Thanks for that. I take your points.
I think there are two situations:
* the employee is clearly an agent of the Data Controller where they
are carrying out their job functions. If I send an e-mail on behalf of my
employer, that is not my personal data. If I make a SAR to my employer, I
would not expect to see copies of all the e-mails I had sent on my
employer's behalf.
* the employee is clearly a Data Subject in respect of their
relations with their employer. If I send an e-mail to my manager requesting
annual leave, that is personal data about me, and I would expect to see it
if I make a SAR.
There is a potential grey area where an employee is expressing personal
opinions, either about colleagues or people outside the organisation, but I
think it is usually possible to come down on one side or the other:
* Manager making comments in an appraisal: agent
* Colleague complaining about bullying or other inappropriate
behaviour: Data Subject
* and so on
What I hadn't properly realised was the absence of the term 'third party'
from s.7. I'll have to think about that.
Paul Ticher
0116 273 8191
www.paulticher.com
22 Stoughton Drive North, Leicester LE5 5UB
----- Original Message -----
From: "Baines, Jonathan" <[log in to unmask]>
To: "Paul Ticher" <[log in to unmask]>; <[log in to unmask]>
Sent: Friday, October 07, 2011 12:19 PM
Subject: RE: [data-protection] Subject Access/Health & Safety Query
Can't agree with the first paragraph. Just because a person is employed by
and acting on behalf of a data controller cannot mean they are not "another
individual" under s7(4).
The ICO's guidance deals with this to an extent where it says "Responding to
such subject access requests may involve providing information relating to
another individual (a 'third party individual'). For instance, if the
requested information is a personnel file on an employee, it may contain
information identifying managers or colleagues who have contributed to (or
are discussed in) that file. This may lead to a conflict between the
requesting employee's right of access and the third party's rights over
their own personal information."
(http://www.ico.gov.uk/for_organisations/data_protection/~/media/documents/library/Data_Protection/Detailed_specialist_guides/SAR_AND_THIRD_PARTY_INFORMATION_100807.ashx)
By your argument the manager or colleague are only an agent of the data
controller and don't have those third party rights over their own personal
information.
Surely the need to consult every member of staff before releasing
information in response to a SAR is obviated by 7(4)(b).
Jonathan Baines
Legal and Democratic Services
Buckinghamshire County Council
01296 383681
-----Original Message-----
From: This list is for those interested in Data Protection issues
[mailto:[log in to unmask]] On Behalf Of Paul Ticher
Sent: Friday 07 October 2011 10:42
To: [log in to unmask]
Subject: Re: [data-protection] Subject Access/Health & Safety Query
I don't think a member of staff is a third party if they are acting in the
course of their employment. They are an agent of the Data Controller.
(Otherwise, you would have to consult every member of staff who had
contributed to a record before making any Subject Access release.)
Also, you can't delete the comment before responding to the Subject Access
Request, unless this would have happened anyway as a matter of routine.
I can't see an alternative to releasing the information. My best suggestion
is a heavy duty warning to the Data Subject that any retaliatory action will
get them into a heap of trouble.
Paul Ticher
0116 273 8191
www.paulticher.com
22 Stoughton Drive North, Leicester LE5 5UB
----- Original Message -----
From: "Piers Margetts" <[log in to unmask]>
To: <[log in to unmask]>
Sent: Thursday, October 06, 2011 3:32 PM
Subject: Re: Subject Access/Health & Safety Query
There is some really good guidance and examples in the recent guidance
document issues by the ICO about releasing information in complaint files
which can be found at
http://www.ico.gov.uk/~/media/documents/library/Data_Protection/Practical_application/access_to_information_held_in_complaint_files.ashx
Big difficulty as you have said is that the person recording the comment is
in a public facing role and their identity would reasonably be known
irrespective of whether you redact any names. You could go down the consent
route, if the author does not give consent and they have real concerns as to
their safety, then you could argue that it is not reasonable in all
circumstances to release in the absence of consent. My view is that unless
there is very real evidence that releasing this information will endanger
the author I believe that you have no option but to release it.
Piers
From: This list is for those interested in Data Protection issues
[mailto:[log in to unmask]] On Behalf Of Steve Hunter
Sent: 06 October 2011 14:41
To: [log in to unmask]
Subject: [data-protection] Subject Access/Health & Safety Query
Hi all
Need your help/views on a potential scenario.
Customer X is currently going through a complaint and as a result he is
refusing to pay for his services. During the investigation and processing of
his complaint, the individual has become irate with the way his request has
been handled and has visited our premises on several occasions appearing
angry and demanding to speak to senior managers - who have had to cool him
down. This behaviour has been reflected in his phone calls to our
Income/Finance team who are dealing with his bill. At times, calls have had
to be terminated. On one day he spoke with an employee and there was an
exchange about his unpaid bill. Following the telephone conversation, the
member of staff on her file note suggests that the 'customer is arrogant'.
Surprise, surprise - Customer X submits a Subject Access request. Due to his
previous behaviour, the service manager and the manager who met with him on
the last occasion are concerned (due to his previous behaviour) that he
could pose a health and safety risk to the author of the comment. I'm of the
view that no exemption under the DPA or the wording of Section 7-9 offers us
any help in this case, however the Service Manager and our H&S Officer are
keen to see the duty to protect the H&S of the employee override the access
rights of individual and suggest that this comment should be redacted. Is
there anything under the Act that could allow for this? I am under the
impression there isn't and I feel that the information should be disclosed.
After all, staff are advised not to make such comments.
Redacting the name of the employee is futile, as the individual will know
who he has spoken to at the time.
Any thoughts?
Could the individual serve a Section 10 notice due to the potential damage
to them or the distress/fear of reprisals?
Thanks
Steve
________________________________
All archives of messages are stored permanently and are available to the
world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
Selected commands (the command has been filled in below in the body of the
email if you are receiving emails in HTML format):
* Leaving this list: send leave data-protection to
[log in to unmask]<mailto:[log in to unmask]&BODY=LEAVE%20data-protection>
* Suspending emails from all JISCMail lists: send SET * NOMAIL to
[log in to unmask]<mailto:[log in to unmask]&BODY=SET%20*%20NOMAIL>
* To receive emails from this list in text format: send SET
data-protection NOHTML to
[log in to unmask]<mailto:[log in to unmask]&BODY=SET%20data-protection%20NOHTML>
* To receive emails from this list in HTML format: send SET
data-protection HTML to
[log in to unmask]<mailto:[log in to unmask]&BODY=SET%20data-protection%20HTML>
All user commands can be found at
http://www.jiscmail.ac.uk/help/commandref.htm and are sent in the body of an
otherwise blank email to
[log in to unmask]<mailto:[log in to unmask]>
Any queries about sending or receiving messages please send to the list
owner
[log in to unmask]<mailto:[log in to unmask]>
(Please send all commands to
[log in to unmask]<mailto:[log in to unmask]> not the list or the
moderators, and all requests for technical help to
[log in to unmask]<mailto:[log in to unmask]>, the general office
helpline)
________________________________
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at
http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving messages please send to the list
owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your
needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at
http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving messages please send to the list
owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your
needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Buckinghamshire County Council
Visit our Web Site : http://www.buckscc.gov.uk
Buckinghamshire County Council Email Disclaimer
This Email, and any attachments, may contain Protected or Restricted
information and is intended solely for the individual to whom it is
addressed. It may contain sensitive or protectively marked material and
should be handled accordingly. If this Email has been misdirected, please
notify the author or [log in to unmask] immediately. If you are not
the intended recipient you must not disclose, distribute, copy, print or
rely on any of the information contained in it or attached, and all copies
must be deleted immediately. Whilst we take reasonable steps to try to
identify any software viruses, any attachments to this Email may
nevertheless contain viruses which our anti-virus software has failed to
identify. You should therefore carry out your own anti-virus checks before
opening any documents.
Buckinghamshire County Council will not accept any liability for damage
caused by computer viruses emanating from any attachment or other document
supplied with this email.
All GCSx traffic may be subject to recording and / or monitoring in
accordance with relevant legislation.
The views expressed in this email are not necessarily those of
Buckinghamshire County Council unless explicitly stated.
This footnote also confirms that this email has been swept for content and
for the presence of computer viruses.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|