Ian Mansbach on 30 September 2004 at 17:18 said:-

> The position is not much different from that of consent being refused. If
> you have been diligent in seeking consent and you don't get it for whatever
> reason then, unless it is reasonable in all the circumstances to disclose
> the third party data without consent, you are not obliged to provide it. The
> steps taken in seeking consent, whether the third party is capable of giving
> it, and any express refusal to give consent are specific considerations to
> be taken into account in deciding whether it is reasonable to disclose
> without consent. If one has sought consent and nothing has been heard by
> shortly before the 40th day on the SAR clock then it would be wise to
> consider whether it is reasonable to disclose without consent. In that way,
> if you decide it is reasonable, you still have time to comply.

If the SAR clock for third party consent data starts on the date that it was
recognised consent may be needed, and that date was approximately thirty
days down the line from the original start date, it could mean a full
response was not given until as much as seventy days or more after the
request was received.

That seems a very tenuous conclusion to reach from the DPA wording itself,
notwithstanding that the decision on reasonableness could still need to be
taken.

Ian W

> -----Original Message-----
> From: This list is for those interested in Data Protection issues
> [mailto:[log in to unmask]] On Behalf Of Ian Mansbach
> Sent: 30 September 2004 17:18
> To: [log in to unmask]
> Subject: Re: Third party response consent. Was - RE: SAR and
> compliance calendar days
>
>
> The position is not much different from that of consent being refused. If
> you have been diligent in seeking consent and you don't get it for whatever
> reason then, unless it is reasonable in all the circumstances to disclose
> the third party data without consent, you are not obliged to provide it. The
> steps taken in seeking consent, whether the third party is capable of giving
> it, and any express refusal to give consent are specific considerations to
> be taken into account in deciding whether it is reasonable to disclose
> without consent. If one has sought consent and nothing has been heard by
> shortly before the 40th day on the SAR clock then it would be wise to
> consider whether it is reasonable to disclose without consent. In that way,
> if you decide it is reasonable, you still have time to comply.
> 
> Ian Mansbach
> Mansbachs
> Data Protection Practitioners
> [log in to unmask]
> phone: 0871 716 5060
> 
> 
> -----Original Message-----
> From: This list is for those interested in Data Protection issues
> [mailto:[log in to unmask]] On Behalf Of Ian Welton
> Sent: 30 September 2004 09:51
> To: [log in to unmask]
> Subject: Re: [data-protection] Third party response consent.
> Was - RE: SAR and compliance calendar days
> 
> 
> Ian Mansbach on 29 September 2004 at 17:57 said:-
> 
> > There are a number of possible interpretations as to when information
> > requiring third party consent must be supplied. My preferred one is for
> > the clock starting at the same point in time as for non-consent data and
> > ending 40 days thereafter or, if later, the day consent is received. My
> > reasoning is that once consent is obtained, relief from the obligation
> > to comply with the SAR granted by s7(4) evaporates. The obligation to
> > respond in respect of the third party information kicks in the moment
> > consent is obtained. Others may, of course, hold different views.
> 
> Surely a strange situation could then arise if no consent were ever
> received; either because the request for consent was not received by the
> third party (out of date address data?) or that the request was ignored.
>
> What would be the situation of a data controller placed in that position?
> 
> 
> Ian W
> 
> > -----Original Message-----
> > From: This list is for those interested in Data Protection issues 
> > [mailto:[log in to unmask]] On Behalf Of Ian Mansbach
> > Sent: 29 September 2004 17:57
> > To: [log in to unmask]
> > Subject: Re: Third party response consent. Was - RE: SAR and
> > compliance calendar days
> >
> >
> > My goodness, Ian W, you've made me go search out my old text books!
> >
> > The view is expressed in one of the leading legal authorities,
> > Rosemary Jay and Angus Hamilton's "Data Protection Law and Practice",
> > in the following terms:
> >
> > "Where any of the data are third party data for which consent is being
> > sought for disclosure a separate 40-day clock ticks for that data
> > only".
> >
> > My understanding is that the proposition flows from the words in s7(8)
> > "Subject to subsection (4)...".
> >
> > In practical terms, this means dividing the response into 2 parts: that
> > which necessitates third party consent and that which doesn't. Each
> > part needs to be dealt with promptly and, in any event, within 40 days.
> > In the case of data which does not require third party consent, it is
> > clear the clock starts ticking on the day the SAR is received or, if
> > later, the first day on which the other criteria are met (fee and
> > information to be satisfied about identity and location of data). There
> > are a number of possible interpretations as to when information
> > requiring third party consent must be supplied. My preferred one is for
> > the clock starting at the same point in time as for non-consent data and
> > ending 40 days thereafter or, if later, the day consent is received. My
> > reasoning is that once consent is obtained, relief from the obligation
> > to comply with the SAR granted by s7(4) evaporates. The obligation to
> > respond in respect of the third party information kicks in the moment
> > consent is obtained. Others may, of course, hold different views.
> >
> > Ian Mansbach
> > Mansbachs
> > Data Protection Practitioners
> > [log in to unmask]
> > phone: 0871 716 5060
> >
> >
> > -----Original Message-----
> > From: This list is for those interested in Data Protection issues 
> > [mailto:[log in to unmask]] On Behalf Of Ian Welton
> > Sent: 29 September 2004 16:33
> > To: [log in to unmask]
> > Subject: [data-protection] Third party response consent. Was
> > - RE: SAR and
> > compliance calendar days
> >
> >
> > Ian Mansbach on 29 September 2004 at 14:39 said:-
> >
> > > It is believed that information which cannot be disclosed without
> > > first obtaining third party consent according to s7(4) is subject to
> > > a separate 40 day period. Accordingly, one should comply with the
> > > rest of the request first and then follow on with information for
> > > which one subsequently gets consent as soon as permission is received
> > > for that information.
> >
> > When would any separate 40 day period start from, and what supports 
> > the belief that may happen?
> >
> > Ian W
> >
> >
> > > -----Original Message-----
> > > From: This list is for those interested in Data Protection issues 
> > > [mailto:[log in to unmask]] On Behalf Of Ian Mansbach
> > > Sent: 29 September 2004 14:39
> > > To: [log in to unmask]
> > > Subject: Re: SAR and compliance calendar days
> > >
> > >
> > > Looking at this solely from a DPA perspective, there is a distinction
> > > between omissions from an SAR and rectification of inaccurate personal
> > > data.
> > >
> > > S7(8) requires one to comply with an SAR "promptly" and in any event
> > > within 40 calendar days. The 40 days start on the day the SAR is
> > > received or, if later, the first day on which one has: (1) any
> > > required fee, and (2) any required information needed (a) to satisfy
> > > oneself as to the identity of the requestor, and (b) to locate the
> > > requested data. The response must be complete to comply. So, if
> > > personal data was missing from the initial response, the missing data
> > > must be found and passed on promptly and, in any event, within the
> > > original 40 day period.
> > >
> > > It may be that the 14 day time limit requested takes into account the
> > > remaining days to comply with the 40 day maximum, or it may be that
> > > the data subject is granting a concession beyond the original maximum
> > > period. In either event, it is probably reasonable but, if it is not
> > > possible to comply within that time then it would be wise to write
> > > explaining the situation and proposing an alternative date by when you
> > > will comply (always bearing in mind the requirement to respond
> > > "promptly").
> > >
> > > It is believed that information which cannot be disclosed without
> > > first obtaining third party consent according to s7(4) is subject to
> > > a separate 40 day period. Accordingly, one should comply with the
> > > rest of the request first and then follow on with information for
> > > which one subsequently gets consent as soon as permission is received
> > > for that information.
> > >
> > > There is no time limit to rectify inaccurate personal data. However,
> > > given the potential legal remedies, it would be wise to rectify data
> > > as soon as possible and to notify the data subject accordingly.
> > >
> > > Ian Mansbach
> > > Mansbachs
> > > Data Protection Practitioners
> > > [log in to unmask]
> > > phone: 0871 716 5060

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
       All archives of messages are stored permanently and are
      available to the world wide web community at large at
      http://www.jiscmail.ac.uk/lists/data-protection.html
      If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
            All user commands can be found at : -
        http://www.jiscmail.ac.uk/help/commandref.htm
  (all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^