Like Trish-Louise I have not had time to look up the precedent but she is absolutely right. There is clear case law on this. At least one case I recall was where a DC refused to post to a house in multiple-occupation and was held to have breached s7 / principle 6.
We must distinguish the two questions in this and the related thread.
1. Verifying identity. Here the onus is clearly on the DC and they bear the risk, and must establish they have taken reasonable and appropriate steps if they mis-identify.
2. Delivering the data to an identified subject. Here providing it is explained, the risk is on the subject, as the duty on the DC is to provide the information, and if they specify the method and the risk is explained* the DC must comply.
* This could include a risk that they get less as an insecure delivery method would, in my view, be a factor you would take into account under s7(4) in deciding whether to exclude "also someone else's" data.