There is a whole heap of difference between "consulting" with staff
about disclosing their e-mails, and getting their "consent". If you
tell them what you propose to do and why, and they don't lodge a Section
10 "objection to processing notice", then you should disclose the
e-mails to the DSAR. If they have made inappropriate comments in their
professional capacity, they should be held accountable for their
actions. And if employees have been guilty of improper behaviour, you
would be well advised not to be seen as trying to cover this up. In my
experience you have to be seen as not taking sides in disputes between
members of staff to whom you have an equal responsibility. Litigation
is far more likely to come from a DSAR who feels conspired against, than
by an employee whose embarrassing e-mail has been disclosed (especially
when they know their comments were ill-advised or untrue.) You also
have to consider the possibility that your communications regarding the
handling of the DSAR might later become the subject of an FOI request.
Are you really comfortable with the possibility that you might have to
defend the advice you give and decisions you've made?
-----Original Message-----
From: This list is for those interested in Data Protection issues
[mailto:[log in to unmask]] On Behalf Of Simon Macaulay
Sent: 23 June 2005 14:47
To: [log in to unmask]
Subject: Re: [data-protection] Internal staff SAR
Hi ian,
I would have thought a policy is necessary if you are about to search
their accounts instead of them volunteering up the emails themselves.
This would cover the employer against a breach of the Human rights Act
where employees who 'expect' a right to privacy will claim a breach of
HRA if they were never aware that their emails could be searched.
That's my reading of the need for a policy.
Also... surely consent is needed before disclosing the personal data of
a third party where it is caught up in the area of information requested
by the subject? I know there is no absolute directive to have consent
before releasing data but no-one in their right minds is going to risk
this scenario unless they want a posse of disgruntled third party
employees serving law suits. Unless of course it's in extraordinary
circumstances... or perhaps as your inferring Ian, someone who is an
employee and therefore it's possible to consider it 'reasonable' to
disclose their PD without consent?
Simon.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving message please send to the list
owner
[log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving message please send to the list owner
[log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|