On the other hand, if you disclose in error the damage is done; there is no 
way to get the information back.

I'm sure I have seen (but of course cannot now find) a document in which the 
ICO takes a very pragmatic approach.  As far as I recall it says that if, 
despite all your efforts, you do not have a response within the 40 days you 
should release the information that you know you are OK to release and 
explain the delay with the remainder.  If you are acting in good faith you 
are unlikely to be penalised for a technical breach.  OK, there is a 
residual risk, but surely that's better than releasing information that 
should be withheld?


Paul Ticher
0116 273 8191
www.paulticher.com
22 Stoughton Drive North, Leicester LE5 5UB

For continuous priority support on Data Protection, sign up to my support 
service:
www.paulticher.com/data-protection-services


----- Original Message ----- 
From: "Bell, Neil" <[log in to unmask]>
To: <[log in to unmask]>
Sent: Friday, April 12, 2013 9:50 AM
Subject: data-protection] SAR's - releasing information from other agencies


Apologies to the group for missing the terms 'subject to applicable 
exemptions' in my last post. However, the default starting position must 
always be to disclose.

Information in a social care situation comes from lots of sources and a 
disclosure officer has a maximum of 40 calendar days to retrieve, collate, 
possibly redact and provide in full the records to the data subject.

Before a disclosure officer releases, it would be prudent to capture the 
opinion of the last or most recent professional dealing with the individual 
such as the social worker who should be well aware of the persons wellbeing 
and capability to receive 'their' records but beyond that it becomes less 
practical, I have many times waited weeks for a response from medical 
practitioners which has put my organisation in jeopardy as the DPA clock is 
ticking. This is exactly what information sharing between organisations is 
meant to break down, increase trust and reduce 'silo thinking' in social and 
medical care.

We are talking about data controlling not data processing therefore I must 
go back to my original statement of if you are making decisions based upon 
that information that affects the data subject, you must disclose it 
(subject to applicable exemptions defined and applied by the disclosing 
organisation).

Neil

There are 10 types of people in the world, those who understand binary and 
those who don't

From: This list is for those interested in Data Protection issues 
[mailto:[log in to unmask]] On Behalf Of Simon Howarth
Sent: 12 April 2013 09:08
To: [log in to unmask]
Subject: Re: [data-protection] SAR's - releasing information from other 
agencies

I must take a very different view to Neil's.

Taking NHS information as the example with which I am very familiar:

Medical information can only be released to an individual once it has been 
reviewed by a suitable medical professional (within the NHS). For many 
medical complaints there will be very little reason to withhold. However, if 
the medical conditions relate to mental health, for example, someone 
qualified needs to be satisfied that release of the information will not in 
any way cause adversity to the requestor or other people.

If you hold this type of information you really must consider the 
appropriateness of releasing such information and if you do not understand 
the information being held or have a concept of how it might cause people 
undue distress etc., then you must get further advice.

Neil's quote "...if you hold it you are potentially making decisions on it 
therefore you must disclose it..." is not right. There is no "must disclose 
it". An individual has the right to request information that is held about 
them, but exemptions exist which allow refusal. Therefore you must CONSIDER 
disclosure, however it is not mandatory if suitable exemption exists.

By way of example. Several years ago I was covering the IG position for a 
mental health trust. I was contacted by a very upset individual who had 
requested some social work records. These records had a psychologist's notes 
included which provided the information that this individual's mother was 
not her real mother. It had been decided by all concerned to withhold this 
information because of the damage that it would cause to this person's 
longer term treatment. Imagine the phone call I had with a distraught woman 
now wanting to know who her mother really was? The psychologist concerned 
was apoplectic and estimated that it has set this woman back almost to day 1 
of her mental health treatment.

PLEASE look carefully at "third party information" and if unsure seek 
further advice. It might be more work, and as someone once said - A million 
to one chance? There are 60 million people in the UK alone. That means that 
every day that million to one chance happens to 60 people.

Simon Howarth MSc. MBCS CITP

From: This list is for those interested in Data Protection issues 
[mailto:[log in to unmask]] On Behalf Of Bell, Neil
Sent: 10 April 2013 16:55
To: [log in to unmask]<mailto:[log in to unmask]>
Subject: [data-protection] SAR's - releasing information from other agencies

I always play 'a straight bat' on these and released all information held 
including the names of social care or medical professionals. My reason for 
this is that if you hold it you are potentially making decisions on it 
therefore you must disclose it. Conversely you wouldn't ask the originator 
of the document whether you could use it to make a decision that affected 
the data subject, would you?

Neil
There are 10 types of people in the world, those who understand binary and 
those who don't
<snip>
________________________________

All archives of messages are stored permanently and are available to the 
world wide web community at large at 
http://www.jiscmail.ac.uk/lists/data-protection.html

Selected commands (the command has been filled in below in the body of the 
email if you are receiving emails in HTML format):

 *   Leaving this list: send leave data-protection to 
[log in to unmask]<mailto:[log in to unmask]&BODY=LEAVE%20data-protection>
 *   Suspending emails from all JISCMail lists: send SET * NOMAIL to 
[log in to unmask]<mailto:[log in to unmask]&BODY=SET%20*%20NOMAIL>
 *   To receive emails from this list in text format: send SET 
data-protection NOHTML to 
[log in to unmask]<mailto:[log in to unmask]&BODY=SET%20data-protection%20NOHTML>
 *   To receive emails from this list in HTML format: send SET 
data-protection HTML to 
[log in to unmask]<mailto:[log in to unmask]&BODY=SET%20data-protection%20HTML>

All user commands can be found at 
http://www.jiscmail.ac.uk/help/commandref.htm and are sent in the body of an 
otherwise blank email to 
[log in to unmask]<mailto:[log in to unmask]>

Any queries about sending or receiving messages please send to the list 
owner 
[log in to unmask]<mailto:[log in to unmask]>

(Please send all commands to 
[log in to unmask]<mailto:[log in to unmask]> not the list or the 
moderators, and all requests for technical help to 
[log in to unmask]<mailto:[log in to unmask]>, the general office 
helpline)

________________________________
The National Trust is a registered charity no. 205846. Our registered office 
is Heelis, Kemble Drive, Swindon, Wiltshire SN2 2NA.
The views expressed in this email are personal and may not necessarily 
reflect those of the National Trust unless explicitly stated otherwise.
This email and any files transmitted with it are confidential and intended 
solely for the use of the individual or entity to whom they are addressed. 
If you have received this email in error, please notify me immediately. If 
you are not the intended recipient of this email, you should not copy it for 
any purpose, or disclose its contents to any other person. Senders and 
recipients of email should be aware that, under the Data Protection Act 
1998, the contents may have to be disclosed.
This email has been scanned by the MessageLabs Email Security System. For 
more information please visit <>. However the National Trust cannot accept 
liability for viruses that may be in this email and we recommend that you 
check all emails with an appropriate virus scanner.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
     All archives of messages are stored permanently and are
      available to the world wide web community at large at
      http://www.jiscmail.ac.uk/lists/data-protection.html
     If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
All user commands can be found at 
http://www.jiscmail.ac.uk/help/commandref.htm
 Any queries about sending or receiving messages please send to the list 
owner
              [log in to unmask]
  Full help Desk - please email [log in to unmask] describing your 
needs
        To receive these emails in HTML format send the command:
         SET data-protection HTML to [log in to unmask]
   (all commands go to [log in to unmask] not the list please)
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
     All archives of messages are stored permanently and are
      available to the world wide web community at large at
      http://www.jiscmail.ac.uk/lists/data-protection.html
     If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
 Any queries about sending or receiving messages please send to the list owner
              [log in to unmask]
  Full help Desk - please email [log in to unmask] describing your needs
        To receive these emails in HTML format send the command:
         SET data-protection HTML to [log in to unmask]
   (all commands go to [log in to unmask] not the list please)
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^