This is a straight SAR for CCTV data, S29 does not apply as there are no proceedings, banning the child from the store is a domestic matter and not attached to proceedings that would engage non-disclosure provisions.
This is way I have always dealt with parent on behalf of child SARs:
1. Was the request received in writing?
2. Is the information requested held?
3. Is the requester the data subject?
4. How old is the child?
5. If over 12 (Fraser guidelines/ Gillick competency)
6. If over 12 and competent, child to be treated as an adult and parent does not overrule child’s rights as ‘the’ data subject
7. If under 12, who presents to the data controller as the most appropriate person responsible for the child
8. Once responsible person is identified, deal with that person on behalf of the data subject, recording the ID shown and a copy of information disclosed
In this case, I would need to see evidence of Mr A’s link to the data subject so that he can exercise the data subjects rights on their behalf. Fostering documentation should be adequate along with something with the current address of Mr A and something with his photo such as driving licence or passport.
I wouldn’t go any further than that as I would now have enough to show that I have received the SAR correctly and supplied the information to the correct person to the best of my ability and have records to show that
Regards
Neil
From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]]<mailto:[mailto:[log in to unmask]]> On Behalf Of Grimbaldus
Sent: 12 February 2013 05:30
To: [log in to unmask]<mailto:[log in to unmask]>
Subject: Re: [data-protection] SAR from step-father
Chris
Many thanks. I have taken the liberty of adding the DP list back in to the circulation.
Re the relationship, if Mr A is a foster parent, there is a fair presumption that any partner of his is too and is neither a birth nor adoptive parent. If he is step-father, then his partner might be one of Master B's birth or adoptive parents ... or not.
Note the careful choice of words, modern family relationships can be a challenge to Data Controllers such as retailers, who have no access to detailed Personal Data about the Data Subject and others in their family - the like of which Local Authorities (for example) have.
I have not had to deal with a SAR from a 'parent' before. Should I ask for birth certificate, adoption papers, fostering papers, etc., as evidence? What is acceptable?
Re s29, I could argue that disclosure of the images would reveal the positions of the CCTV cameras and any limitations there might be as to their resolution or coverage, thus acting to prejudice our detection of crime.
M
Sent from my iPad
On 11 Feb 2013, at 23:10, "Chris Spray" <[log in to unmask]<mailto:[log in to unmask]>> wrote:
Hi, technically, I believe that unless the “step father” has formally adopted the child he has no legal parental responsibility and therefore I would only allow the mother to do it, so I wouldn’t even bother to try and validate the relationship. I’d tell him to get the mother to get in touch?
Playing devil’s advocate, re S29 how would disclosure of the CCTV images prejudice the prevention or detention if crime?
Chris
From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of Grimbaldus
Sent: 11 February 2013 17:28
To: [log in to unmask]<mailto:[log in to unmask]>
Subject: Re: [data-protection] SAR from step-father
Phil
Many thanks.
I would argue that s29(1)(a) still applies, as we have taken action to bar Master B, regardless of the police NFAing it.
From what Master B said to the police - and he was very evasive and seemed particularly streetwise - we believe there was an accomplice. There are also numerous employees in the various images, the majority of them not being involved in the incident. Some shoppers may be known by sight. Others might be identifiable from other information in our possession.
The question of validating the relationship between Mr A and Master B is more troubling. Particularly as I have learned in the meanwhile that Mr A was not particularly helpful at the time, and that, in conversation, he described his relationship as "foster parent" and part of his identity evidence was an ID card from a foster agency.
M
Sent from my iPad
On 11 Feb 2013, at 17:15, Phil Bradshaw <[log in to unmask]<mailto:[log in to unmask]>> wrote:
Given the decsion not to take action, s29 does not seem available, as disclosure fails the "likely to prejudice any of the matters" test.
My inclination would be to disclose pixelating out both Master A and Master B. That is to minimise any mischief or emabarrassment to B in the event A decides to 'publish' the video. I do not think that breaches s7 as they know who they are so no PD has really been withheld.
Indeed I think that more of a concern than the bystanders who presumably are entirely innocent and not pixelating them may not breach their rights - but I would do it anyway
----- Original Message -----
From: Grimbaldus
Sent: 02/11/13 04:51 PM
To: [log in to unmask]<mailto:[log in to unmask]>
Subject: [data-protection] SAR from step-father
We (in the retail sector) have received a SAR from a person claiming to be the step-father of an individual who was involved in an attempted theft from premises. The police attended but released the offender owing to his being aged under 10. The purloined items were voluntarily returned prior to the police attending.
The step-father - who has supplied satisfactory means of identifying himself - is requesting sight of the CCTV images taken on the premises at the time of the incident. I am minded to decline, citing DPA Pt 4, s29(1)(a) and (b).
However, in case the business prefers to disclose, it seems to me to be necessary to satisfy ourselves that Mr A is the step-father of Master B (they have different family names and appear to be different nationalities from their names and appearances). What form of evidence of the relationship would the learned and experienced correspondents on here consider to be satisfactory?
Further, would CCTV images of Master B on his escorted way out of the premises be covered by the exemption? Would images of him on his way in be covered, as we cannot demonstrate any intent at that stage?
Whilst we will pixelate faces of others on the CCTV, should we pixelate Mr A's face, as he is not the Data Subject?
The organisation does try to be extra helpful, and disclosure of CCTV is not uncommon.
Many thanks for readers' consideration of these questions, and more thanks for answers.
M
________________________________
The National Trust is a registered charity no. 205846. Our registered office is Heelis, Kemble Drive, Swindon, Wiltshire SN2 2NA.
The views expressed in this email are personal and may not necessarily reflect those of the National Trust unless explicitly stated otherwise.
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error, please notify me immediately. If you are not the intended recipient of this email, you should not copy it for any purpose, or disclose its contents to any other person. Senders and recipients of email should be aware that, under the Data Protection Act 1998, the contents may have to be disclosed.
This email has been scanned by the MessageLabs Email Security System. For more information please visit <http://www.messagelabs.com/email>. However the National Trust cannot accept liability for viruses that may be in this email and we recommend that you check all emails with an appropriate virus scanner.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
