Apologies if this has already been mentioned, but the SAR right includes the right "...to be given by the data controller a description of ... the recipients or classes of recipients to whom they are or may be disclosed"
I would argue that 'disclosure' cannot be confined to being an active handover of data and that anyone accessing electronic patient records and learning something new is having information disclosed to them.
I would argue that whether information is freely given to someone or is pulled out of a database by them is dancing on the head of a pin and that information in audit logs does fall within the scope of the SAR, as while log data isn't necessarily the Data Subject's personal data, it is clearly information falling within Section 7(1)(b)(iii) - even if (in the event) it is considered desirable to substitute job titles for names.
Owen
O Thomas
Information Governance Officer
Law & Governance
Commercial & Corporate Services Directorate
Sunderland City Council
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|