JISCMail - DATA-PROTECTION Archives

All the examples and views given do serve to illustrate the necessity for
carefully considered views informing the policy of the data controller,
which obviously then requires fully implementing.

There are many examples of police officers (including inspectors and above)
abusing the s.29(3) exemptions, for domestic, financial, or other personal
purposes, resulting in a reduction of trust in every individual police
officers discretion and an increased internal trend by the police service of
requiring an inspector rank to countersign the originating request.
Inevitably in such a culture, as further abuses come to light which that
authority level has proven insufficient to stop, pressures to further raise
the level of authority across the board are likely to initially be seen as a
previously effective and simple to implement rectification exercise.

Many organisations will suffer similar issues, (I do recall where a member
of the political establishment was shown to have abused s.29(3) - the
flexibility provided by police discretion was thought suitable to deal with
that case as part of an internal exercise.) to varying extents with any
level of staff, and each will no doubt seek to implement resolutions
suitable for their organisational culture and the data in question. Hence
the need to ensure requesting organisations views are reflected in any
authority level for s.29(3) disclosures, but they should not be the only
determining factor.

Many issues could well identify variations in the associated risks and
required authority dependent upon the organisation being disclosed to, the
data itself, the purpose held, and the ease of administration within each
data controller organisation.

My experience has shown that some organisations accepted a constable’s
authority for some data but that an inspector’s authority was often
insufficient for access to other data. Should a s.29(3) request be refused
the policing organisation may always consider other options.  e.g. I
perceive many circumstances where a s.29(3) request signed by a police
inspector and served on a journalistic organisation could well be rejected
and have seen other circumstances where direct computer access is granted to
service s.29(3) requests with the level of authority delegated to temporary
staff operating computer terminals working within given parameters provided
in a policy document and the work being audited subject to operational
requirements as opposed to identified risk or need. I would hazard a guess
operational requirements in the recent security environment have largely
taken precedence over many more mundane administrative matters.

Whilst a general acceptance by all organisations of an inspectors counter
signature may be simple for the police to train their officers in, and does
greatly simplify the internal training and administration there, it clearly
does not reflect the varying levels of security risk associated with the
personal data held by all organisations in the wider community, and in
itself often creates a weakness.  i.e. Overworked police inspectors (or
acting inspectors) signing a pile of what may be viewed at the time as
routine s.29(3) requests during the end of a shift may provide nothing more
than merely a consistent level of authority.

In a similar way to any data fishing exercise, seemingly measured s.29(3)
requests may result in data which is excessive, or more costly to maintain
for the purpose than intended, whilst also distracting the data controllers
involved.

As has been previously muted by others a number of times a very real level
of audit of s.29(3) separate from both data controllers could be provided by
a requirement for disclosure of the s.29(3) data disclosure to a data
subject at a sufficient time after an exemption had been granted not to
cause a compromise.
Unfortunately views that having to provide details of audit trail access to
records as part of any subject access request are more frequently seen as
additional costs or possible compromises for data controllers, than real
benefits which may be achieved by such audit details forming part of any
database record, and deny the difficulties caused by audit trails themselves
being subject to subject access, making considerations regarding time
limiting compromises for data controllers more difficult to identify and
alienating compromised data subjects.


Ian W


> -----Original Message-----
> From: This list is for those interested in Data Protection
> issues [mailto:[log in to unmask]] On Behalf Of
> Roland Perry
> Sent: 07 January 2006 19:14
> To: [log in to unmask]
> Subject: Re: Section 29(3)
>
>
> In message
> <[log in to unmask]>, at
> 20:14:49 on Fri, 6 Jan 2006, Christopher Spray
> <[log in to unmask]> writes
>
> >I can't seem to find an up to date version of the form
>
> This site (which I maintain) has the history of the first two
> generations of 29(3) form:
>
> http://www.internetcrimeforum.org.uk/dpa29-3form.html
>
> If anyone has any later versions available I'd be happy to
> include them.
>
>  >I think the more up to date versions include a confirmation
> that  >failure to provide the information would be likely to
> prejudice the
>  >investigation (to give you assurance under the S29(3)
> requirements for  >disclosure).
>
> The form I have says that "failure to provide the information
> will, in
> [the authorising officer's] view, be likely to prejudice" ..
> either ..
> "The prevention and detection of crime, or the apprehension or
> prosecution of offenders" or "National Security".
>
> Whether or not that's a sufficient claim to provide 100% assurance is
> still something that requires evaluating in the light of individual
> circumstances when the form is received.
> --
> Roland Perry
> Secretariat, Internet Crime Forum.
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>        All archives of messages are stored permanently and are
>       available to the world wide web community at large at
>       http://www.jiscmail.ac.uk/lists/data-protection.html
>       If you wish to leave this list please send the command
>        leave data-protection to [log in to unmask]
>             All user commands can be found at : -
>         http://www.jiscmail.ac.uk/help/commandref.htm
> Any queries about sending or receiving message please send to
> the list owner
>               [log in to unmask]
>   (all commands go to [log in to unmask] not the list please)
>    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
--
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.371 / Virus Database: 267.14.11/219 - Release Date: 1/2/06

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
       All archives of messages are stored permanently and are
      available to the world wide web community at large at
      http://www.jiscmail.ac.uk/lists/data-protection.html
      If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
            All user commands can be found at : -
        http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving message please send to the list owner
              [log in to unmask]
  (all commands go to [log in to unmask] not the list please)
   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^