----- Original Message -----
From: "Broom, Doreen" <[log in to unmask]>
To: <[log in to unmask]>
Cc: <[log in to unmask]>
Sent: Thursday, October 12, 2000 4:29 PM
Subject: RE: Confidential medical health records
> I agree entirely so is it therefore not up to the custodian of the
> data (the trust) to inform the data subject regarding any breach in the
> data protection principles such as in the above case. It not only affects
> the data subject but their relatives, friends etc.
> > From: [log in to unmask] [SMTP:[log in to unmask]]
> > Sent: 12 October 2000 16:17
> > To: [log in to unmask]
> > Subject: Confidential medical health records
> > Rather than a discussion of who is owner or custodian, in dp terms
> > surely it is the d.controller who is responsible and in the scenario
> > cited, that is the trust, isn't it?
If the data controller has no responsibility to notify the data subject
about a breach affecting them, some data subjects will inevitably end up
suffering harm without being able to effectively track down what caused it.
Considering the origin of harm caused as emanating from electronic data,
understanding and proving what has happened is a particularly difficult if
not on occasions impossible task even for the professional. Individual data
subjects will never be able to afford the expertise or provide finance to
bring a legal case. Therefore the DPA will never be fully effective and the
majority of data subjects will be denied any real recourse to justice.
Does this then not open up issues from the HRA:-
Article 6 (Right to a Fair Trial) which includes a guarantee for
access to fair and public hearing.
Article 10 (Freedom of Expression) which includes the right to receive and
impart information and ideas for the protection of the reputation or rights
of others.
If the data controller does not disclose to the data subject, is not the
data controller making a decision which denies the data subject the right
for access to a civil law remedy where harm may be caused?
DPA 1998, Schedule 7, Paragraph 11 covers this area of self incrimination by
the data controller, as regards subject access, but exempts offences other
than under the DPA 1998 from disclosure. Does this not indicate
disclosure of offences under the DPA 1998 is necessary?
How does the above sit with the right to silence that exists in law?
Ian