On the other hand, if you disclose in error the damage is done; there is no
way to get the information back.
I'm sure I have seen (but of course cannot now find) a document in which the
ICO takes a very pragmatic approach. As far as I recall it says that if,
despite all your efforts, you do not have a response within the 40 days you
should release the information that you know you are OK to release and
explain the delay with the remainder. If you are acting in good faith you
are unlikely to be penalised for a technical breach. OK, there is a
residual risk, but surely that's better than releasing information that
should be withheld?
Paul Ticher
0116 273 8191
www.paulticher.com
22 Stoughton Drive North, Leicester LE5 5UB
For continuous priority support on Data Protection, sign up to my support
service:
www.paulticher.com/data-protection-services
----- Original Message -----
From: "Bell, Neil" <[log in to unmask]>
To: <[log in to unmask]>
Sent: Friday, April 12, 2013 9:50 AM
Subject: data-protection] SAR's - releasing information from other agencies
Apologies to the group for missing the terms 'subject to applicable
exemptions' in my last post. However, the default starting position must
always be to disclose.
Information in a social care situation comes from lots of sources and a
disclosure officer has a maximum of 40 calendar days to retrieve, collate,
possibly redact and provide in full the records to the data subject.
Before a disclosure officer releases, it would be prudent to capture the
opinion of the last or most recent professional dealing with the individual
such as the social worker who should be well aware of the persons wellbeing
and capability to receive 'their' records but beyond that it becomes less
practical, I have many times waited weeks for a response from medical
practitioners which has put my organisation in jeopardy as the DPA clock is
ticking. This is exactly what information sharing between organisations is
meant to break down, increase trust and reduce 'silo thinking' in social and
medical care.
We are talking about data controlling not data processing therefore I must
go back to my original statement of if you are making decisions based upon
that information that affects the data subject, you must disclose it
(subject to applicable exemptions defined and applied by the disclosing
organisation).
Neil
There are 10 types of people in the world, those who understand binary and
those who don't
From: This list is for those interested in Data Protection issues
[mailto:[log in to unmask]] On Behalf Of Simon Howarth
Sent: 12 April 2013 09:08
To: [log in to unmask]
Subject: Re: [data-protection] SAR's - releasing information from other
agencies
I must take a very different view to Neil's.
Taking NHS information as the example with which I am very familiar:
Medical information can only be released to an individual once it has been
reviewed by a suitable medical professional (within the NHS). For many
medical complaints there will be very little reason to withhold. However, if
the medical conditions relate to mental health, for example, someone
qualified needs to be satisfied that release of the information will not in
any way cause adversity to the requestor or other people.
If you hold this type of information you really must consider the
appropriateness of releasing such information and if you do not understand
the information being held or have a concept of how it might cause people
undue distress etc., then you must get further advice.
Neil's quote "...if you hold it you are potentially making decisions on it
therefore you must disclose it..." is not right. There is no "must disclose
it". An individual has the right to request information that is held about
them, but exemptions exist which allow refusal. Therefore you must CONSIDER
disclosure, however it is not mandatory if suitable exemption exists.
By way of example. Several years ago I was covering the IG position for a
mental health trust. I was contacted by a very upset individual who had
requested some social work records. These records had a psychologist's notes
included which provided the information that this individual's mother was
not her real mother. It had been decided by all concerned to withhold this
information because of the damage that it would cause to this person's
longer term treatment. Imagine the phone call I had with a distraught woman
now wanting to know who her mother really was? The psychologist concerned
was apoplectic and estimated that it has set this woman back almost to day 1
of her mental health treatment.
PLEASE look carefully at "third party information" and if unsure seek
further advice. It might be more work, and as someone once said - A million
to one chance? There are 60 million people in the UK alone. That means that
every day that million to one chance happens to 60 people.
Simon Howarth MSc. MBCS CITP
From: This list is for those interested in Data Protection issues
[mailto:[log in to unmask]] On Behalf Of Bell, Neil
Sent: 10 April 2013 16:55
To: [log in to unmask]<mailto:[log in to unmask]>
Subject: [data-protection] SAR's - releasing information from other agencies
I always play 'a straight bat' on these and released all information held
including the names of social care or medical professionals. My reason for
this is that if you hold it you are potentially making decisions on it
therefore you must disclose it. Conversely you wouldn't ask the originator
of the document whether you could use it to make a decision that affected
the data subject, would you?
Neil
There are 10 types of people in the world, those who understand binary and
those who don't
<snip>
________________________________
All archives of messages are stored permanently and are available to the
world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
Selected commands (the command has been filled in below in the body of the
email if you are receiving emails in HTML format):
* Leaving this list: send leave data-protection to
[log in to unmask]<mailto:[log in to unmask]&BODY=LEAVE%20data-protection>
* Suspending emails from all JISCMail lists: send SET * NOMAIL to
[log in to unmask]<mailto:[log in to unmask]&BODY=SET%20*%20NOMAIL>
* To receive emails from this list in text format: send SET
data-protection NOHTML to
[log in to unmask]<mailto:[log in to unmask]&BODY=SET%20data-protection%20NOHTML>
* To receive emails from this list in HTML format: send SET
data-protection HTML to
[log in to unmask]<mailto:[log in to unmask]&BODY=SET%20data-protection%20HTML>
All user commands can be found at
http://www.jiscmail.ac.uk/help/commandref.htm and are sent in the body of an
otherwise blank email to
[log in to unmask]<mailto:[log in to unmask]>
Any queries about sending or receiving messages please send to the list
owner
[log in to unmask]<mailto:[log in to unmask]>
(Please send all commands to
[log in to unmask]<mailto:[log in to unmask]> not the list or the
moderators, and all requests for technical help to
[log in to unmask]<mailto:[log in to unmask]>, the general office
helpline)
________________________________
The National Trust is a registered charity no. 205846. Our registered office
is Heelis, Kemble Drive, Swindon, Wiltshire SN2 2NA.
The views expressed in this email are personal and may not necessarily
reflect those of the National Trust unless explicitly stated otherwise.
This email and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed.
If you have received this email in error, please notify me immediately. If
you are not the intended recipient of this email, you should not copy it for
any purpose, or disclose its contents to any other person. Senders and
recipients of email should be aware that, under the Data Protection Act
1998, the contents may have to be disclosed.
This email has been scanned by the MessageLabs Email Security System. For
more information please visit <>. However the National Trust cannot accept
liability for viruses that may be in this email and we recommend that you
check all emails with an appropriate virus scanner.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at
http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving messages please send to the list
owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your
needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|