Re SAR redaction
A SAR can link to an employer Health and Safety obligation under the H&S at
Work Act 1974. H&S Section 7 states:
---
7 General duties of all employees at work
It shall be the duty of every employee while at work-
(a) to take reasonable care for the health and safety of himself and of
other persons who may be affected by his acts or omissions at work; and
(b) as regards any duty or requirement imposed on his employer or any
other person by or under any of the relevant statutory provisions, to
co-operate with him so far as is necessary to enable that duty or
requirement to be performed or complied with.
----
If the employer discloses the identity of its staff to a person they have no
direct control over they may be exposing the staff member to personal safety
risks. The risk is dependant partly on what data is needed to locate an
individual at work.
Section 7(4) of DPA shows they have no statutory obligation to disclose
identity of employees acting for them in transacting their company business.
Individuals see the relationship between Privacy and Safety and data
disclosure consent assists their control of that risk.
So I would agree with Gerry and as a default start from no discosure of
employee identity unless it is fundemental to resolving any issue at hand.
In most cases it is not as the individual has their dispute with the company
not the individual employee.
David Wyatt
----- Original Message -----
From: "Gerry Dane" <[log in to unmask]>
To: <[log in to unmask]>
Sent: Monday, February 02, 2004 3:07 PM
Subject: Re: [data-protection] Redacted Information
The definition of what constitutes a third party is plain enough:
"2.8 Third Party Definition (s70 (1)) "Third party, in relation to
personal data, means any person other than - *
*
*
the data subject, the data controller, or any data processor or other
person authorised to process data for the data controller or processor."
The expression third party does not include employees or agents of the
data controller or data processor, which persons are for the purpose of
this expression to be interpreted as being part of the data controller
or processor. As such, this expression is distinguishable from
"recipient", which effectively separates employees/agents of the data
controller/processor from the data controller/processor itself." (OIC
Legal Guidance)
However, to apply a strict legal definition and pretend it to be a
considered judgement is a mistake. There are circumstances in which NOT
seeking consent would be inappropriate. I wouldn't allow the definition
to stop me seeking consent if I thought the case required it or for that
matter making the judgement to redact if consent could not be obtained.
Best,
Gerry
Mr.G.Dane
University of Newcastle
Newcastle upon Tyne
NE1 7RU
Email: [log in to unmask]
-------------------------------------------
The views expressed in this message are those of the
sender and not necessarily those of the University.
>-----Original Message-----
>From: Tony Bowden [mailto:[log in to unmask]]
>Sent: 02 February 2004 13:28
>To: [log in to unmask]
>Subject: Re: [data-protection] Redacted Information
>
>
>On Mon, Feb 02, 2004 at 01:23:12PM +0000, Rob Dawson wrote:
>> In completing an SAR that will give details of third parties
>(eg other
>> employees) you do not have to give their details unless the third
>> party has consented. You could find that disclosing a third party
>> name without consent may cause distress.
>
>A member of staff acting in connection with their employment
>is not a Third Party.
>
>Tony
>
>^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> All archives of messages are stored permanently and are
> available to the world wide web community at large at
> http://www.jiscmail.ac.uk/lists/data-protection.html
> If you wish to leave this list please send the command
> leave data-protection to [log in to unmask]
> All user commands can be found at : -
> http://www.jiscmail.ac.uk/help/commandref.htm
> (all commands go to [log in to unmask] not the list
>please) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
http://www.jiscmail.ac.uk/help/commandref.htm
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
http://www.jiscmail.ac.uk/help/commandref.htm
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|