian W, you've made me go search out my old text books!
The view is expressed in one of the leading legal authorities, Rosemary Jay
and Angus Hamilton's "Data Protection Law and Practice", in the following
terms:
"Where any of the data are third party data for which consent is being
sought for disclosure a separate 40-day clock ticks for that data only".
My understanding is that the proposition flows from the words in s7(8)
"Subject to subsection (4)...".
In practical terms, this means dividing the response into 2 parts: that
which necessitates third party consent and that which doesn't. Each part
needs to be dealt with promptly and, in any event, within 40 days. In the
case of data which does not require third party consent, it is clear the
clock starts ticking on the day the SAR is received or, if later, the first
day on which the other criteria are met (fee and information to be satisfied
about identity and location of data). There are a number of possible
interpretations as to when information requiring third party consent must be
be supplied. My preferred one is for the clock starting at the same point in
time as for non-consent data and ending 40 days therafter or, if later, the
day consent is received. My reasoning is that once consent is obtained,
relief from the obligation to comply with the SAR granted by s7(4)
evaporates. The obligation to respond in respect of the third party
information kicks in the moment consent is obtained. Others may, of course,
hold different views.
Ian Mansbach
Mansbachs
Data Protection Practitioners
[log in to unmask]
phone: 0871 716 5060
-----Original Message-----
From: This list is for those interested in Data Protection issues
[mailto:[log in to unmask]] On Behalf Of Ian Welton
Sent: 29 September 2004 16:33
To: [log in to unmask]
Subject: [data-protection] Third party response consent. Was - RE: SAR and
compliance calendar days
Ian Mansbach on 29 September 2004 at 14:39 said:-
> It is believed that information which cannot be disclosed without
> first obtaining third party consent according to s7(4) is subject
> to a separate 40
> day period. Accordingly, one should comply with the rest of
> the request
> first and then follow on with information for which one
> subsequently gets
> consent as soon as permission is received for that information.
When would any separate 40 day period start from, and what supports the
belief that may happen?
Ian W
> -----Original Message-----
> From: This list is for those interested in Data Protection issues
> [mailto:[log in to unmask]] On Behalf Of Ian Mansbach
> Sent: 29 September 2004 14:39
> To: [log in to unmask]
> Subject: Re: SAR and compliance calendar days
>
>
> Looking at this solely from a DPA perspective, there is a distinction
> between omissions from an SAR and rectification of inaccurate personal
> data.
>
> S7(8) requires one to comply with an SAR "promptly" and in any event
> within 40 calendar days. The 40 days start on the day the SAR is
> received or, if
> later, the first day on which one has: (1) any required fee,
> and (2) any
> required information needed to (a) to satisfy oneself as to
> the identity of
> the requestor, and (b) to locate the requested data. The
> response must be
> complete to comply. So, if personal data was missing from the initial
> response, the missing data must be found and passed on
> promptly and, in any
> event, within the original 40 day period.
>
> It may be that the 14 day time limit requested takes into account the
> remaining days to comply with the 40 day maximum, or it may be that
> the data subject is granting a concession beyond the original maximum
> period. In
> either event, it is probably reasonable but, if it is not
> possible to comply
> within that time then it would be wise to write explaining
> the situation and
> proposing an alternative date by when you will comply (always
> bearing in
> mind the requirement to respond "promptly").
>
> It is believed that information which cannot be disclosed without
> first obtaining third party consent according to s7(4) is subject
> to a separate 40
> day period. Accordingly, one should comply with the rest of
> the request
> first and then follow on with information for which one
> subsequently gets
> consent as soon as permission is received for that information.
>
> There is no time limit to rectify inaccurate personal data. However,
> given the potential legal remedies, it would be wise to rectify
> data as soon as
> possible and to notify the data subject accordingly.
>
> Ian Mansbach
> Mansbachs
> Data Protection Practitioners
> [log in to unmask]
> phone: 0871 716 5060
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
http://www.jiscmail.ac.uk/help/commandref.htm
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
http://www.jiscmail.ac.uk/help/commandref.htm
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|