Hi
We looked at this in the context of an NHS Trust which has outsourced its security functions including CCTV to a company (and to a lesser extent in relation to general SARs) and essentially decided it wasn't possible in practice. Decisions on what is / is not personal data, whether exemptions apply, whether third party info needs to be redacted (involves a balancing test) are essentially controller decisions IMO.
We could (possibly but I still have doubts) have set up a process where they did the legwork and passed it back to the controller to make a 'decision' but decided not to go down that route.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at https://www.jiscmail.ac.uk/help/subscribers/subscribercommands.html
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|