Dear All,

Thanks for the helpful and thoughtful posts on this topic.  I appreciate that the advice can be very specific to the question asked.  The blog post would focus on the general principles.  A more detailed response could be done off the blog through email, with the general principles brought to the blog.

 

For example, someone may contact me and ask "As part of my job role, I have access to databases of information stored by the Council. Can I use my access to look up details on behalf of friends or relatives if they ask me to?"

 

For a data protection officer, the answer is clear. For experienced officers, this should be obvious.  For new officers, who may be unsure of procedures or situations like this, it may not be obvious.  They may have been told not to but not understand why.

 

In a blog you could explain this such as

"No. Although you may have permission from the person you are still not authorised to view this information at work as it is not part of your job. They may not be aware of the full extent of the information held about them. Therefore information they did not expect you to see will be shared with you. As well of this you will be considered to be improperly accessing information and conducting personal business in work time. If your friend or family want to view the personal information held by the council you should advise them to contact the data protection officer so it can be in line with the data protection act."

 

I appreciate that this may be an obvious point, but it is also a way to make other people, who may have the same concerns, but not want to ask (for fear of revealing ignorance or impropriety).  Thus, someone can see the issue and address the point.

 

At the same time, such questions can give you a sense of where the gaps are regarding knowledge and awareness on these topics.  My concern is that these questions are likely held by at least 10 other people who may have a similar concern, but are unwilling to ask.

 

I guess this gets back to how we leverage data protection knowledge within an organisation to help staff understand their roles and responsibilities under the Act. Do we wait for the questions or do we attempt to be proactive? I would be interested in the different ways to approach this issue.

 

Best,

 

Lawrence

 

 

 

 

 

 

 




Help protect our environment by only printing this email if absolutely necessary. The information it contains and any files transmitted with it are confidential and are only intended for the person or organisation to whom it is addressed. It may be unlawful for you to use, share or copy the information, if you are not authorised to do so. If you receive this email by mistake, please inform the person who sent it at the above address and then delete the email from your system. Durham County Council takes reasonable precautions to ensure that its emails are virus free. However, we do not accept responsibility for any losses incurred as a result of viruses we might transmit and recommend that you should use your own virus checking procedures.

All archives of messages are stored permanently and are available to the world wide web community at large at http://www.jiscmail.ac.uk/lists/data-protection.html

Selected commands (the command has been filled in below in the body of the email if you are receiving emails in HTML format):

All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm and are sent in the body of an otherwise blank email to [log in to unmask]

Any queries about sending or receiving messages please send to the list owner [log in to unmask]

(Please send all commands to [log in to unmask] not the list or the moderators, and all requests for technical help to [log in to unmask], the general office helpline)