I mentioned previously that the DCA had published their legal guidance on data sharing. Having read most of the document through once there seem to be at least two areas that deserve comment. The first is in relation to the information to be given to data subjects under the Fair Processing Code ( Section 6 Para refers). The way the document is worded serves to diminish the distinction between paragraphs 2 (1)(a) and 2(1)(b) in Part II of Schedule 1. The Schedule gives clear options about timing in relation to personal data where this is obtained from third parties. It is silent about the timing of the Fair Processing Information in relation to data obtained from data subjects. The DCA Legal Guidance states ‘that personal data are not to be regarded as being processed fairly unless, at the first time that processing takes place, or very soon afterwards, the relevant data subject is provided with, or has made readily available to him, certain information ('the information requirements').’ The ‘soon afterwards’ is presumably the DCA’s shorthand for Section 2.(2) of the Schedule. It does not apply to data obtained from the data subject. The Commissioner’s Legal Guidance is that because the Act is silent on this, the presumption must be that where personal data is obtained directly from data subjects the Fair Processing Information must be given to them at that time. Of course, processing includes obtaining and although this is acknowledged elsewhere in the Guidance, this is not emphasised. It would be better if the Guidance just came out and said that where personal data is obtained directly from data subjects the Fair Processing Information should (as far as practicable) be given to them at that time. The second area is in relation to Principle 2 and compatibility. The DCA Legal Guidance states: “As to further processing operations, in our view, the requirement of compatibility has a relatively low threshold. Compatible does not mean "identical to", and purposes which are quite different from the original purposes can still be compatible with those original purposes. We believe that, provided the further processing is for a purpose that is not contradictory to the originally specified purpose or purposes, it will be consistent with the second principle.” This is a radical departure and appears to represent an attempt to move the goal posts. It defeats the whole purpose of Principle 2 since it ignores the first part, the need to specify. It also contradicts the Commissioner’s Legal Guidance. The Commissioner has stated that he takes a strict view of compatibility and makes clear the link between compatibility and the further information required under the Fair Processing Code. The point being that the data subject should understand what the information is going to be used for. In relation to this the Commissioner’s Guidance states that: “In deciding …..what further information is necessary, data controllers should consider what processing of personal data they will be carrying out once the data have been obtained and consider whether or not data subjects are likely to understand the following: (a) the purposes for which their personal data are to be processed; (b) the likely consequences of such processing such that the data subject is able to make a judgement as to the nature and extent of the processing; and (c) whether particular disclosures can be reasonably envisaged. It would be expected that the more unseen the consequences of processing the more likely it is that the data controller will be expected to provide further information.” And “In the context of the 1984 Act, the Data Protection Tribunal have supported the Commissioner’s view that personal information will not be fairly obtained unless the individual has been informed of the non-obvious purpose or purposes for which it is required, before the information is obtained.” And “Where the data controller already holds information for a specific purpose, it can only be used for a different purpose that would not have been envisaged by the data subject at the time of collection of the information, if the data controller has the consent of the data subject.” The last sentence in the quote from the DCA is also a nonsense. Why is any other use compatible as long as it is not the opposite or contrary? Is fishing compatible with geology? What would be a contradictory purpose to collecting Council Tax? Supporting a political movement aimed at its abolition by making it unworkable –possibly – but almost anything else would not be contradictory. It would be interesting to know what the Commissioner had to say about the Guidance. Has he published his response to the consultation by the DCA? ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ All archives of messages are stored permanently and are available to the world wide web community at large at http://www.jiscmail.ac.uk/lists/data-protection.html If you wish to leave this list please send the command leave data-protection to [log in to unmask] All user commands can be found at : - http://www.jiscmail.ac.uk/help/commandref.htm (all commands go to [log in to unmask] not the list please) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^