What normally happens in this instance is that the investigation company
that is instructed is not instructed in accordance with the DPA, i.e. the
Data Controller and Data Processor legal relationship is not created. The
DPA is quite specific: "evidenced in writing". I have argued for a long
time that if that legal relationship is not created then breaches of DP
take place. The investigator is in possession of personal data so he is
processing it. What condition has he satisfied from schedule 2? Breach
of 1st principle. The relationship has not been created so he is
determining what processing takes place so he is a data controller. Has
he notified the commissioner? No? Criminal offence Part 3 section 17. He
is in possession of data that he is not entitled to therefore it can't be
secure because it is somewhere it shouldn't be. Breach of principle 7.
He shouldn't have it, how therefore can it be being processed with the
data subject's rights in mind? Breach of principle 6. It is being
processed for a purpose other than was intended, breach of principle 2.
He shouldn't have it in the first place so he is keeping it longer than
is necessary, breach of 5th principle.
I am suggesting that in most authorities those breaches and others are
happening every single day when you instruct an external agency to track
down debtors, investigate fraud, collect rate arrears.
Even if you instruct them in accordance with DPA, have you ensured that
the processor understands the DPA? It is your responsibility. Most of
them don't have the first idea.
Chris Brogan
Managing Director
Security International Ltd
130 St Johns Road, Isleworth, Middlesex TW7 6PL, UK
Tel: +44 20 8847 2111 Fax: +44 20 8847 1852
Registered in England & Wales No. 1322074
Registered Office: 11 Loveday Road, London W13 9JT
www.securitysi.com
-----Original Message-----
From: This list is for those interested in Data Protection issues
[mailto:[log in to unmask]] On Behalf Of Kate McGinlay
Sent: 23 November 2006 16:01
To: [log in to unmask]
Subject: Re: Data Protection Act - Section 29 <fwd>
--- Begin Forwarded Message ---
Date: Thu, 23 Nov 2006 15:45:09 +0000
From: [log in to unmask]
Subject: RE: Data Protection Act - Section 29
Sender: [log in to unmask]
To: Chris Brogan <[log in to unmask]>
Reply-To: [log in to unmask]
Message-ID: <[log in to unmask]>
Wow! Chris, that is really informative. What about Local authorities and
authorities who farm out the fraud detection roles to third party
investigative companies? Could you argue that even with the defences of
section 29, an organisation could be in breach by collecting such data,
or processing such data for another purpose like this?
How widespread is it, and should this worry the average man in the
street, that ACME investigations has their file? Even if they are using
their powers supposedly for fraud. Is there not a real risk that by
giving personal data to persons who are totally unqualified to conduct
an investigative function could easily clone such identities? Is it
therefore not a massive risk to give out data to organisations under
section 29, so that as Chris says we must only deal with Police?
What then happens to all of these agencies who are set up, presumably
to save Police time shuffling paper?
Best wishes to all
Legal Compliance
King's College London
On Thu, 23 Nov 2006 15:36:56 -0000 Chris Brogan
<[log in to unmask]> wrote:
> Many non police organizations conduct criminal investigations. The
> recommended skills for Private Investigators include conduct of criminal
> investigations. The British retail Crime association advise their
> members on criminal investigations. Civilian powers of arrest have
> recently been reviewed. Telecom companies conduct their own
> investigations and then present their evidence to the police. Royal Mail
> with no more authority than the man in the street conduct their own
> criminal investigations and prosecutions. There are many more examples.
> Should you respond to a section 29 request from them? Now that is a
> tricky one. If it goes pear shaped where does that leave you? If a
> private investigator makes a section 29 request I suggest you ask why he
> is doing it. Shouldn't it be the Data controller his client? If he makes
> the request without the sanction of his client has he now determined
> that processing and taken on the mantle of Data Controller? If he has
> which condition in schedule 2 has he satisfied? If as I suspect he
> hasn't then surely there is a breach of DPA at least Principle 1,
> probably 2, could argue a breach of 6, most certainly 7? If you respond
> in these circumstances are you being reckless? Would this be a section
> 55 offence? If Richard Thomas gets his way and this happens in 2 years
> time could you end up in the pokey for 2 years?
> Who said DP was boring?
> May I suggest that you only respond to law enforcement section 29
> requests.
>
> Chris Brogan
> Managing Director
> Security International Ltd
> 130 St Johns Road, Isleworth, Middlesex TW7 6PL, UK
> Tel: +44 20 8847 2111 Fax: +44 20 8847 1852
> Registered in England & Wales No. 1322074
> Registered Office: 11 Loveday Road, London W13 9JT
> www.securitysi.com
> -----Original Message-----
> From: This list is for those interested in Data Protection issues
> [mailto:[log in to unmask]] On Behalf Of Legal Compliance at KCL
> Sent: 23 November 2006 14:46
> To: [log in to unmask]
> Subject: Data Protection Act - Section 29
>
> Dear all,
>
> I was wondering if many of the other organisations often receive
> requests under section 29 of the DPA.
>
> If so, I would just like to see what your views are, and whether you
> feel this moves some of the administrative burden for criminal
> investigations onto the public sector. How appropriate do you feel this
> is, that certain 'low level' investigations are undertaken by persons
> who have otherwise nothing to do with the Police (I hope).
>
> Best wishes
>
> Legal Compliance
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> All archives of messages are stored permanently and are
> available to the world wide web community at large at
> http://www.jiscmail.ac.uk/lists/data-protection.html
> If you wish to leave this list please send the command
> leave data-protection to [log in to unmask]
> All user commands can be found at : -
> http://www.jiscmail.ac.uk/help/commandref.htm
> Any queries about sending or receiving message please send to the list
> owner
> [log in to unmask]
> To receive these emails in HTML format send the command:
> SET data-protection HTML to [log in to unmask]
> (all commands go to [log in to unmask] not the list please)
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
----------------------
[log in to unmask]
--- End Forwarded Message ---
----------------------
[log in to unmask]