Coming to this late, as usual.

I always advise staff in training that an audit trail/log is disclosable to a requestor under a SAR. In fact I have been involved in a number of such disclosures (NHS).

It’s personal information. We don't redact. If the requestor then comes back to ask why someone has accessed their record, we then investigate. I have dealt with a number of such issues, more than one of these leading to potential criminal action (Sec. 55 DPA).

Simon Howarth.

-----Original Message-----
From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of Owen Thomas
Sent: 18 September 2015 15:53
To: [log in to unmask]
Subject: Re: [data-protection] Audit log entries - personal data?

Apologies if this has already been mentioned, but the SAR right includes the right "...to be given by the data controller a description of ... the recipients or classes of recipients to whom they are or may be disclosed"

I would argue that 'disclosure' cannot be confined to being an active handover of data and that anyone accessing electronic patient records and learning something new is having information disclosed to them.

I would argue that whether information is freely given to someone or is pulled out of a database by them is dancing on the head of a pin and that information in audit logs does fall within the scope of the SAR, as while log data isn't necessarily the Data Subject's personal data, it is clearly information falling within Section 7(1)(b)(iii) - even if (in the event) it is considered desirable to substitute job titles for names.

Owen


O Thomas
Information Governance Officer
Law & Governance
Commercial & Corporate Services Directorate Sunderland City Council

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
     All archives of messages are stored permanently and are
      available to the world wide web community at large at
      http://www.jiscmail.ac.uk/lists/data-protection.html
     If you wish to leave this list please send the command
       leave data-protection to [log in to unmask] All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
 Any queries about sending or receiving messages please send to the list owner
              [log in to unmask]
  Full help Desk - please email [log in to unmask] describing your needs
        To receive these emails in HTML format send the command:
         SET data-protection HTML to [log in to unmask]
   (all commands go to [log in to unmask] not the list please)
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
