JISCMail - DATA-PROTECTION Archives

I mentioned previously that the DCA had published their legal guidance on
data sharing.  Having read most of the document through once there seem to
be at least two areas that deserve comment.

The first is in relation to the information to be given to data subjects
under the Fair Processing Code ( Section 6 Para refers).  The way the
document is worded serves to diminish the distinction between paragraphs 2
(1)(a) and 2(1)(b) in Part II of Schedule 1.

The Schedule gives clear options about timing in relation to personal data
where this is obtained from third parties.  It is silent about the timing
of the Fair Processing Information in relation to data obtained from data
subjects.

The DCA Legal Guidance states ‘that personal data are not to be regarded as
being processed fairly unless, at the first time that processing takes
place, or very soon afterwards, the relevant data subject is provided with,
or has made readily available to him, certain information ('the information
requirements').’

The ‘soon afterwards’ is presumably the DCA’s shorthand for Section 2.(2)
of the Schedule.  It does not apply to data obtained from the data
subject.  The Commissioner’s Legal Guidance is that because the Act is
silent on this, the presumption must be that where personal data is
obtained directly from data subjects the Fair Processing Information must
be given to them at that time. Of course, processing includes obtaining and
although this is acknowledged elsewhere in the Guidance, this is not
emphasised.  It would be better if the Guidance just came out and said that
where personal data is obtained directly from data subjects the Fair
Processing Information should (as far as practicable) be given to them at
that time.

The second area is in relation to Principle 2 and compatibility.  The DCA
Legal Guidance states:

“As to further processing operations, in our view, the requirement of
compatibility has a relatively low threshold. Compatible does not
mean "identical to", and purposes which are quite different from the
original purposes can still be compatible with those original purposes. We
believe that, provided the further processing is for a purpose that is not
contradictory to the originally specified purpose or purposes, it will be
consistent with the second principle.”

This is a radical departure and appears to represent an attempt to move the
goal posts.  It defeats the whole purpose of Principle 2 since it ignores
the first part, the need to specify.  It also contradicts the
Commissioner’s Legal Guidance.  The Commissioner has stated that he takes a
strict view of compatibility and makes clear the link between compatibility
and the further information required under the Fair Processing Code.  The
point being that the data subject should understand what the information is
going to be used for.  In relation to this the Commissioner’s Guidance
states that:

 “In deciding …..what further information is necessary, data
controllers should consider what processing of personal data they will be
carrying out once the data have been obtained and consider whether or not
data subjects are likely to understand the following:

(a) the purposes for which their personal data are to be processed;
(b) the likely consequences of such processing such that the data subject
is able to make a judgement as to the nature and extent of the processing;
and
(c) whether particular disclosures can be reasonably envisaged.

It would be expected that the more unseen the consequences of processing
the more likely it is that the data controller will be expected to provide
further information.”

And

“In the context of the 1984 Act, the Data Protection Tribunal have
supported the Commissioner’s view that personal information will not be
fairly obtained unless the individual has been informed of the non-obvious
purpose or purposes for which it is required, before the information is
obtained.”

And

“Where the data controller already holds information for a specific
purpose, it can only be used for a different purpose that would not have
been envisaged by the data subject at the time of collection of the
information, if the data controller has the consent of the data subject.”

The last sentence in the quote from the DCA is also a nonsense.  Why is any
other use compatible as long as it is not the opposite or contrary?  Is
fishing compatible with geology?  What would be a contradictory purpose to
collecting Council Tax?  Supporting a political movement aimed at its
abolition by making it unworkable –possibly – but almost anything else
would not be contradictory.

It would be interesting to know what the Commissioner had to say about the
Guidance.  Has he published his response to the consultation by the DCA?

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
       All archives of messages are stored permanently and are
      available to the world wide web community at large at
      http://www.jiscmail.ac.uk/lists/data-protection.html
      If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
            All user commands can be found at : -
        http://www.jiscmail.ac.uk/help/commandref.htm
  (all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^