Hi Rebecca
I have managed DSARs where this scenario occurred.
The approach I have applied is that whilst the requested of the DSAR is entitled to information held about them by the business, there is a duty of confidentiality due to other employees, whose personal information we of course redact /obfuscate when preparing the DSAR documents.
in particular where an individual has provided information with the expectation that they would be doing so in confidence, Section 7.4 is particularly helpful;
Where a data controller cannot comply with the request without disclosing information relating to another individual who can be identified from that information, he is not
obliged to comply with the request unless-
(a) the other individual has consented to the disclosure of the information to the person making the request, or
(b) it is reasonable in all the circumstances to comply with the request without the consent of the other individual.
As always it is a careful balancing act, and considered evaluation is necessary before any disclosure of another data subject's personal data. It may be that you can disclose the information without disclosing the source. However where it would be obvious to the DSAR requester that the source of the information could only be his colleague then consideration of the confidentiality due to the other employee is necessary. Section 5 is also helpful in this regard;
In subsection (4) the reference to information relating to another individual includes a reference to information identifying that individual as the source of the information
sought by the request; and
that subsection is not to be construed as excusing a data controller from communicating so much of the information sought by the request as
can be communicated without disclosing the identity of the other individual concerned, whether by the omission of names or other identifying particulars or otherwise.
Section 6 adds more detail;
In determining for the purposes of subsection (4)(b) whether it is reasonable in all the circumstances to comply with the request without the consent of the other individual
concerned, regard shall be had, in particular, to-
(a) any duty of confidentiality owed to the other individual,
(b) any steps taken by the data controller with a view to seeking the consent of the other individual,
(c) whether the other individual is capable of giving consent, and
(d) any express refusal of consent by the other individual.
I hope this assists you in deciding how to manage disclosure of this information.
Kind regards
Cindy Paul
AXA Wealth
0117 322 5075
07979 240824
[log in to unmask]
-----Original Message-----
From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of Rebecca Messenger-Clark
Sent: 09 January 2012 17:01
To: [log in to unmask]
Subject: [data-protection] Staff review records
Dear All,
I am currently dealing with a DSAR in which the requestor may get to see comments about them included in another member of staff's Review and Development pro-forma.
The owner of the form has argued that they completed it with an expectation that it would remain confidential. I can of course type the relevant content into a different document but I was interested to know whether anybody else had come across this issue before?
Many thanks,
Rebecca
Rebecca Messenger-Clark
Governance and Corporate Affairs Officer Secretariat University of Leeds
LS2 9JT
0113 34(3 7346)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask] All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
________________________________
This email originates from AXA Wealth, which includes the following companies. Details of the companies offering specific products are contained within product literature.
Architas Multi-Manager Limited (No. 06458717), AXA Portfolio Services Limited (No. 1128611), AXA Wealth Services Limited (No. 02238458) and AXA Wealth Limited (No. 01225468), are all companies registered in England and limited by shares. Their registered office is 5 Old Broad Street, London, EC2N 1AD. Each company promotes and distributes its own products and is authorised and regulated by the Financial Services Authority. AXA Wealth Services Limited also promotes and distributes the products of AXA Isle of Man Limited and AXA Life Europe Limited in the United Kingdom.
Winterthur Financial Services UK Limited, registered in England (No. 00823355) and limited by shares. Registered office: 5 Old Broad Street, London, EC2N 1AD. Winterthur Financial Services UK Limited provides some services to the above companies.
This message and any files transmitted with it are confidential and intended solely for the individual or entity to whom they are addressed. If you have received this in error, you should not disseminate or copy this email. Please notify the sender immediately and delete this email from your system.
Please also note that any opinions presented in this email are solely those of the author and do not necessarily represent those of the AXA UK Group of companies.
Emails may not be secure and may be read by unauthorised persons before they reach the recipient and the information copied or altered. The Information Commissioner and AXA recommend that you protect your confidential or personal information including that sent by email and we suggest that you consider the advice on the Getsafeonline website.
AXA cannot accept any responsibility for any resulting loss or compromise if you send such information in an email to us without suitable protection.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|