
Our Social Work Department and Education Dept have an Open Access Policy
which allows individuals to view their files and obviously those contain
sensitive personal data.  Obviously anything which could cause harm or
distress would not be disclosed.
Doreen
 

-----Original Message-----
From: This list is for those interested in Data Protection issues
[mailto:[log in to unmask]] On Behalf Of Nigel Roberts
Sent: 30 October 2006 18:00
To: [log in to unmask]
Subject: Re: Verification of requestor identity - subject access

Indeed. But 'sensitive data' has always had a different Data Protection
treatment to ordinary data. (And probation and mental health
applications are clearly 'sensitive data').

For sensitive data, more checks /of course/ are required.

But in either case (and if you are a public authority there is a legal
obligation - HRA 1998) such checks MUST be 'proportionate'.

I am certainly not going to provide something with sensitive data on it
(like a bank statement), in order to access data which is routine and
NOT sensitive, clearly fails the 'sledgehammer' test for
proportionality.



Nigel

Simon Howarth wrote:
> I agree with those that say that some form of verification is 
> reasonable, although depending on the type of information required, 
> may lead to a request for less "critical" proof.
> 
> I dealt with requests for medical records for a NHS Trust for a while,
> and being a mental health trust I don't think we could have been doing
> our job properly if we simply relied on a letter and nothing more.
> 
> Part of our process was to send back a form that had to be filled in
> and which request certain information to allow us to proceed knowing
> that any risk of someone impersonating the subject was limited and
> acceptable.
> 
> I would be very worried if I asked for my own sensitive information by
> letter, and was simply granted it - in fact I would be minded to
> complain to the ICO!
> 
> Simon Howarth.
> 
> -----Original Message-----
> From: This list is for those interested in Data Protection issues 
> [mailto:[log in to unmask]] On Behalf Of Nigel Roberts
> Sent: 30 October 2006 14:46
> To: [log in to unmask]
> Subject: Re: [data-protection] Verification of requestor identity - 
> subject access
> 
> RONAN DURNIN wrote:
>> Dear All,
>>
>> I'm currently drafting some guidance concerning subject access
>> requests.
>>
>> With regards to verifying the identity of the requestor is it
>> reasonable to ask that one form of official photographic ID be
>> provided (identity cards, anyone?!) or in the absence of such ID, two
>> of the following:
> 
> I would suggest that it is UNREASONABLE. And the reason it is 
> unreasonable is that unless the person is at a counter, you have no 
> need to have the person's likeness provided or stored.
> 
> I will look up the law, but it seems to me that you need to be 
> reasonably satisfied that a person making the request is who they say 
> they are.
> 
> A signed letter, with a reply address ought to be sufficient to
> satisfy 'reasonably satisfied'. Anyone who writes to you purporting to
> be the person concerned commits the offence of forgery if they are not
> who they say they are.
> 
> If they have access to the person's address, they can easily get hold 
> of a utility bill.
> 
>  > *	Written statement confirming identity of requestor by Religious
>  > Minister, Lawyer/Barrister or GP
>  >
> 
> A bit over the top for a mere SOA (it's not a passport application),
> but certainly sufficient for the purpose.
>
> Nigel
>
> PS: Requesting bank or credit card statements is IMO excessive data
> collection -- you have no need to know who I bank with, or what my
> overdraft limit is!!
> 
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>        All archives of messages are stored permanently and are
>       available to the world wide web community at large at
>       http://www.jiscmail.ac.uk/lists/data-protection.html
>       If you wish to leave this list please send the command
>        leave data-protection to [log in to unmask]
>             All user commands can be found at : -
>         http://www.jiscmail.ac.uk/help/commandref.htm
> Any queries about sending or receiving message please send to the list owner
>               [log in to unmask]
>   (all commands go to [log in to unmask] not the list please)
>    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> 


********************************************************************
* This email is privileged, confidential and subject to copyright. *
* Any unauthorised use or disclosure of its content is prohibited. *
* The views expressed in this communication may not necessarily    *
* be the views held by Scottish Borders Council.                   *
* Please be aware that any email sent or received by the Council   *
* may require to be disclosed by the Council under the provisions  *
* of the Freedom of Information (Scotland) Act 2002.               *
********************************************************************
