Michelle,
That is very helpful. Thanks. The situation, though, may be a bit sideways depending on what the applicant asks. For example, they may say "I would like to know how many times my account was accessed and by whom. In particular, I would like to know if Mrs ABC accessed the account."
As such, this does not necessarily meet a criterion for a disciplinary, but it strays into that territory between DPA and other regulatory activity (like disciplinary investigations).
Can anyone point me in the direction of where I might find more information on exploring this grey territory? I am concerned that we may see a rise in these types of cases and I want to be ready.
How is everyone else handling these types of cases?
Best,
Lawrence
-----Original Message-----
From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of Michelle Peel
Sent: 01 March 2012 09:33
To: [log in to unmask]
Subject: Re: [data-protection] Mechanics of a Subject Access Request (How would you approach this issue?)
Hi,
Just checked our Disciplinary Policy to make sure my assumption is right before I share it, which it is!
Upon Mr XYZ contacting us with his complaint/allegations, Mrs ABC would be informed of the complaint and asked to put her case forward. This would hopefully reveal whether she has accessed the information legitimately, and would provide information as a starting point. Audit (or whoever) would then be able to check any electronic systems to corroborate this if Mrs ABC is able to provide (rough) dates of access for a particular task.
If paper records, you might be lucky, and a checking out system might be in place. If the paper records were held offsite this would be true, if held in filing cabinets in the office, not so much I would imagine. Still, the legitimate purpose of access would be able to be confirmed by Mrs ABC's line manager.
Would you then need to check all systems/sources of the information? I would suggest not, as you would know that Mrs ABC does have access to the records in question and the question then would be how do you prove she did not use this information for personal reasons! Which I can't answer!
The question then is - how do you prevent this person having access in the future? In particular electronic systems in use in Children and Young People's Service we operate a "Restricted Records Policy". This policy enables us to lock down a child's record to particular named users, with the purpose of preventing staff access to protect the confidentiality of colleagues or family members or employees in cases where the child or family is related to an employee with access to the system. This is reliant on the honesty of employees, but in most cases once the case history becomes known to a social worker (for example) then this can be flagged up as names of colleagues are recognised.
I've digressed I realise, but thought it might be relevant!
Best wishes,
Michelle
Michelle Peel
CYPS Information Governance Officer
Trafford Council