I would say that it may be caught by Sec 55.
Whilst the information held on you may be yours there are some types of information where to see it might cause you distress or damage. There may also be third party information in there which should be redacted and which if accessed would lead the individual down the path of breaching Sec. 55.
The simple answer is that there is no reason that an individual shouldn’t request to see information but it should be done through proper channels in order to protect the individual, the organisation and any third parties.
Imagine you work in an office of a mental health trust and can access one of their medical systems. You look it up and find that your details are there from ten years ago when you saw a psychologist for a mild problem. However, in there were comments made by a close family member expressing their view that you were a nutter (technical term) and not to be trusted. You then confront the family member who in turn complains to the organisation. You get charged under Sec 55 (criminal offence), the organisation inform the ICO of a breach and in turn the ICO fine the trust £50,000. The family member sues and get s a substantial settlement and you loose your job and get a criminal record.
I just noticed that you are a mental health trust, so the example should be familiar!
Also there were a few Sec 55 prosecutions back at the turn of the year. It may be worth using these as examples too.
Hope that helps.
Simon Howarth MBCS CITP
Director
Mob. 07836 365588
@SSHowarth
Webtech Systems Limited t/a The Information Edge, registered in England No. 03428632.
More information from www.informationedge.co.uk
From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of Gudge, Teresa
Sent: 28 June 2012 13:25
To: [log in to unmask]
Subject: [data-protection] Which DPA para actually states you cannot look at your own data
Hello All
Can someone tell me please where in the Act it actually states that you are not allowed to access your own record.?
I know the interpretations of not accessing because it isn’t in the Data Controllers purpose for holding the record, and that you have to put in an SAR to obtain details held by an organisation, but if you work in an organisation and you know there is data held on a system about you – why can’t you access it ??
The obvious statement is that the data doesn’t actually belong to you – it belongs to the organisation.
Agree ? Disagree ? Help Please
Teresa Gudge
IT Security Specialist
BCS-ISEB CISM; ISEB Data Protection
Avon and Wiltshire Mental Health Partnership NHS Trust
Bath NHS House, Newbridge Hill, Bath, BA1 3QE
T: 01225 731774 Mobile 07826953268
PLEASE REMEMBER: If you need to send Patient Identifiable Information to any external e-mail address the information MUST BE SENT IN AN ENCRYPTED FILE. Please contact the Information Team to arrange.
|
All archives of messages are stored permanently and are available to the world wide web community at large at http://www.jiscmail.ac.uk/lists/data-protection.html
Selected commands (the command has been filled in below in the body of the email if you are receiving emails in HTML format):
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm and are sent in the body of an otherwise blank email to [log in to unmask]
Any queries about sending or receiving messages please send to the list owner [log in to unmask]
(Please send all commands to [log in to unmask] not the list or the moderators, and all requests for technical help to [log in to unmask], the general office helpline)