I agree with comments so far:
Disproportionate effort only applies to the provision of a copy in permanent
form.
Employees, while acting on the Data Controller's business, are agents of the
Data Controller, and therefore not third parties. I suppose there may be a
case for clarifying this in people's terms and conditions, but that wouldn't
alter the fact. (An employee making a complaint of harassment against a
colleague *would* have third party rights, because they wouldn't be doing
that on behalf of the employer.)
I would also add that s.7 (4) is not a blanket provision to withhold third
party data without consent, because you can also disclose third party data
if it is 'reasonable in all the circumstances to comply ... without the
consent of the other individual'. This suggests that there may be no need
even to seek consent, if you are sure that it is reasonable to disclose
without it, either because the third party information is trivial, or
because the Data Subject already knows that information, or whatever.
Paul Ticher
Information Management
0116 273 8191
22 Stoughton Drive North, Leicester LE5 5UB
I hereby require any recipient of this message not to use my personal data
for direct marketing purposes.
----- Original Message -----
From: "Tony Bowden" <[log in to unmask]>
To: <[log in to unmask]>
Sent: Friday, June 20, 2003 2:07 PM
Subject: Avoiding Disclosure
> So, I've had another organisation claim that they can't provide me with
> a lot of data as it contains personal data relating to other people and
> it would require disproportionate effort to either contact all these
> other people to see if they're happy for the data to be disclosed or to
> go through and remove all the identifiable references. They claim to be
> refusing to supply this data on the advice of the Data Protection Office.
>
> Consider the (rather common, I would assume) case where every contact
> with a company is recorded in some sort of Customer Management System,
> with annotations by the staff member who dealt with the contact. Assume
> this happens regularly, and over a longish period of time, such that,
> by the time an SAR is made, most of the staff in question have now left
> the organisation. Does the company really have to get permission from
> all those ex-staff members to disclose the notes they made regarding the
> customer, if they're annotated with their name? And can the company then
> claim that if the employee's name cannot be removed automatically from
> this data, that, due to the quantity of information that would have to
> be processed by hand, that it would be disproportionate effort to supply
> that data?
>
> Surely this would be quite a major loophole?
>
> Tony
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> All archives of messages are stored permanently and are
> available to the world wide web community at large at
> http://www.jiscmail.ac.uk/lists/data-protection.html
> If you wish to leave this list please send the command
> leave data-protection to [log in to unmask]
> All user commands can be found at : -
> www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
> (all commands go to [log in to unmask] not the list please)
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|