Audit Scotland is, without question, a Public Authority. Article 8 is, therefore, very clearly engaged. This is how I see it. The employee has a right to the privacy of their banking arrangements UNLESS the requirement for compulsory disclosure is (a) in accordance with law; and (b) necessary in a democratic society and proportionate. What this means is, that first of all, Audit Scotland must have statutory powers which explicitly allow the compulsion that is apparently placed on the employee. If they do not have powers, the employee does not have to provide the requested information. If sanctions are applied in those circumstances, I would suggest that those sanctions would be ultra vires and therefore unlawful. Even if Audit Scotland do have statutory powers, those powers must be necessary in a democratic society. Article 8 is a qualified Convention right, so justification of necessity is possible. Prevention and detection of crime is one of those justifications which could easily permit qualification of the right. However I fail to see how mere bank account data is necessary in these circumstances. In any event, surely there would have to be some form of reasonable suspiction of an offence to exercise compulsion for the prevention and detection of crime?. Finally, even if you can show that the interference with the Convention right is both according to law, and necessary, it must still be proportionate. This is often called the 'sledgehammer' criterion. (i.e. what you must not use for the purposes of accessing the edible part of nuts). So if the interference is disproportionate (and in the absence of reasonable suspicion it would appear to be) then the interference with the Convention right is unlawful. And the powers of compulsory disclosure, if they exist in in secondary legislation, may potentially be quashed. Does this help? Nigel ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ All archives of messages are stored permanently and are available to the world wide web community at large at http://www.jiscmail.ac.uk/lists/data-protection.html If you wish to leave this list please send the command leave data-protection to [log in to unmask] All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm Any queries about sending or receiving messages please send to the list owner [log in to unmask] Full help Desk - please email [log in to unmask] describing your needs To receive these emails in HTML format send the command: SET data-protection HTML to [log in to unmask] (all commands go to [log in to unmask] not the list please) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^