 |
 |
Fortunately an issue of only occasional relevance since most category E manual data IS subject to a SAR. Only that within s33A(2) which I assume covered your original example is exempt.
Even for a non-public organisation the issue is not necesarily as envisaged because the 'manual' report would in most cases probably be part of a relevant filing system or intended by the data controller so to be* .
Even if not category C data does that mean we have to search all photocopiers just on the off chance that someone may at one time have copied a piece of paper which we admit to having but is technically not 'data' ? I think s7(3)(a) may have some relevance, and also (subjected to awaited appeal decsions) the concept of reasonable and proprtionate searches.
* Even if an officer keeps an unofficial note , for his own purposes, it is probably the case when you consder the controller's policies and procedures etc. that you will be able to show that these should be in the proper file as they will contractually belong to the employer and it is unlikely employer will claim he sanctions such unofficial record keeping.
----- Original Message -----
From: Lawrence Serewicz
Sent: 07/30/13 04:00 PM
Subject: [data-protection] ] Two Monday morning DPA challenges
Phil and everyone else who responded,
Yes, I agree about the beyond use. I was being sloppy with my technology (see below).
In both cases, the material was exempt under s.33(A). It was category E data rather than category C. ( I was a bit loose in the language by saying it was not covered by A-E (it is still category E)).
In the first scenario. They are beyond use. I was thinking of a scenario where they could be extracted from the photocopier. I know that this is rare today, but the access is destined to increase. If we compare today to thirty years ago when photocopiers did not retain a copy as they did not have hard drives so the “processing” was different, future photocopiers are likely to allow such copies to be accessed with increased ease.
The main point in both scenarios was that the data was manual until processed (either by photocopying or by scanning to be an electronic copy). The sub-argument was whether a manual file that is photocopied becomes data. As Jonathan explained, it would be now be processed and therefore personal data. In effect it would go from category E to category A.
The second scenario the issue was a matter of dates. At the first request, the material was manual data (category E) until processed. The material would also be exempt under s.33(A) The follow up SAR would capture it as it had become data. It had been processed (scanned to a file to be sent as an attachment via email) and thus held as data by the organisation.
The issue highlights how one part of an organisation can understand a document as manual data, and therefore exempt under s.33 (A) unaware that another part of the organisation has processed it and turned it into personal data ie Category A data.
Also, it was to highlight the issue that the organisation could disclose the material in the spirit of the DPA although it could be considered exempt under s.33(A) in scenario 1 but *not* in scenario 2. (In scenario 2 it would not be exempt under s.33(A) because it was not category E data as it had become category A data).
As DPA advisers, we would have to provide the full DPA advice considering what the letter and the spirit of the Act require. Whatever our personal views, the organisation, as data controller, will decide what it wants to disclose ie whether it wants to override s.33(A) or not in scenario 1. We would also have to be vigilant, in giving our advice, to scenarios 2 where one part of an organisation views the material as manual data (ie category E) while another part has it as category A.
Thanks again to everyone for helping me think through the issues.
Best,
Lawrence
From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of Phil Bradshaw
Sent: 29 July 2013 14:15
To: [log in to unmask]
Subject: Re: [data-protection] Two Monday morning DPA challenges
How about this from ICO guide on deleting data :
However, the ICO will adopt a realistic approach in terms of recognising that deleting information from a system is not always a straightforward matter and that it is possible to put information ‘beyond use’, and for data protection compliance issues to be ‘suspended’ provided certain safeguards are in place:
1. information has been deleted with no intention on the part of the data controller to use or access this again, but which may still exist in the electronic ether. For example, it could be waiting to be over-written with other data.
I know the scenario is not about deletion as such but there are clear parallels if you adopt a 'realistic approach' as in all my years at work I cannot ever remember ever wanting to access a photocopier hard disk - so far as most users are concerned this is 'beyond use'. Does 'realistic' mean not strictly complying with the law ?
Help protect our environment by only printing this email if absolutely necessary. The information it contains and any files transmitted with it are confidential and are only intended for the person or organisation to whom it is addressed. It may be unlawful for you to use, share or copy the information, if you are not authorised to do so. If you receive this email by mistake, please inform the person who sent it at the above address and then delete the email from your system. Durham County Council takes reasonable precautions to ensure that its emails are virus free. However, we do not accept responsibility for any losses incurred as a result of viruses we might transmit and recommend that you should use your own virus checking procedures.All archives of messages are stored permanently and are available to the world wide web community at large at http://www.jiscmail.ac.uk/lists/data-protection.html
Selected commands (the command has been filled in below in the body of the email if you are receiving emails in HTML format):
- Leaving this list: send leave data-protection to [log in to unmask]
- Suspending emails from all JISCMail lists: send SET * NOMAIL to [log in to unmask]
- To receive emails from this list in text format: send SET data-protection NOHTML to [log in to unmask]
- To receive emails from this list in HTML format: send SET data-protection HTML to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm and are sent in the body of an otherwise blank email to [log in to unmask]
Any queries about sending or receiving messages please send to the list owner [log in to unmask]
(Please send all commands to [log in to unmask] not the list or the moderators, and all requests for technical help to [log in to unmask], the general office helpline)
All archives of messages are stored permanently and are available to the world wide web community at large at http://www.jiscmail.ac.uk/lists/data-protection.html
Selected commands (the command has been filled in below in the body of the email if you are receiving emails in HTML format):
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm and are sent in the body of an otherwise blank email to [log in to unmask]
Any queries about sending or receiving messages please send to the list owner [log in to unmask]
(Please send all commands to [log in to unmask] not the list or the moderators, and all requests for technical help to [log in to unmask], the general office helpline)