Working these days exclusively in commercial environments, I have never for one moment envisaged listing in a SAR response the names of persons or organisations to whom data is "disclosed", rather just the "classes" of the recipients.
Many clients will not record/log this data, as there is no business need for it. If they do, its retention period is likely to be significantly less than the retention period of the main data.
If they did record it, over the lifetime of a customer's record (which can be up to ten and more years with warranty periods) or employee records (which can be up to 50 years) the figure could total many hundreds of individuals, some of whom will no longer be employees - so "third parties" at the time of disclosure.
Some might even be dead ... so no problem there with disclosure <g>.
M
-----Original Message-----
From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of Owen Thomas
Sent: 18 September 2015 15:53
To: [log in to unmask]
Subject: Re: [data-protection] Audit log entries - personal data?
Apologies if this has already been mentioned, but the SAR right includes the right "...to be given by the data controller a description of ... the recipients or classes of recipients to whom they are or may be disclosed"
I would argue that 'disclosure' cannot be confined to being an active handover of data and that anyone accessing electronic patient records and learning something new is having information disclosed to them.
I would argue that whether information is freely given to someone or is pulled out of a database by them is dancing on the head of a pin and that information in audit logs does fall within the scope of the SAR, as while log data isn't necessarily the Data Subject's personal data, it is clearly information falling within Section 7(1)(b)(iii) - even if (in the event) it is considered desirable to substitute job titles for names.
Owen
O Thomas
Information Governance Officer
Law & Governance
Commercial & Corporate Services Directorate Sunderland City Council
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask] All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^