I received a response to one of my outstanding RFAs today from the OIC.
Part of it states:
In 2003 a new ruling was made in relation to subject access requests
(Durant v FSA 2003). This ruling adopts a more restrictive approach than
the office has previously taken. Please be awware that the office is
still considering the full effects of the ruling and its implicatation
but it seems likely that in light of the Durant Ruling the purpose of
section 7 of the DPA 1998 is to enable an individual to check whether a
data controller's processing of his persona data unlawfully infringes
his privacy.
It is not an automatic key to any information, readily accessible or
not, of matters in which he may be named or involved. It is likely in
most cases that only information that named and directly refers to him
will quality. It is our view that this information does not quality as
personal data.
As much of the information I was seeking to obtain was comments that
members of staff made about work I did for the company (including comments
that whilst I as working there I had to complain about), I find this to
be a complete disregard for what I believed to be one of the purposes
of the DPA.
The company in question also provided approximately 1000 pages of
completely unintellible information dumped directly from their database,
most of which was in the form of:
19847 43821 401854
19847 43910 1048941
... etc for hundreds of pages.
With each section of this they provided a reference to what this section
was called (e.g. 'tat'), and headers which supposedly state the column
information (customerid, tatid, otherid(!)).
The OIC have also failed to get the company to elucidate further on this
declaring that "<the company> states that much of the information is
techical, and in each case they have provided details of what the
information provided represents, including table headers."
They have therefore closed the investigation.
My view on this is that, particularly with regard to Durant, the UK is now
no longer in compliance with the objectives of the original EC directive,
and that Subject Access is now almost entirely a myth. A company can
refuse to provide most information; and what they do provide can be
completely unintelligible.
Under this new approach, I suspect that most organisations will be able
to relax their DPA procedures significantly, and that many of those
currently employed in full-time Data Protection roles could be out of
a job within a year.
Tony
Tony
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
http://www.jiscmail.ac.uk/help/commandref.htm
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
