Paul,
I agree with the second point. My understanding of the first is that the data subject (the person being screened) did not know the screening company so there is no relationship for a fpn or a pn to be issued.

To be sure, the company doing the hiring may need to alert them to screening and vetting as part of the application process. However, I am not sure they need to beyond stating that candidates beyond a certain stage or in a specific field (children) may be vetted.   Aside from that, they do not need to explain sources and methods.

In effect, most job application forms will make reference to this possibility, but they may be lacking.

Best

Lawrence


Lawrence W. Serewicz
Principal Information Management Officer
Room 4/140
Durham County Council
DH1 5UF
0191-372-8371


----- Original Message -----
From: This list is for those interested in Data Protection issues <[log in to unmask]>
To: [log in to unmask] <[log in to unmask]>
Sent: Mon Nov 22 14:55:56 2010
Subject: Re: [data-protection] Screening companies using publicly available information

Lawrence,

I take the point, but I think in this case the onus lies on the Data
Controller who, for the purposes of this question, is to my mind the
organisation that commissions the screening to be carried out.  They must
already have contact with the Data Subject(s), because otherwise they would
not know who they wanted to screen.  Therefore they are in a position to
issue a FPN before they commission the screening, and I believe this is what
they should do.

The wider issue of how privacy can or should be sufficiently protected, and
by whom, in an interconnected world is perhaps a topic for another day.

Paul

Paul Ticher
0116 273 8191
22 Stoughton Drive North, Leicester LE5 5UB


----- Original Message -----
From: "Lawrence Serewicz" <[log in to unmask]>
To: "'Paul Ticher'" <[log in to unmask]>; <[log in to unmask]>
Sent: Monday, November 22, 2010 1:15 PM
Subject: RE: [data-protection] Screening companies using publicly available
information


Paul,
I can see the point you are making, but personal information in the public
domain is on a continuum rather than an absolute.

For example, the overall success of the UK government in UK league tables or
the GDP effect would be the personal information of the PM.  He is, after
all, responsible for the government at the time and the information within
those reports, when link to information in the hands of other data
controllers, would identify him.

Moving from the Macro level to the micro level, we still have the same
issue. If the local council publishes, under the transparency agenda, the
performance information for a service that someone is responsible for, then
it would be their personal information.

The challenge in the public sphere (for personal information) is whether the
personal information has entered the public sphere through he intent or
consent of the data subject.  For example, I would expect that anything I
put on my public profile on facebook would enter the public domain.
However, I would not expect a list of my most recent library books to be in
the public domain.  The intent and purpose of that transaction is private.
The intent and purpose of my public profile is, well, public.

Take for example, the decision to change one's name by deed poll.  Our names
would be personal information but we are making that public information as
part of the deed poll. The intent and purpose are public even thought it
could be classed as personal information.  By contrast, someone's username
and avatar on War Quest, although public, is for intent and purpose private.

The political philosophical problem of private and public, at least in the
UK, is that the public and private spheres are not well defined, in part
because of the political regime which shapes the laws, as it is in
republics.  This  is not to say that republics are superior to
constitutional monarchies, it is only to say (at least from a political
philosophically) that republics have a clearer notion of the two spheres and
how they interact.  [I am putting the point quite crudely as there are huge
discussions around public and private within communitarianism and the
understanding of identity within a republic.]

What is the underlying problem is not the initial use, or even the secondary
use.  What is problematic is that third use.  In this scenario, how can a
first order data controller offer a FPN or a PN that can cover the 3rd party
use?  For example, if I publish information on my public profile on
Facebook.  How can facebook deal with or follow up on a third order usage?
The only way to do this would be to start delimiting the internet so that
information published in one platform or on one platform can only be used on
that platform.  However, that solution runs counter to the idea of the
internet and open and linked data.

If personal data in the public domain is to be protected (still an open
question whether it should be protected) it will require a sea change in how
Fair Processing Notices or Privacy Notices are enforced and the clarity
around the data subject's ability to enforce their data rights in the public
domain is improved.  Furthermore, the data subject needs to be given the
ability to enforce their own data rights. As it stands now the privacy
notices can help police this type of data aggregation but it will not
restrain it much until the law (and its enforcement) catch up with the
technology.

Best,

Lawrence

Principal Information Management Officer
Durham County Council
Room 4/140
County Hall
County Durham
DH1 5UF

0191-372-8371





-----Original Message-----
From: This list is for those interested in Data Protection issues
[mailto:[log in to unmask]] On Behalf Of Paul Ticher
Sent: 22 November 2010 12:27
To: [log in to unmask]
Subject: Re: [data-protection] Screening companies using publicly available
information

There are a number of points here.

1)    Personal data that is in the public domain is still personal data.
Therefore all the Principles and Data Subject rights apply as well as the
possible obligation to issue Data Subjects with a privacy notice.



Help protect our environment by only printing this email if absolutely
necessary. The information it contains and any files transmitted with it are
confidential and are only intended for the person or organisation to whom it
is addressed. It may be unlawful for you to use, share or copy the
information, if you are not authorised to do so. If you receive this email
by mistake, please inform the person who sent it at the above address and
then delete the email from your system. Durham County Council takes
reasonable precautions to ensure that its emails are virus free. However, we
do not accept responsibility for any losses incurred as a result of viruses
we might transmit and recommend that you should use your own virus checking
procedures.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
     All archives of messages are stored permanently and are
      available to the world wide web community at large at
      http://www.jiscmail.ac.uk/lists/data-protection.html
     If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
 Any queries about sending or receiving messages please send to the list owner
              [log in to unmask]
  Full help Desk - please email [log in to unmask] describing your needs
        To receive these emails in HTML format send the command:
         SET data-protection HTML to [log in to unmask]
   (all commands go to [log in to unmask] not the list please)
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^


Help protect our environment by only printing this email if absolutely necessary. The information it contains and any files transmitted with it are confidential and are only intended for the person or organisation to whom it is addressed. It may be unlawful for you to use, share or copy the information, if you are not authorised to do so. If you receive this email by mistake, please inform the person who sent it at the above address and then delete the email from your system. Durham County Council takes reasonable precautions to ensure that its emails are virus free. However, we do not accept responsibility for any losses incurred as a result of viruses we might transmit and recommend that you should use your own virus checking procedures.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
     All archives of messages are stored permanently and are
      available to the world wide web community at large at
      http://www.jiscmail.ac.uk/lists/data-protection.html
     If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
 Any queries about sending or receiving messages please send to the list owner
              [log in to unmask]
  Full help Desk - please email [log in to unmask] describing your needs
        To receive these emails in HTML format send the command:
         SET data-protection HTML to [log in to unmask]
   (all commands go to [log in to unmask] not the list please)
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^