Simon, 
Many thanks for that. For those of you interested in this subject you
might like to see the response I received from Lucie Dennehy a solicitor
at the Information Commissioner's office. It is very clear and succinct.
If interested e mail me privately and I will send you a copy.
Regards 

Chris Brogan MA LLM
Managing Director 
Security International Ltd
130 St Johns Road, Isleworth, Middlesex TW7 6PL, UK
Tel:  +44 20 8847 2111  Fax:  +44 20 8847 1852
Registered in England & Wales No. 1322074
Registered Office:  11 Loveday Road, London W13 9JT
www.securitysi.com 
-----Original Message-----
From: Simon Richardson [mailto:[log in to unmask]] 
Sent: 11 February 2009 13:01
To: [log in to unmask]; Chris Brogan
Subject: Re: Section 29 Exemptions

Chris

It's been quite some time since I last posted to this forum, so I
thought that 
I'd start back with a nice easy one!

Ok, here we go...

ABC plc has obtained the data under section 29, and this same exemption
has 
been relied upon by the disclosing organisation(s) to make the
disclosure. 
Assuming that this process has been managed properly and all the
appropriate 
steps taken, then ABC has lawfully obtained the information and is now a
data 
controller (in common with the originating organisation) for that data.

Once the possibility of using this data for the purpose of a prosecution
(or 
otherwise preventing, detecting etc crime) then the section 29 exemption

cannot be relied upon by ABC for continued processing of that data.

This does not mean that the organisation cannot continue to process that

data, it just means that it must establish a different, lawful basis for
doing so.

The section 35 exemption only applies to disclosures of data. ABC may
need to 
process the data in other ways than disclosure so as to facilitate the
civil 
action (e.g. storing, consulting, etc), therefore use of this exemption
is likely 
to be unsatisfactory. So, we should consider whether continued
processing 
would be lawful in the absence of an exemption.

In order to comply with the second Principle, that new purpose for
processing 
must not be *incompatible* with the original purpose (criminal
prosecution) for 
obtaining the data. This does not require that the new purpose needs to 
be 'identical'. In my view, a civil action for the same activity that
prompted 
the criminal investigation would not be usually be incompatible - it
seems like a 
natural and consistent extension of the original purpose.

Continued processing must also comply with the first Principle, in that
it must 
be fair and lawful. As soon as is practicable, the data subject should
be 
advised that the organisation has the data (if they have not already
been so 
advised), and the purpose for which the organisation now intends to use
the 
data.

At least one schedule 2 condition needs to be met. This is likely to be
the 5th 
condition (administration of justice) but you can also consider the 6th 
condition (legitimate interests of the data controller, but you will
have to 
establish that any resulting prejudice to the rights, freedoms or
legitimate 
interests of the data subject is not 'unwarranted'). 

If the data is sensitive, a schedule 3 condition will also be required.
The 6th 
condition (legal proceedings) or the 7th (administration of justice)
should 
suffice.

Provided that the organisation has appropriate information management 
policies and procedures in place, and complies with the data subject's
rights in 
the normal way, the remaining Principles are unlikely to be a problem in
this 
scenario.

On this basis, it is my view that the continued use of the data for the
purpose 
of civil action, is likely to be lawful, if handled in the right way.
However, you 
should be mindful that the organisations that provided the data may not
be 
happy with this decision, and may be reluctant to make disclosures of
this 
type in future. I would suggest consulting with them as soon as
possible. 

When seeking information under section 29 in future, I'd suggest quoting

section 35 as well and advising the disclosing organisations that the
data may 
be used for civil proceedings, if criminal prosecution is not possible.
It would be 
unfair and unlawful (and probably an offence under section 55) if you
obtained 
data under section 29 in the knowledge that you were unlikely to use it
for 
crime prevention, detection or prosecution.

This process will also ensure that the data subject knows what
information 
you have, how and why you intend to use it, and where you got it from
and 
why. ABC have acted lawfully and fairly throughout, so it is hard to see
how a 
HRA case could be established to argue that a trial would be unfair.

That's my opinion anyway. 

Simon





No virus found in this incoming message.
Checked by AVG - www.avg.com 
Version: 8.0.234 / Virus Database: 270.10.23/1948 - Release Date:
02/12/09 07:20:00

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
     All archives of messages are stored permanently and are
      available to the world wide web community at large at
      http://www.jiscmail.ac.uk/lists/data-protection.html
     If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
 Any queries about sending or receiving messages please send to the list owner
              [log in to unmask]
  Full help Desk - please email [log in to unmask] describing your needs
        To receive these emails in HTML format send the command:
         SET data-protection HTML to [log in to unmask]
   (all commands go to [log in to unmask] not the list please)
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^