Apologies in advance for getting into the detail of the Data Protection
Act, but I have a query about being able to comply with some elements of it
when dealing with electronic records and ERMS's.
My query concerns Subsection 14 (1) to (6) of DPA that states:
"If a court is satisfied on the application of a data subject that personal
data of which the applicant is the subject are inaccurate, the court may
order the data controller to rectify, block, erase or destroy those data
and any other personal data in respect of which he is the data controller
and which contain an expression of opinion which appears to the court to be
based on the inaccurate data." (1)
As this seems to apply, "whether or not the data accurately record
information received or obtained by the data controller from the data
subject or a third party," (2) I am interested in how others would approach
doing this with electronic records and whether and how their systems would
permit it if so required.
Is it reasonable to deal with any necessary changes as additions, rather
than being able to selectively alter records and compromise their
integrity: i.e that the correct data should be captured in a new record
that also captures the pre-existing 'accurate,' data, but reflect that
changes have been enforced,- while disposing of the original record, (in a
controlled manner: carried out by an authorised person, provide and audit
trail)?
Admittedly, the likelihood of this being required is rare and I think it is
possible to mitigate against this risk of being ordered to do this by
ensuring that, "the requirements mentioned in paragraph 7 of Part II of
Schedule 1 have been complied with," so that the Court may instead, "make
an order requiring the data to be supplemented by such statement of the
true facts relating to the matters dealt with by the data." (2a).
However it is a question that I've been asked in the context of developing
systems to manage electronic records and I'd be grateful for any views on
this.
Many thanks
Caroline Ives
|