I don’t think it’s incorrect in principle to be circumspect about sharing such information internally, but, equally, I can see why senior managers might wish to be aware of requests.
Specifically, though, surely your lawyers need to know details of requests which are or might be relevant to a legal claim against you? Consent of the requester is certainly not a prerequisite in those circumstances (see para 5(3) Sch 2 DPA if you want to argue that internal sharing = “disclosure” (which I’m not convinced it is)).
Sent from my iPhone
> On 14 Aug 2020, at 14:57, Hocking, Jon <[log in to unmask]> wrote:
>
> Fellow travellers on the path of enlightenment, pray share with me your wisdom...
>
> I've just received a request from a senior member of HR to be notified of all DSARs (data subject name, request details), as (and I quote)
> "I do believe I should be made aware of DSARs being submitted by staff/ex-staff as they could be material to other actions – particularly legal proceedings – or prompt the provision of support if they indicate someone could be at risk."
>
> Now, this makes me somewhat uncomfortable, given the last DSAR I received was a request for any messages containing rumours about the data subject (later singled down to "affair") - but let's be honest, it's possible that it could be anything on a DSAR... and while certain people NEED to know to perform their searches, I'm struggling with this one.
>
> Is there specific legislation I can throw at HR to stop this, or am I just being over-paranoid, and it's a perfectly legitimate request from the HR department?
>
> Potential useful back-fill - we have a serial DSAR subject who is taking the organisation to ET - and their partner (also staff/ex-staff) has filed a separate DSAR for their own data. My suspicions are that HR want evidence for their ET - I have already been asked to reveal the results of the first 5 DSAR requests to the organisation lawyers, which I have refused to do until they present a legal reasoning why personal data can be shared without the consent of the data subject.
>
> Am I just getting too militant in my old age? Am I being the "wrong person" here, or am I right to be concerned?
>
> You guys and gals have wiser heads than me, and more experience in this field (3 years in - I feel like I should be in a circle "Hi, my name is Jon, it's been 3 days since my last DSAR") (apologies for the inconsiderate humour there, it's been a week...)
>
> ANY ADVICE APPRECIATED - including "yep, it's fine, just stop being a ****** insert term here"
>
> Happy Friday!
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> An archive of messages is stored permanently at http://www.jiscmail.ac.uk/lists/data-protection.html
>
> If you wish to leave this list please send an email to [log in to unmask] with no subject
> and leave data-protection as the message body. This is an automated service.
>
> Additional subscriber help is available at https://www.jiscmail.ac.uk/help/subscribers.html
>
> Any other list queries can be emailed to [log in to unmask]
>
> For general JISCMail queries please email [log in to unmask]
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^