It's not just alarming it's fundamentally wrong in two significant respects.
Where it is technically right I believe is that "under s7 DPA" the right to have
the source of the data identified does depend on having made an information
SAR as until you identify the personal data the source is not derterminable.
However that is being pernicketty as the letter clearly identifies the personal
data - it does not ask for it because the applicant already knows it - it his his
name and email address. The ICO could reasonably have concluded reading
the letter as a whole that the request under s7(1)(a) and 7(1)(b) could be
implied in this case - after all he often exhorts us to be purposive.
Be that as it may the real problem is that it totally overlooks the existence of
FOIA.
The request for the source is on any interpretation a request for recorded
information and s1 FOIA always applies. Almost certainly the information as to
the source is not personal data (we bought a mailing list from XYZ) and even
if the ICO is technically right that you cannot hang it on a non-existent SAR
the information should be supplied under FOIA.
Secondly the response also totally ignores the DUTY to advise and assist. If
there was a technical difficulty of the type which the ICO asserts, when the
desire of the applicant is abundantly clear, failure to advise the applicant "you
need to do this..." is a clear breach of that duty.
A case of myopia I believe.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|