 |
 |
Do not forget about the Section 27(3-4). The non-disclosure exemption. The exemptions from the various principles or part as far as detection of crime or apprehension of offenders are concerned are far wider than under the 1984 Act. This exemption is no longer simply linked to registration but exempts elements of the first principle (fair and lawful) from being applied in terms of a breach. However processing conditions must still be met. These should however have been met already if the personal data exists to disclose. David Wyatt Data Protection Manager Norwich Union ----- Original Message ----- From: <[log in to unmask]> To: <[log in to unmask]> Sent: Saturday, March 11, 2000 9:32 AM Subject: Re: Requests for Data by Police > One of the main things to remember when disclosing to the police under s28(3) > [1984 Act] or s29(3) [1998 Act] is that it is the Data User / Controller (not > the police) who must be reasonable convinced that failure to disclose would > prejudice the enquiry. > > If you are not individually authorised by the Data User / Controller (usually > your employer) to make the decision to disclose (or not) then you should > always pass the request to someone who is so authorised. > > There have been occasions (rare, but significant) where s28(3) disclosures > have been made about individuals who could not have been involved in the > alleged crime and the employer KNEW this to be the case (because the > individual was in one instance in a management meeting, in another he was > working in a different part of the country). > > I would imagine this type of disclosure is outside the scope of s29(3) and > unless the organisation is registered to disclose employee data to the police > could well be illegal. But then of course Principle One would require that > the individal is informed of likely recipients. > > Another thing to remember is in respect of s115 of the Crime and Disorder > Act. Data sharing under this Act is only allowed (it is not compulsory) > where compliance with the Data Protection Act 1998 has been met. In other > words, complying with the Principles, including: informing the individual > (seeking consent in most cases), ensuring the purpose is registered and > compatible with the reason for obtaining the data, ensuring data quality and > integrity, not releasing more than is strictly necessary, not keeping it for > too long (ref: Rehabilitation of Offenders, etc), processing with the rights > of the individual in mind and having appropriate security (including staff > vetting). > > Ian Buckland > Keep IT Legal Ltd > [log in to unmask] > %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%