Well my expected rain arrived and moved on.
Summary of responses.
One off-line response referred me back to the thread
http://www.jiscmail.ac.uk/cgi-bin/webadmin?A2=ind0407&L=data-protection&P=R19622&I=-1
with the same title which contains relevant material.
1.
> When reviewing published privacy policies, do those responsible for DP
> within organisations match any changes back to any
> notifications/CoP/principles/data subjects?
Annual reviews of data collections conducted. Sounded as if they are mainly
conducted as an aid to maintaining notifications and do generate a lot of
work, which can be seen as a distraction at some points within the
organisation, unless sympathetically linked into some other major change or
business evaluation which may be taking place.
Relatively static processes require less attention.
2.
> If proposed changes to a privacy policy would affect data already
> collected, is reliance placed upon Schedule 1, Part 2, 2(1)(b) with the
> onus on the data subject to notice the policy changes, or are other means
> used?
Reliance to become aware of changes seemed to be mainly placed on the data
subjects, who are informed of this along with other Principle 1 information
when the data is collected.
3.
> What criteria are used to determine the most appropriate route to take?
This question was not directly answered, possibly due to my poor wording.
The question was framed because I have noticed there is little
ability/wish/drive to notify data subjects of changes individually due to
various factors. (Privacy being one of them.)
The media are sometimes utilised to push out major changes. But there does
not seem to be any consensus or identification of an appropriate methodology
for different sectors, data sets, data quantities, or consequences of the
changes.
Some web sites do place additional links on the home page when the on-line
privacy policy changes in the same way that some newspapers publish details
of changes to their own policies within the paper for a set period of time.
I have not noticed any of the relevant broadcasting media notifying changes
in a similar way, an historical issue I suppose, but possibly indicative of
how these matters do not necessarily naturally develop. Organisations where
on-line use of services is limited seem to try to rely upon notification of
the policy during any data subject contact/collection of data.
4.
> What ethical considerations impinge on any deliberations?
Nobody mentioned this directly.
Assuming the ethical stance of the organisation is followed in any
deliberations would indicate a high degree of importance in DPOs reflecting
an organisation's documented code of conduct or statement of intent within
any work produced, as a means of providing some very limited protection for
themselves. i.e. Q. Why was the data subject compromised in that way - A.
Because it is in line with the organisation's stated purpose and code of
conduct.
Perhaps paying some careful/sensitive attention into any of those policy
areas, where possible DP conflict could exist, might be a very beneficial
exercise for all concerned. Of course the CEO would need to be very closely
involved as they would no doubt wish the matters to be properly documented.
Ian W
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^