Call me simple but the Commissioner's test is "whether the matter was
serious enough to warrant referral to the police" NOT "you have referred it
to the police" AND "the police have decided to take the case on" so where's
the problem? I think your auditor is getting his knickers in an unnecessary
twist.
As an auditor for a fraud database we, with the agreement of the
Commissioner, use the "whether the matter was serious enough to warrant
referral to the police" to determine whether a filing to the database is
justified.
Alasdair Warwood
----- Original Message -----
From: "Lewis Bourne" <[log in to unmask]>
To: <[log in to unmask]>
Sent: Thursday, July 11, 2002 4:35 PM
Subject: Employment Practices Data Protection Code
Perhaps someone on the list can assist in getting me out of an argument that
has developed between myself and a Auditor. I have recently circulated Part
3 of the code - Monitoring at work - it prompted the following response from
the Auditor. I apologise for the length but believe you may find the
Auditors views interesting if not controversial:
Auditors comments:
"I see the Code (although not statutory) as limiting my ability to counter
fraudulent behaviour:
1). RIPA is primary legislation affecting defined public authorities and
this includes local authorities but does not impose similar constraints on
private sector organisations and Central Government Executive agencies,
quangos etc. RIPA affects not only regulatory work such as Environmental
Health enforcement, investigation of suspected Benefits fraud etc, but also
the ability of a public authority to monitor and enforce the conditions of
employment relevant to its workforce. Any significant breaches of
conditions of employment could constitute a criminal offence but the police
(and the Crown Prosecution Service) are increasingly less likely to take on
cases of workers defrauding their employer by not attending when they
should, even though this is effectively an offence of obtaining money (or
advantage) through deception. In some cases the only way an employer can
prove this, and prevent further loss of public funds, is through covert
(directed) surveillance. The Commissioner's Code implies that the suitable
test for such investigations should be whether the matter was serious enough
to warrant referral to the police.
Given the experiences of a number of authorities who have experienced "white
collar" crime, it is frequently a waste of time and effort trying to involve
the police. This does not mean that crime, sufficient to comply with the
requirements of RIPA, is not suspected.
As such, the advice in the Code is not in accordance with the provisions of
primary legislation and, if the advice were followed precisely, could result
in unnecessary losses of public funds. As such, I believe that the Code
should follow RIPA in referring to the prevention or detection of crime and
not seek to impose a higher standard of proof.
2). The comments relating to covert surveillance, perhaps using concealed
video recording equipment, in offices designated for the use of individuals
is also unreasonable. Take, for example, a cash collection kiosk used by
one person per shift. The use of concealed cameras may be essential in
proving instances of theft. As such, I believe that the Code again goes
beyond the provisions of the primary legislation in this area - RIPA - and
should outline a more relaxed view where criminal activity is suspected".
This response took me by surprise a bit particularly the heavy emphasis on
RIPA overruling the DPA issues. I responded with (what I believed) was a
non-confrontational reply i.e.. I agree that the RIPA is primary legislation
but so is the DPA (and also HRA). The whole point of the code is to offer
advice and guidance on the best way to comply with BOTH sets of legislation
whilst undertaking these activities, which you MUST do if the monitoring
involves an interception which results in recording of personal data. You
cannot take RIPA in isolation.
The response to this was:
"A hierarchy of legislation exists. The DPA sets out what can be collected
and how it is processed. The HRA enshrines a Right to Privacy but the RIPA
sets out when and how that right to privacy can be infringed by a public
body. As such, the RIPA is the relevant primary legislation in respect of
controlling surveillance by public bodies." This paragraph was then
concluded with comments about sticking nose in when not needed just to
justify existence.
Before a row develops perhaps someone from the list would like to comment on
the concept of a legislation hierarchy or anything else the friendly auditor
has commented on.
regards,
Lewis Bourne
Principal Information Security Officer
I.C.T. Services
This e-mail contains proprietary information some of which
or all of which may be legally privileged. It is for the
intended recipient only. If an addressing or transmission
error has misdirected the e-mail, please notify the author by
replying to this email. If you are not the intended recipient
you must not use, disclose, distribute, copy, print or rely
on this e-mail.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|