My observations

Original recommendations in the concepts of control of such requests within 
Police forces used to include control of the booking out of the 29(3) forms 
to the investigating officers enabling a clear audit trail on authenticating 
requests. However I understood that ACPO in practice provide guidance but 
cannot necessarily 'enforce' its application across the different forces.  I 
do know that the design of Section 29 request forms was under review in the 
Merseyside Police area as they were seeking any observations on content from 
our organisation as a recipient.

One of the forms purposes is to provide an evidential trail for recipients 
to evidence they were acting in good faith in supplying data because it was 
being requested for one of the investigatory purposes the legislation never 
intended frustrate. What should be required is authenticating the sender as 
being employed within the relevant organisation (data controller) claiming 
the remits of access ie Crime prevention, Tax assessment etc.  If that 
individual is making a misleading request ie they are not being authoriseed 
by their employer then they are subject to Section 55 offences and their 
employers security procedures in controlling requests made in their name 
needs examination. The receiver of the form (supplier of data) should be in 
the clear as long as they check the source data controller employs the 
requestor.

To my mind it is therefore irrelevant if the requestor is a civillian 
employee of the Police authorities. In using the form they are acting on 
behalf of the requesting data controller with the controller being 
vicariously liable for their actions. The responsibility for controlling the 
requestor lies with the employer as the data controller. Recipients have no 
direct way of checking signatures on any forms received.

Id observe that the receipient needs to preserve their evidential trails due 
to their obligations to their own employees by using good document 
management to ensure all forms received (along with their associated 
policies on disclosure and staff training procedures on Section 29 handling) 
are accessible in case of later dispute. This enables them to evidence they 
acted in good faith in the information supply. The recipients procedures 
should be trying to protect their own employees from section 55 offences, ie 
exceeding their authority in disclosing.

A recipient data controller can after all refuse any access under section 29 
if their management policies so dictate thereby protecting their employees 
from section 55 offences, their data subjects privacy and also saving money 
on administrative processes.

David Wyatt





----- Original Message ----- 
From: "Christopher Spray" <[log in to unmask]>
To: <[log in to unmask]>
Sent: Friday, January 06, 2006 8:14 PM
Subject: Re: [data-protection] Section 29(3)


> Gerry, the form used by many police forces (originally agreed for use with
> ISPs but adopted more generally and updated) states that the form must be
> signed by the  requesting officer and countersigned by a senior officer of
> rank no lower than Inspector.
>
> From personal experience I would not accept a request from a civilian
> employee - I have had experience of a civilian employee trying to make a
> request in order to conduct her own investigation into a crime against her
> father (identified before the request was granted)!
>
> I can't seem to find an up to date version of the form - the original
> template (albeit in its DPA 1984 guise) is here to give you an idea...
> http://duncan.gn.apc.org/DPAFORM.htm.  I think the more up to date 
> versions
> include a confirmation that failure to provide the information would be
> likely to prejudice the investigation (to give you assurance under the
> S29(3) requirements for disclosure).
>
> Don't forget though that any such request is no more than that ..a
> request..and you are not obliged to comply.
>
> Chris
>
>
> -----Original Message-----
> From: This list is for those interested in Data Protection issues
> [mailto:[log in to unmask]]On Behalf Of Gerry Dane
> Sent: Friday, January 06, 2006 3:00 PM
> To: [log in to unmask]
> Subject: [data-protection] Section 29(3)
>
> Have received a Section 29(3) request form.
>
> Question: Does a civilian employee of the police have any powers of
> investigation in relation to crime? ie Can they properly leverage the
> exemption via this device, or does it have to be a warranted officer?
>
> I'm intending to get the thing countersigned by a senior officer - but
> once again can it be a senior civilian officer or does it have to be a
> 'proper copper'.
>
> Thanks,
>
> Gerry.
>
> Mr.G.Dane
> University of Newcastle
> Email: [log in to unmask]
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>       All archives of messages are stored permanently and are
>      available to the world wide web community at large at
>      http://www.jiscmail.ac.uk/lists/data-protection.html
>      If you wish to leave this list please send the command
>       leave data-protection to [log in to unmask]
>            All user commands can be found at : -
>        http://www.jiscmail.ac.uk/help/commandref.htm
> Any queries about sending or receiving message please send to the list 
> owner
>              [log in to unmask]
>  (all commands go to [log in to unmask] not the list please)
>   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>       All archives of messages are stored permanently and are
>      available to the world wide web community at large at
>      http://www.jiscmail.ac.uk/lists/data-protection.html
>      If you wish to leave this list please send the command
>       leave data-protection to [log in to unmask]
>            All user commands can be found at : -
>        http://www.jiscmail.ac.uk/help/commandref.htm
> Any queries about sending or receiving message please send to the list 
> owner
>              [log in to unmask]
>  (all commands go to [log in to unmask] not the list please)
>   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
       All archives of messages are stored permanently and are
      available to the world wide web community at large at
      http://www.jiscmail.ac.uk/lists/data-protection.html
      If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
            All user commands can be found at : -
        http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving message please send to the list owner
              [log in to unmask]
  (all commands go to [log in to unmask] not the list please)
   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^