I am sorry Lawrence but I think the examples you are providing relate to a very different set of circumstances.
Dawn Clarke
________________________________
From: This list is for those interested in Data Protection issues [[log in to unmask]] On Behalf Of Lawrence Serewicz [[log in to unmask]]
Sent: 28 January 2016 14:41
To: [log in to unmask]
Subject: Re: [data-protection] Police Requests for Info re Credibility of Witnesses
Dear All,
We had a case over four years ago where the police explained that they were investigating a rape allegation. They requested the full social care file of one of our residents.
I asked for them to explain why they needed the full file. They never responded.
However, had I not asked, there was a view that the full file could be provided as people were concerned to respond positively to a police request.
I checked this with the Caldicott Guardian who was suitably alarmed to be having to provide a full social care file. They were trying to understand how this request would meet the Caldicott Principle that only the minimum of client information is to be disclosed to meet the request. It also raised questions about schedule 2 and 3 being met with regard to section 29 (1) (c)
29 Crime and taxation.
(1) Personal data processed for any of the following purposes—
(a) the prevention or detection of crime,
(b) the apprehension or prosecution of offenders, or
(c) the assessment or collection of any tax or duty or of any imposition of a similar nature,
are exempt from the first data protection principle (except to the extent to which it requires compliance with the conditions in Schedules 2 and 3) and section 7 in any case to the extent to which the application of those provisions to the data would be likely to prejudice any of the matters mentioned in this subsection.
Thus the police have to satisfy the data controller that their case would be prejudiced by failure to disclose which means that the prejudice (harm to their investigation) overrides the conditions in schedule 2 and 3.
I would suggest that asking “to see the whole file to see if we can find out if anything is needed” does not provide enough evidence to demonstrate that the data controller has given due regard to its responsibilities to assess the exemption whether it is appropriate and it is *necessary*. https://ico.org.uk/media/for-organisations/documents/1594/section-29.pdf
See the example in paragraph 38.
A detective constable contacts an employer and asks them to provide contact details for one of their employees. They say that the disclosure is necessary for the crime and taxation purposes but are unwilling to provide further details in case it compromises the investigation. The employer needs to be satisfied that the exemption applies. They could ask that a more senior police officer signs off a request for disclosure and provides a statement that is as clear as possible about why the information is needed. If they are still concerned that disclosing the information would breach the DPA, they can ask the police to obtain a court order. [emphasis added]
What was particularly problematic is that if the full file had been sent, then the police would have become the data controller for it. Given the issues we have seen about data security, data protection, and records management, it would be remiss to be unconcerned about the security of the personal data disclosed to the other data controller. See page 25 of the https://ico.org.uk/media/for-organisations/documents/1068/data_sharing_code_of_practice.pdf where the guidance explains that
When personal data is shared, it is good practice for the organisation disclosing it to make sure that it will continue to be protected with adequate security by any other organisations that will have access to it. The organisation disclosing the information should ensure that the receiving organisation understands the nature and sensitivity of the information. It is good practice to take reasonable steps to ensure that those security measures are in place, particularly by ensuring that an agreed set of security standards has been signed up to by all the parties involved in a data sharing agreement. Please note, though, that the organisations the data is disclosed to will take on their own legal responsibilities in respect of the data, including its security.
One thing to remember is that s.29(3) is an exemption from the DPA; it is *not* a search warrant. If they want to search the files to see if there is anything useful, then they should get a search warrant, not a section 29(3) request. http://findlaw.co.uk/law/criminal/your_rights/police-needing-a-warrant.html See section 8 of the Police and Criminal Evidence Act 1984 http://www.legislation.gov.uk/ukpga/1984/60
If you are concerned about these types of requests, especially for full files, I would suggest that you consult with your Caldicott Guardian if you have one and your legal team.
Best,
Lawrence
________________________________
All archives of messages are stored permanently and are available to the world wide web community at large at http://www.jiscmail.ac.uk/lists/data-protection.html