I think this is clearer than everyone seems to be making it. If a data subject submits a valid SAR disclosures must be made. No data that can identify any data subject other than the one submitting the SAR may be released to the requestor. It is not relevant whether the data subject is/is not a current or non or ex employee, nor whether the relevant data is on computer or on paper. The only thing that matters is that it is indexed in a structured manner (or retrievable in that way) in accordance with the definitions of the act. It could be argued that a shared surname could be such a structured index method. _____________________________________________________________ Tim Trent Chief Privacy Officer EMEA Gartner EMEA Marketing, Tamesis, The Glanty, Egham, Surrey, United Kingdom, TW20 9AW Switchboard +44 (0)1784 431 611, Direct Line +44 (0)1784 267 335, Mobile +44 (0)7710 126 618, Fax +44 (0)1784 268 932 http://www.gartner.com [log in to unmask] The opinions expressed in this message are my own, and may or may not reflect those of my employer. They are expressed as a part of the discussion on the JISCMail mailing list on data protection and for no other purpose. They have no legal standing and are offered as part of informed and informal discussion. They may NOT be attributed to Gartner in any way. Any personal data provided is provided expressly for use of discussions on the JISCMail Data Protection Discussion list. Under the UK Data Protection Act 1998 I expressly forbid any individual or organisation to make commercial use of my data published either on the email list or in the archives of that or other lists whether this message appears or not. This includes messages already published in the archives. -----Original Message----- From: Kirsty Gray [mailto:[log in to unmask]] Sent: 13 September 2002 14:09 To: [log in to unmask] Subject: Re: Internal Investigation Brenda, I don't understand - if he's not an employee then presumably you won't have information about him in 'structured' manual files so he doesn't have SAR rights related to his personal data in his wife's (or anyone else's) personnel file until 2005. Or is it that all the information is on computer and easy to search / find? If so, do you HAVE to disclose? Guess that depends on what information is held, how obtained and from whom. What are the grounds that HR are using for non-disclosure? That the information held about him was provided in confidence by a third party? But even then you'd have to balance common law duty of confidentiality to that third party against his right to (a) have access to the data and (b) prevent further processing and (c) have it corrected, if incorrect, or details of his version of events appended etc. If his wife / your employee made the SAR - theoretically you'd need his consent to disclose the bits about him to her or else delete as 3rd party! Seems like a real can of worms, good luck! Kirsty. Kirsty E Gray Information Rights Officer Gateshead Council Tel. No: (0191) 433 2170 Fax. No: (0191) 478 2755 mailto:[log in to unmask] http://www.gateshead.gov.uk (Note - views expressed are those of the sender, are provided for discussion and debate and do not necessarily reflect the council's corporate position.) -----Original Message----- From: Brenda Scourfield [mailto:[log in to unmask]] Sent: 13 September 2002 10:29 To: [log in to unmask] Subject: Internal Investigation We have received an SAR from the husband of an employee who is currently the subject of an harrasment investigation. He (not an employee) has been complained about having got involved in obstructing the person accused of harrassment. Apparently, he has been named in various documents, minutes of interviews etc. Personnel are claiming that they do not need to disclose. This afternoon, copies of all documents are being supplied to his wife (3rd parties deleted). Question - do we have to disclose, obviously deleting 3rd party references if their permission to disclose has not been given ? ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ All archives of messages are stored permanently and are available to the world wide web community at large at http://www.jiscmail.ac.uk/lists/data-protection.html If you wish to leave this list please send the command leave data-protection to [log in to unmask] All user commands can be found at : - www.jiscmail.ac.uk/user-manual/summary-user-commands.htm (all commands go to [log in to unmask] not the list please) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Important Information This e-mail constitutes a confidential communication and is subject to legal privilege. If you have received this e-mail in error, please notify us immediately. You should not use or copy it for any purpose, nor disclose it to any other person. ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ All archives of messages are stored permanently and are available to the world wide web community at large at http://www.jiscmail.ac.uk/lists/data-protection.html If you wish to leave this list please send the command leave data-protection to [log in to unmask] All user commands can be found at : - www.jiscmail.ac.uk/user-manual/summary-user-commands.htm (all commands go to [log in to unmask] not the list please) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ All archives of messages are stored permanently and are available to the world wide web community at large at http://www.jiscmail.ac.uk/lists/data-protection.html If you wish to leave this list please send the command leave data-protection to [log in to unmask] All user commands can be found at : - www.jiscmail.ac.uk/user-manual/summary-user-commands.htm (all commands go to [log in to unmask] not the list please) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^