JISCMail - DATA-PROTECTION Archives

I don't see why the data subject should have to make a second request. If
you haven't received consent by the end of 40 day period and you decide not
to disclose without consent, and then you receive consent after replying,
the obligation to provide the information still exists. It may have been
legitimate for you not to have disclosed the third party data at the time of
the initial reply but the moment the condition for disclosing it is met you
have to provide it.

Ian M


-----Original Message-----
From: This list is for those interested in Data Protection issues
[mailto:[log in to unmask]] On Behalf Of Atkinson, C.
Sent: 01 October 2004 14:42
To: [log in to unmask]
Subject: Re: [data-protection] Third party response consent. Was - RE: SAR
and compliance calendar days


Concerning the issue of whether there is a separate 40 day 'consent' clock,
when I raised this matter with the Information Commissioner's Office earlier
this year the response was that this interpretation is likely to be
inaccurate and they could find no circumstances in which other additional
forty day periods might apply.

Their view is that at the end of the 40 day period, if you have not received
consent you need to make a decision whether to disclose without such
consent.  However, they did suggest that it would be perfectly proper to
explain to a data subject that additional relevant information may be
available in a short time -  thus allowing them to submit a second request
at a later date.

Colin Atkinson
Data Protection Officer
University of Leicester



-----Original Message-----
From: This list is for those interested in Data Protection issues
[mailto:[log in to unmask]]On Behalf Of Ian Welton
Sent: 01 October 2004 11:29
To: [log in to unmask]
Subject: Re: Third party response consent. Was - RE: SAR and compliance
calendar days


Ian Mansbach on 01 October 2004 at 10:31 said:-

> Perhaps my reference to an SAR clock was confusing. All
> clocks start when
> one receives the SAR or, if later, when one has both the fee and the
> information referred to in s7(3). And they all finish 40 days 
> after that.
> That is clear from s7(8) and s7(10). 
> 
> So, if the clocks run in parallel, why have two or, potentially, more 
> clocks? My interpretation (and I'm uncertain that it is what Jay and 
> Hamilton meant) is that each clock runs with its own promptness 
> obligation. In other words, you don't delay complying with the SAR on 
> the non-consent
> stuff if you are still waiting for consent for third party 
> information. In
> that way, if you do not get consent (and it remains reasonable not to
> provide the data without consent), you have complied with the 
> obligation to
> comply with the SAR promptly. But, as I have said before, others may
> interpret this differently.

I agree.  

Considering this over the last few days, and digging deep into my memory, I
do recall that the ICO's office saying in the past that if they received a
complaint about tardiness on a partial response where the reason given was
awaiting third party consent, they would look more to the measures taken to
obtain the consent and what would be a reasonable time to achieve that,
rather than any self imposed forty day clock commencing on the date it was
recognised consent may be needed; After all it could be nothing was being
done for 30 of those 40 days.

Having said that.  Both views do seem to have some benefits:-

1. The logic of the recognising consent 40 days could provide a much
extended cut off point at which a decision must be taken. (Albeit, dependent
on the actions taken, that could leave the organisation very vulnerable.)

2. An undefined but reasonable period within which to obtain consent, or
determine what action to take in responding with that material. (Which,
dependent on the actions taken, could also leave the organisation
vulnerable.)

It would seem it is probably more important to progress the actions taken to
obtain consent in a timely manner and document them carefully.

Ian W

> -----Original Message-----
> From: This list is for those interested in Data Protection
> issues [mailto:[log in to unmask]] On Behalf Of 
> Ian Mansbach
> Sent: 01 October 2004 10:31
> To: [log in to unmask]
> Subject: Re: Third party response consent. Was - RE: SAR and 
> compliance calendar days
> 
> 
> Perhaps my reference to an SAR clock was confusing. All
> clocks start when
> one receives the SAR or, if later, when one has both the fee and the
> information referred to in s7(3). And they all finish 40 days 
> after that.
> That is clear from s7(8) and s7(10). 
> 
> So, if the clocks run in parallel, why have two or, potentially, more 
> clocks? My interpretation (and I'm uncertain that it is what Jay and 
> Hamilton meant) is that each clock runs with its own promptness 
> obligation. In other words, you don't delay complying with the SAR on 
> the non-consent
> stuff if you are still waiting for consent for third party 
> information. In
> that way, if you do not get consent (and it remains reasonable not to
> provide the data without consent), you have complied with the 
> obligation to
> comply with the SAR promptly. But, as I have said before, others may
> interpret this differently.
> 
> Ian M

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
       All archives of messages are stored permanently and are
      available to the world wide web community at large at
      http://www.jiscmail.ac.uk/lists/data-protection.html
      If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
            All user commands can be found at : -
        http://www.jiscmail.ac.uk/help/commandref.htm
  (all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
       All archives of messages are stored permanently and are
      available to the world wide web community at large at
      http://www.jiscmail.ac.uk/lists/data-protection.html
      If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
            All user commands can be found at : -
        http://www.jiscmail.ac.uk/help/commandref.htm
  (all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
       All archives of messages are stored permanently and are
      available to the world wide web community at large at
      http://www.jiscmail.ac.uk/lists/data-protection.html
      If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
            All user commands can be found at : -
        http://www.jiscmail.ac.uk/help/commandref.htm
  (all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^