A couple of observations: the Data Subject can sue the organisation if he or
she can prove damage has been caused. The Commissioner's staff will almost
certainly tell the organisation to comply if the subject makes a request for
assessment, and if the organisation refuses and basically tells the IC to
get knotted, that's probably the kind of thing that might prompt
consideration of enforcement. Recalcitrant data controllers can get away
with so much, but if they thumb their noses at the IC in such a way as he
can't ignore it, he might well react.
This may be a naïve comment, but few organisations like to know that they
are explicitly ignoring their legal obligations, so in my experience a bit
of bullying works wonders. Threaten to sue. Threaten them with the IC - not
everyone knows that his powers are somewhat deficient. The company concerned
often finds that they had - shock horror - simply mislaid the original
request.
And if you'll forgive a bit of classic Data Protection Officer pedantry, I
don't think that it now seems like this - it's been this way since the Act
came in.
Tim Turner
Data Protection / FOI Officer
Legal and Property Services
Wigan Council
-----Original Message-----
From: This list is for those interested in Data Protection issues
[mailto:[log in to unmask]] On Behalf Of Nigel Roberts
Sent: Mon 30 April 2007 13:18
To: [log in to unmask]
Subject: [data-protection] Failure to respond within statutory timescale to
Subject Access Request
s.7 of the UK Act allows a Data Subject to make a Subject Access Request. A
similar provision exists in the Guernsey Law.
There is a 40 day statutory deadline.
A person has served such a request.
What are the legal and practical consequences of /not/ replying within the
statutory timescale
It now seems that there is no effective sanction for this breach unless the
Commissioner can be persuaded to issue an enforcement notice. This is likely
to take time
Has anyone on the Data Protection list been in this situation (on either
side)??
What practical steps can this person take?
What liabilities (both theoretical and in reality) does the non-compliant
company or organisation likely to suffer.
I'd be grateful for any comments at all.
Nigel
PS: For the purposes of thism I am going to make the assumption that the UK
and Guernsey statutory provisions are practically the same, so I suspect
that the place of establishment of the company or Data Protection
Registration doesn't really come into it, but I have cc'd this to Data
Protection Commissioner, and will post anything I get back which highlights
any differences.
--
Nigel Roberts, CEO
Island Networks Group, Alderney, Guernsey GY9 3JZ
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask] All user commands
can be found at http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving messages please send to the list
owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your
needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|