Simon,
Many thanks for that. For those of you interested in this subject you
might like to see the response I received from Lucie Dennehy a solicitor
at the Information Commissioner's office. It is very clear and succinct.
If interested e mail me privately and I will send you a copy.
Regards
Chris Brogan MA LLM
Managing Director
Security International Ltd
130 St Johns Road, Isleworth, Middlesex TW7 6PL, UK
Tel: +44 20 8847 2111 Fax: +44 20 8847 1852
Registered in England & Wales No. 1322074
Registered Office: 11 Loveday Road, London W13 9JT
www.securitysi.com
-----Original Message-----
From: Simon Richardson [mailto:[log in to unmask]]
Sent: 11 February 2009 13:01
To: [log in to unmask]; Chris Brogan
Subject: Re: Section 29 Exemptions
Chris
It's been quite some time since I last posted to this forum, so I
thought that
I'd start back with a nice easy one!
Ok, here we go...
ABC plc has obtained the data under section 29, and this same exemption
has
been relied upon by the disclosing organisation(s) to make the
disclosure.
Assuming that this process has been managed properly and all the
appropriate
steps taken, then ABC has lawfully obtained the information and is now a
data
controller (in common with the originating organisation) for that data.
Once the possibility of using this data for the purpose of a prosecution
(or
otherwise preventing, detecting etc crime) then the section 29 exemption
cannot be relied upon by ABC for continued processing of that data.
This does not mean that the organisation cannot continue to process that
data, it just means that it must establish a different, lawful basis for
doing so.
The section 35 exemption only applies to disclosures of data. ABC may
need to
process the data in other ways than disclosure so as to facilitate the
civil
action (e.g. storing, consulting, etc), therefore use of this exemption
is likely
to be unsatisfactory. So, we should consider whether continued
processing
would be lawful in the absence of an exemption.
In order to comply with the second Principle, that new purpose for
processing
must not be *incompatible* with the original purpose (criminal
prosecution) for
obtaining the data. This does not require that the new purpose needs to
be 'identical'. In my view, a civil action for the same activity that
prompted
the criminal investigation would not be usually be incompatible - it
seems like a
natural and consistent extension of the original purpose.
Continued processing must also comply with the first Principle, in that
it must
be fair and lawful. As soon as is practicable, the data subject should
be
advised that the organisation has the data (if they have not already
been so
advised), and the purpose for which the organisation now intends to use
the
data.
At least one schedule 2 condition needs to be met. This is likely to be
the 5th
condition (administration of justice) but you can also consider the 6th
condition (legitimate interests of the data controller, but you will
have to
establish that any resulting prejudice to the rights, freedoms or
legitimate
interests of the data subject is not 'unwarranted').
If the data is sensitive, a schedule 3 condition will also be required.
The 6th
condition (legal proceedings) or the 7th (administration of justice)
should
suffice.
Provided that the organisation has appropriate information management
policies and procedures in place, and complies with the data subject's
rights in
the normal way, the remaining Principles are unlikely to be a problem in
this
scenario.
On this basis, it is my view that the continued use of the data for the
purpose
of civil action, is likely to be lawful, if handled in the right way.
However, you
should be mindful that the organisations that provided the data may not
be
happy with this decision, and may be reluctant to make disclosures of
this
type in future. I would suggest consulting with them as soon as
possible.
When seeking information under section 29 in future, I'd suggest quoting
section 35 as well and advising the disclosing organisations that the
data may
be used for civil proceedings, if criminal prosecution is not possible.
It would be
unfair and unlawful (and probably an offence under section 55) if you
obtained
data under section 29 in the knowledge that you were unlikely to use it
for
crime prevention, detection or prosecution.
This process will also ensure that the data subject knows what
information
you have, how and why you intend to use it, and where you got it from
and
why. ABC have acted lawfully and fairly throughout, so it is hard to see
how a
HRA case could be established to argue that a trial would be unfair.
That's my opinion anyway.
Simon
No virus found in this incoming message.
Checked by AVG - www.avg.com
Version: 8.0.234 / Virus Database: 270.10.23/1948 - Release Date:
02/12/09 07:20:00
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|