Ian Mansbach on 29 September 2004 at 17:57 said:- > There are a number of possible > interpretations as to when information requiring third party > consent must be > be supplied. My preferred one is for the clock starting at > the same point in > time as for non-consent data and ending 40 days therafter or, > if later, the > day consent is received. My reasoning is that once consent is > obtained, > relief from the obligation to comply with the SAR granted by s7(4) > evaporates. The obligation to respond in respect of the third party > information kicks in the moment consent is obtained. Others > may, of course, > hold different views. Surely a strange situation could then arise if no consent were ever received; either because the request for consent was not received by the third party (out of date address data?) or that the request was ignored. What would be the situation of a data controller placed in that position? Ian W > -----Original Message----- > From: This list is for those interested in Data Protection > issues [mailto:[log in to unmask]] On Behalf Of > Ian Mansbach > Sent: 29 September 2004 17:57 > To: [log in to unmask] > Subject: Re: Third party response consent. Was - RE: SAR and > compliance calendar days > > > My goodness, Ian W, you've made me go search out my old text books! > > The view is expressed in one of the leading legal > authorities, Rosemary Jay > and Angus Hamilton's "Data Protection Law and Practice", in > the following > terms: > > "Where any of the data are third party data for which consent is being > sought for disclosure a separate 40-day clock ticks for that > data only". > > My understanding is that the proposition flows from the words in s7(8) > "Subject to subsection (4)...". > > In practical terms, this means dividing the response into 2 > parts: that > which necessitates third party consent and that which > doesn't. Each part > needs to be dealt with promptly and, in any event, within 40 > days. In the > case of data which does not require third party consent, it > is clear the > clock starts ticking on the day the SAR is received or, if > later, the first > day on which the other criteria are met (fee and information > to be satisfied > about identity and location of data). There are a number of possible > interpretations as to when information requiring third party > consent must be > be supplied. My preferred one is for the clock starting at > the same point in > time as for non-consent data and ending 40 days therafter or, > if later, the > day consent is received. My reasoning is that once consent is > obtained, > relief from the obligation to comply with the SAR granted by s7(4) > evaporates. The obligation to respond in respect of the third party > information kicks in the moment consent is obtained. Others > may, of course, > hold different views. > > Ian Mansbach > Mansbachs > Data Protection Practitioners > [log in to unmask] > phone: 0871 716 5060 > > > -----Original Message----- > From: This list is for those interested in Data Protection issues > [mailto:[log in to unmask]] On Behalf Of Ian Welton > Sent: 29 September 2004 16:33 > To: [log in to unmask] > Subject: [data-protection] Third party response consent. Was > - RE: SAR and > compliance calendar days > > > Ian Mansbach on 29 September 2004 at 14:39 said:- > > > It is believed that information which cannot be disclosed without > > first obtaining third party consent according to s7(4) is subject > > to a separate 40 > > day period. Accordingly, one should comply with the rest of > > the request > > first and then follow on with information for which one > > subsequently gets > > consent as soon as permission is received for that information. > > When would any separate 40 day period start from, and what > supports the > belief that may happen? > > Ian W > > > > -----Original Message----- > > From: This list is for those interested in Data Protection issues > > [mailto:[log in to unmask]] On Behalf Of Ian Mansbach > > Sent: 29 September 2004 14:39 > > To: [log in to unmask] > > Subject: Re: SAR and compliance calendar days > > > > > > Looking at this solely from a DPA perspective, there is a > distinction > > between omissions from an SAR and rectification of > inaccurate personal > > data. > > > > S7(8) requires one to comply with an SAR "promptly" and in > any event > > within 40 calendar days. The 40 days start on the day the SAR is > > received or, if > > later, the first day on which one has: (1) any required fee, > > and (2) any > > required information needed to (a) to satisfy oneself as to > > the identity of > > the requestor, and (b) to locate the requested data. The > > response must be > > complete to comply. So, if personal data was missing from > the initial > > response, the missing data must be found and passed on > > promptly and, in any > > event, within the original 40 day period. > > > > It may be that the 14 day time limit requested takes into > account the > > remaining days to comply with the 40 day maximum, or it may be that > > the data subject is granting a concession beyond the > original maximum > > period. In > > either event, it is probably reasonable but, if it is not > > possible to comply > > within that time then it would be wise to write explaining > > the situation and > > proposing an alternative date by when you will comply (always > > bearing in > > mind the requirement to respond "promptly"). > > > > It is believed that information which cannot be disclosed without > > first obtaining third party consent according to s7(4) is subject > > to a separate 40 > > day period. Accordingly, one should comply with the rest of > > the request > > first and then follow on with information for which one > > subsequently gets > > consent as soon as permission is received for that information. > > > > There is no time limit to rectify inaccurate personal data. > However, > > given the potential legal remedies, it would be wise to rectify > > data as soon as > > possible and to notify the data subject accordingly. > > > > Ian Mansbach > > Mansbachs > > Data Protection Practitioners > > [log in to unmask] > > phone: 0871 716 5060 > > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > All archives of messages are stored permanently and are > available to the world wide web community at large at > http://www.jiscmail.ac.uk/lists/data-protection.html > If you wish to leave this list please send the command > leave data-protection to [log in to unmask] > All user commands can be found at : - > http://www.jiscmail.ac.uk/help/commandref.htm > (all commands go to [log in to unmask] not the list please) > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > All archives of messages are stored permanently and are > available to the world wide web community at large at > http://www.jiscmail.ac.uk/lists/data-protection.html > If you wish to leave this list please send the command > leave data-protection to [log in to unmask] > All user commands can be found at : - > http://www.jiscmail.ac.uk/help/commandref.htm > (all commands go to [log in to unmask] not the list please) > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ All archives of messages are stored permanently and are available to the world wide web community at large at http://www.jiscmail.ac.uk/lists/data-protection.html If you wish to leave this list please send the command leave data-protection to [log in to unmask] All user commands can be found at : - http://www.jiscmail.ac.uk/help/commandref.htm (all commands go to [log in to unmask] not the list please) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^