Ian Mansbach on 29 September 2004 at 17:57 said:-
> There are a number of possible
> interpretations as to when information requiring third party
> consent must be
> be supplied. My preferred one is for the clock starting at
> the same point in
> time as for non-consent data and ending 40 days therafter or,
> if later, the
> day consent is received. My reasoning is that once consent is
> obtained,
> relief from the obligation to comply with the SAR granted by s7(4)
> evaporates. The obligation to respond in respect of the third party
> information kicks in the moment consent is obtained. Others
> may, of course,
> hold different views.
Surely a strange situation could then arise if no consent were ever
received; either because the request for consent was not received by the
third party (out of date address data?) or that the request was ignored.
What would be the situation of a data controller placed in that position?
Ian W
> -----Original Message-----
> From: This list is for those interested in Data Protection
> issues [mailto:[log in to unmask]] On Behalf Of
> Ian Mansbach
> Sent: 29 September 2004 17:57
> To: [log in to unmask]
> Subject: Re: Third party response consent. Was - RE: SAR and
> compliance calendar days
>
>
> My goodness, Ian W, you've made me go search out my old text books!
>
> The view is expressed in one of the leading legal
> authorities, Rosemary Jay
> and Angus Hamilton's "Data Protection Law and Practice", in
> the following
> terms:
>
> "Where any of the data are third party data for which consent is being
> sought for disclosure a separate 40-day clock ticks for that
> data only".
>
> My understanding is that the proposition flows from the words in s7(8)
> "Subject to subsection (4)...".
>
> In practical terms, this means dividing the response into 2
> parts: that
> which necessitates third party consent and that which
> doesn't. Each part
> needs to be dealt with promptly and, in any event, within 40
> days. In the
> case of data which does not require third party consent, it
> is clear the
> clock starts ticking on the day the SAR is received or, if
> later, the first
> day on which the other criteria are met (fee and information
> to be satisfied
> about identity and location of data). There are a number of possible
> interpretations as to when information requiring third party
> consent must be
> be supplied. My preferred one is for the clock starting at
> the same point in
> time as for non-consent data and ending 40 days therafter or,
> if later, the
> day consent is received. My reasoning is that once consent is
> obtained,
> relief from the obligation to comply with the SAR granted by s7(4)
> evaporates. The obligation to respond in respect of the third party
> information kicks in the moment consent is obtained. Others
> may, of course,
> hold different views.
>
> Ian Mansbach
> Mansbachs
> Data Protection Practitioners
> [log in to unmask]
> phone: 0871 716 5060
>
>
> -----Original Message-----
> From: This list is for those interested in Data Protection issues
> [mailto:[log in to unmask]] On Behalf Of Ian Welton
> Sent: 29 September 2004 16:33
> To: [log in to unmask]
> Subject: [data-protection] Third party response consent. Was
> - RE: SAR and
> compliance calendar days
>
>
> Ian Mansbach on 29 September 2004 at 14:39 said:-
>
> > It is believed that information which cannot be disclosed without
> > first obtaining third party consent according to s7(4) is subject
> > to a separate 40
> > day period. Accordingly, one should comply with the rest of
> > the request
> > first and then follow on with information for which one
> > subsequently gets
> > consent as soon as permission is received for that information.
>
> When would any separate 40 day period start from, and what
> supports the
> belief that may happen?
>
> Ian W
>
>
> > -----Original Message-----
> > From: This list is for those interested in Data Protection issues
> > [mailto:[log in to unmask]] On Behalf Of Ian Mansbach
> > Sent: 29 September 2004 14:39
> > To: [log in to unmask]
> > Subject: Re: SAR and compliance calendar days
> >
> >
> > Looking at this solely from a DPA perspective, there is a
> distinction
> > between omissions from an SAR and rectification of
> inaccurate personal
> > data.
> >
> > S7(8) requires one to comply with an SAR "promptly" and in
> any event
> > within 40 calendar days. The 40 days start on the day the SAR is
> > received or, if
> > later, the first day on which one has: (1) any required fee,
> > and (2) any
> > required information needed to (a) to satisfy oneself as to
> > the identity of
> > the requestor, and (b) to locate the requested data. The
> > response must be
> > complete to comply. So, if personal data was missing from
> the initial
> > response, the missing data must be found and passed on
> > promptly and, in any
> > event, within the original 40 day period.
> >
> > It may be that the 14 day time limit requested takes into
> account the
> > remaining days to comply with the 40 day maximum, or it may be that
> > the data subject is granting a concession beyond the
> original maximum
> > period. In
> > either event, it is probably reasonable but, if it is not
> > possible to comply
> > within that time then it would be wise to write explaining
> > the situation and
> > proposing an alternative date by when you will comply (always
> > bearing in
> > mind the requirement to respond "promptly").
> >
> > It is believed that information which cannot be disclosed without
> > first obtaining third party consent according to s7(4) is subject
> > to a separate 40
> > day period. Accordingly, one should comply with the rest of
> > the request
> > first and then follow on with information for which one
> > subsequently gets
> > consent as soon as permission is received for that information.
> >
> > There is no time limit to rectify inaccurate personal data.
> However,
> > given the potential legal remedies, it would be wise to rectify
> > data as soon as
> > possible and to notify the data subject accordingly.
> >
> > Ian Mansbach
> > Mansbachs
> > Data Protection Practitioners
> > [log in to unmask]
> > phone: 0871 716 5060
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> All archives of messages are stored permanently and are
> available to the world wide web community at large at
> http://www.jiscmail.ac.uk/lists/data-protection.html
> If you wish to leave this list please send the command
> leave data-protection to [log in to unmask]
> All user commands can be found at : -
> http://www.jiscmail.ac.uk/help/commandref.htm
> (all commands go to [log in to unmask] not the list please)
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> All archives of messages are stored permanently and are
> available to the world wide web community at large at
> http://www.jiscmail.ac.uk/lists/data-protection.html
> If you wish to leave this list please send the command
> leave data-protection to [log in to unmask]
> All user commands can be found at : -
> http://www.jiscmail.ac.uk/help/commandref.htm
> (all commands go to [log in to unmask] not the list please)
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
http://www.jiscmail.ac.uk/help/commandref.htm
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
