I have to say that I would likely accept a S.29 request only from those organisations with a statutory or public function to undertake criminal investigations/prosecutions. So this could include local authorities, Trading Standards, HSE etc. Insurance companies have no such statutory function, and to my knowledge don't carry out a prosecution, they report fraudulent claims to the police, whatever they might tell you. As you say, their most likely reason for requesting the information is to decide whether or not to pay out on the claim and therefore not S.29. You could look at using S.35 legal proceedings, or the legitimate interest condition, but in both cases you will likely be looking to contact the data subject/3rd party for their consent or views before making a decision.

Dawn Clarke


________________________________
From: This list is for those interested in Data Protection issues [[log in to unmask]] On Behalf Of Chris Brogan [[log in to unmask]]
Sent: 08 March 2016 14:48
To: [log in to unmask]
Subject: [data-protection] Section 29 Exemption

Many thanks for the comments so far especially Phil Bradshaw's reference to Hansard.
On reflection my question was badly worded. So let me see if I can do better this time.
The background to this can be tracked back to Lord Norton's question that I referenced in my previous posting. Section 29 in the Bill was causing concern to Non Law Enforcement investigators. It was unclear if they could make a request under Section 29. This fog of uncertainty has continued and was discussed on numerous occasions with ICO officials at gatherings of non law enforcement investigators. I was privy to a very robust discussion at the end of the first Masters Degree Course in Information Rights run by Northumbria University. It was generally felt and supported by a few ICO officials who were on the course that it didn't apply to non law enforcement investigators. Elizabeth France on a number of occasions said that if you suspected that a crime had taken place you should report it to the police. The Police on numerous occasions said that they would need some evidence that a crime had taken place before they would consider investigating the matter.
It would seem that anyone can make a request to a DC under the section 29 exemption. It is up to the DC to decide whether to release the data.
Now my question should have been. If the DC has to satisfy the criteria imposed by section 29 before releasing how can he do that if the request is made by a non law enforcement investigator acting on behalf of a client say insurance company, credit card company. This investigator cannot necessarily provide the assurances needed to the DC.
He can tell the DC what his client has told him. The DC needs to be assured that the data provided will be processed in accordance with the DPA. The investigator is acting on his client's instructions he is not in a position to dictate to the client what to do with the data that he has obtained. There is also the question, for another time, that if the investigator is DP then why is he making the request?

I posed this question to one of the solicitors at the ICO some years ago. Amongst other comments the answer included a warning that if the person/organisation making a section 29 request had no intention of ever prosecuting the matter that was being investigated then the ICO would take a very dim view of it. Many insurance companies allow their contracted investigator to make Section 29 requests and have no intention of ever prosecuting. They just want to be in a position to rebut the claim. They often during that rebuttal use the info obtained by a section 29 request. Other organisations use investigators who in turn make these requests. If your organisation use external investigators that could be a problem for you.
For what it is worth I would advise a client to never release data to a contracted non law enforcement investigator. Rather insist that his client make the request.

Chris Brogan
________________________________

All archives of messages are stored permanently and are available to the world wide web community at large at http://www.jiscmail.ac.uk/lists/data-protection.html

Selected commands (the command has been filled in below in the body of the email if you are receiving emails in HTML format):

 *   Leaving this list: send leave data-protection to [log in to unmask]<mailto:[log in to unmask]&BODY=LEAVE%20data-protection>
 *   Suspending emails from all JISCMail lists: send SET * NOMAIL to [log in to unmask]<mailto:[log in to unmask]&BODY=SET%20*%20NOMAIL>
 *   To receive emails from this list in text format: send SET data-protection NOHTML to [log in to unmask]<mailto:[log in to unmask]&BODY=SET%20data-protection%20NOHTML>
 *   To receive emails from this list in HTML format: send SET data-protection HTML to [log in to unmask]<mailto:[log in to unmask]&BODY=SET%20data-protection%20HTML>

All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm and are sent in the body of an otherwise blank email to [log in to unmask]<mailto:[log in to unmask]>

Any queries about sending or receiving messages please send to the list owner [log in to unmask]<mailto:[log in to unmask]>

(Please send all commands to [log in to unmask]<mailto:[log in to unmask]> not the list or the moderators, and all requests for technical help to [log in to unmask]<mailto:[log in to unmask]>, the general office helpline)

________________________________

________________________________
Internet communications are insecure, therefore City College Norwich (CCN) does not accept legal responsibility for the contents of this message. Any views or opinions presented are solely those of the author and do not necessarily represent those of CCN.

This email and any files sent with it are intended only for the named recipient and may be confidential. If you are not the named recipient please email the sender immediately then delete this message. You should not disclose the content, distribute or retain any copies of this message.

City College Norwich, Ipswich Rd., Norwich, Norfolk. NR2 2LJ.


--

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
     All archives of messages are stored permanently and are
      available to the world wide web community at large at
      http://www.jiscmail.ac.uk/lists/data-protection.html
     If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
 Any queries about sending or receiving messages please send to the list owner
              [log in to unmask]
  Full help Desk - please email [log in to unmask] describing your needs
        To receive these emails in HTML format send the command:
         SET data-protection HTML to [log in to unmask]
   (all commands go to [log in to unmask] not the list please)
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^