Thanks for the responses. Pretty much as I guessed.
I think we all know that in practice the majority of controllers today, faced with a request for "a copy of ..." simply supply and pay no heed to the other requirements of s7 DPA 1998 despite the clear requirements of Regulation 2 of The Data Protection (Subject Access) (Fees and Miscellaneous Provisions) Regulations 2000 "A request for information under any provision of section 7(1)(a), (b) or (c) of the Act is to be treated as extending also to information under all other provisions of section 7(1)(a), (b) and (c)." Possibly one of the most breached requirements (after retention) of the 98 Act.
There is no equivalent of Reg 2 in the new DP Bill but any sensible reading of Art 15 and the transparency recitals, IMO, would require a similar approach to Reg 2 in most cases. I wonder how many controllers will take this view or will they simply, as now, send a copy of the file?
My meanderings were stimulated by the following question. A patient asks for a copy of his health records. These are defined in DP Bill (although not in the context of a SAR since the concept of an accessible record has gone). The controller has in the files some safeguarding records from when subject was a child. These do not fall within the definition of a health record. Does the controller simply remove them as they were not asked for and say nothing? Or does he at the very least refer to them because Article 15 requires him to disclose purpose and categories .. of personal data, not simply to provide copies of what is asked for?
Doing the former certainly seems to me to be at minimum disingenuous and lacking in transparency, and if not done very carefully deliberately misleading given that the point of SAR is to give the subject control over his PD. He hardly has that if you do not bother to mention something which (subject to exemptions) he has a clear right to going all the way back to Gaskin v UK.
Should it really matter how the subject phrases his request? "My health records", "my personal data", "a copy of my files" or something else - particularly as controllers will often, by providing a form, effectively phrase the request for the subject?