Concerning the issue of whether there is a separate 40 day 'consent' clock, when I raised this matter with the Information Commissioner's Office earlier this year the response was that this interpretation is likely to be inaccurate and they could find no circumstances in which other additional forty day periods might apply.
Their view is that at the end of the 40 day period, if you have not received consent you need to make a decision whether to disclose without such consent. However, they did suggest that it would be perfectly proper to explain to a data subject that additional relevant information may be available in a short time - thus allowing them to submit a second request at a later date.
Colin Atkinson
Data Protection Officer
University of Leicester
-----Original Message-----
From: This list is for those interested in Data Protection issues
[mailto:[log in to unmask]]On Behalf Of Ian Welton
Sent: 01 October 2004 11:29
To: [log in to unmask]
Subject: Re: Third party response consent. Was - RE: SAR and compliance
calendar days
Ian Mansbach on 01 October 2004 at 10:31 said:-
> Perhaps my reference to an SAR clock was confusing. All
> clocks start when
> one receives the SAR or, if later, when one has both the fee and the
> information referred to in s7(3). And they all finish 40 days
> after that.
> That is clear from s7(8) and s7(10).
>
> So, if the clocks run in parallel, why have two or, potentially, more
> clocks? My interpretation (and I'm uncertain that it is what Jay and
> Hamilton meant) is that each clock runs with its own
> promptness obligation.
> In other words, you don't delay complying with the SAR on the
> non-consent
> stuff if you are still waiting for consent for third party
> information. In
> that way, if you do not get consent (and it remains reasonable not to
> provide the data without consent), you have complied with the
> obligation to
> comply with the SAR promptly. But, as I have said before, others may
> interpret this differently.
I agree.
Considering this over the last few days, and digging deep into my memory, I
do recall that the ICO's office saying in the past that if they received a
complaint about tardiness on a partial response where the reason given was
awaiting third party consent, they would look more to the measures taken to
obtain the consent and what would be a reasonable time to achieve that,
rather than any self imposed forty day clock commencing on the date it was
recognised consent may be needed; After all it could be nothing was being
done for 30 of those 40 days.
Having said that. Both views do seem to have some benefits:-
1. The logic of the recognising consent 40 days could provide a much
extended cut off point at which a decision must be taken. (Albeit, dependent
on the actions taken, that could leave the organisation very vulnerable.)
2. An undefined but reasonable period within which to obtain consent, or
determine what action to take in responding with that material. (Which,
dependent on the actions taken, could also leave the organisation
vulnerable.)
It would seem it is probably more important to progress the actions taken to
obtain consent in a timely manner and document them carefully.
Ian W
> -----Original Message-----
> From: This list is for those interested in Data Protection
> issues [mailto:[log in to unmask]] On Behalf Of
> Ian Mansbach
> Sent: 01 October 2004 10:31
> To: [log in to unmask]
> Subject: Re: Third party response consent. Was - RE: SAR and
> compliance calendar days
>
>
> Perhaps my reference to an SAR clock was confusing. All
> clocks start when
> one receives the SAR or, if later, when one has both the fee and the
> information referred to in s7(3). And they all finish 40 days
> after that.
> That is clear from s7(8) and s7(10).
>
> So, if the clocks run in parallel, why have two or, potentially, more
> clocks? My interpretation (and I'm uncertain that it is what Jay and
> Hamilton meant) is that each clock runs with its own
> promptness obligation.
> In other words, you don't delay complying with the SAR on the
> non-consent
> stuff if you are still waiting for consent for third party
> information. In
> that way, if you do not get consent (and it remains reasonable not to
> provide the data without consent), you have complied with the
> obligation to
> comply with the SAR promptly. But, as I have said before, others may
> interpret this differently.
>
> Ian M
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
http://www.jiscmail.ac.uk/help/commandref.htm
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
http://www.jiscmail.ac.uk/help/commandref.htm
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|