
Interesting.

The ICO guidance and templates were not there last time I looked - admittedly some time back.

My initial reaction is that this would be a silly way to do it for any complex organisation. 

Given that the ICO reined back from having a complex notification document under the old Directive to meet similar requirements, I wonder whether this is based purely on ICO thoughts or on some consistency from Europe. Is there any WP guidance on this yet?

Whilst accepting that my initial response was perhaps a little trite, anything that duplicates what is already fully recorded would seem to me to be excess to requirements. I was responding on the assumption that an organisation already has an effective and comprehensive Information Asset Register with processes that keep it up to date.

Take something such as our Electronic Service Records. They pretty comprehensively cover our whole HR function. They are referenced in our IAR, which will include things like legal basis and data flows; they have a system-level security policy; and the content, the type of data and the purpose are fully documented. All these are business records. I can't see anything in Article 30 which necessarily requires us to duplicate this.

I guess this depends on what "a record" means. If "a record" means one document, we are in big trouble. Under R17 of the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014, a health provider must "maintain securely an accurate, complete and contemporaneous record in respect of each service user". No-one has suggested that means a patient record is one document and in one place. It isn't and cannot be. In my Trust alone I guess it is potentially distributed across at least 150 electronic systems, plus several paper files in some cases.

And finally, on a risk assessment basis, I will be far more worried about sending out patient records to the wrong addressee following a SAR than about a technical breach of s30 ...

All archives of messages are stored permanently and are available to the world wide web community at large at http://www.jiscmail.ac.uk/lists/data-protection.html