Tim
I'm delighted that the ICO have finally come to the sensible conclusion - but I
find the way that they got there a bit strange.
They've decided that it was a valid SAR on the basis that you quoted the DPA!
I've always understood that quoting the Act was irrelevant to whether it
should be considered a SAR or not, and section 7(2) makes no mention of this
being a relevant factor.
Simon
On Tue, 24 Feb 2009 17:47:16 +0000, Tim Trent
<[log in to unmask]> wrote:
>Remember this one? The UKIC said that I had not issued a SAR at all. We
>debated on the list the fact that a SAR was a SAR whether its scope had
>been limited or not.
>
>I appealed. That was frustrating, too, because they tried to insist that
>I used a form. I insisted that my email was sufficient and must be taken
>as the substantive appeal. heigh ho!
>
>I have received a reply I hope I;ve redacted the original perosn;s name
>everywhere.:
>
>BEGINS:
>
>Thank you for your e-mail dated concerning an assessment made by Mr
>[redacted]. I am [redacted]'s manager and as such your case been passed
>to me to review and respond.
>
>As I understand it you received unsolicited e-mail from Bryan Garnier &
>Co. The issue of unsolicited e-mail to your private email address has
>been dealt with under The Privacy and Electronic Communication
>Regulations 2003 by [redacted] under reference number ELE0221710.
>
>As you had no previous dealings with this company on 9 November 2008 you
>wrote to Bryan Garnier & Co asking them to tell you the source of your
>data record and also made a Section 11 request to cease processing your
>data for the purposes of direct marketing. This matter was dealt with as
>an enquiry under reference RFA0232973.
>
>In your request to Bryan Garnier & Co you did not make a request for a
>copy of your personal data but you asked Bryan Garnier & Co to tell you
>the source of your data. [redacted] explained the rights afforded to
>individuals under Section 7 of the DPA. [redacted] also explained that
>whilst individuals are entitled to be any information available to the
>data controller as the source of their data, this entitlement is only
>when an individual makes a subject access request for copy of their
>information. [redacted] was of the view that your request for the
>source did not qualify as a valid subject access request and therefore
>the data controller (Bryan Garnier & Co) would not be under any
>obligation to respond to your request under the DPA. [redacted] advised
>you to make a further subject access request which I understand you made
>on 4 February 2009.
>
>Although you made a further subject access request you disagreed with
>[redacted]'s interpretation and therefore asked for a review.
>
>On reviewing your case I note that in your email of 9 November 2008 you
>had specifically quoted the Data Protection Act 1998 for the source of
>your information. Taking into account that you had quoted the DPA and
>made it very clear that you were making a request under the DPA
>technically the data controller should have been treated your request to
>be a formal request for the information to which you are entitled to
>under the DPA 1998.
>
>Therefore I agree with you that your e-mail of 9 November 2008 to Bryan
>Garnier & Co was a valid subject access request for information as to
>where the sender of the e-mail got the e-mail address from. Therefore we
>would consider it as a request for information under Section 7 (1) (c )
>(ii). We should have therefore considered your request as a legitimate
>request for limited information to Bryan Garnier & Co and treated it as
>a request for assessment. I am very sorry that you were told by
>[redacted] that your request to Bryan Garnier & Co was not a valid
>subject access request for your information.
>
>As you may be aware that when we receive a data protection complaint we
>are under a duty, in most cases, to make an 'assessment'. This
>assessment is our view as to whether it is likely or unlikely that an
>organisation has complied with the DPA in the situation that has been
>described to us.
>
>If we consider it is unlikely that an organisation has complied with the
>DPA, we will let you know and will decide what action, if any, to take.
>Whilst we cannot award compensation, we will educate the organisation to
>help them understand their obligations and advise them to take steps to
>comply with the law in the future.
>
>I will now take up the issue of your subject access request of 9
>November 2008 with to Bryan Garnier & Co. I will now write to them and
>ask them to provide you with the information to which you are entitled,
>if it is available to them.
>
> From the information you have provided it appears likely that *Bryan
>Garnier & Co** *has failed to comply with the sixth *principle* in this
>case. This is because *they do not appear to have responded to your
>subject access request within the time period prescribed in the DPA.*
>
>In light of this it is my assessment that it is unlikely that *Bryan
>Garnier & Co** **has* complied with the DPA in this case. This
>assessment is based solely on the information you provided.
>
>I will now write to *Bryan Garnier & Co** *to tell them about this
>assessment and to recommend the steps they should take to* **bring their
>processing into compliance with the DPA in this case.*
>
>I have made this assessment based only on the information you
>provided. *Bryan Garnier & Co** **may** *well want to give their point
>of view. If *Bryan Garnier & Co** **has* any information to suggest that
>this assessment should be changed, I will ask them to provide it within
>28 days and will write to let you know. Otherwise this matter is
>considered as closed.
>ENDS
>
>Interesting, isn't it. The UKIC patently does know the law, and can
>begin to get it right, but it takes a hefty shove, sometimes. And they
>are receiving money to do this job, too.
>
>By the way,if this has arrived more than once, you will know that even
>demigods such as I have real trouble with the web based posting
>interface, so I had to copy it to my email client! Ah well. Back to
>mere mortal status as usual!
>
>
>--
>------------------------------------------------------------------------
>
>*Tim Trent* - Consultant
>*/Tel/*: +44 (0)7710 126618
>*/web/*: ComplianceAndPrivacy.com <http://complianceandprivacy.com> -
>where busy executives go to find the news first
>*/personal blog/*: timtrent.blogspot.com/
><http://timtrent.blogspot.com/> - news, views, and opinions
>*/personal website/*: Tim's Personal Website
><http://www.trent.karoo.net> - more than anyone needs to know
>
>Marketing by Permission
><http://feeds.feedburner.com/%7Er/MarketingByPermission/%7E6/1>
>
>*Important*: This message is private and confidential. If you have
>received this message in error, please notify us and remove it from your
>system. This email and any attachment(s) are believed to be virus-free,
>but it is the responsibility of the recipient to make all the necessary
>virus checks. This email and any attachments to it are copyright of
>Meadowood Associates, owners of Compliance And Privacy, unless otherwise
>stated. Their copying, transmission, reproduction in whole or in part
>may only be undertaken with the express permission, in writing, of
>Meadowood Associates, at Meadowood House, 30 Redditch, Bracknell,
>Berkshire, RG12 0TT.
>
>
>^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
^^^^^^^^^^^^^^^^
> All archives of messages are stored permanently and are
> available to the world wide web community at large at
> http://www.jiscmail.ac.uk/lists/data-protection.html
> If you wish to leave this list please send the command
> leave data-protection to [log in to unmask]
>All user commands can be found at
http://www.jiscmail.ac.uk/help/commandref.htm
> Any queries about sending or receiving messages please send to the list
owner
> [log in to unmask]
> Full help Desk - please email [log in to unmask] describing your needs
> To receive these emails in HTML format send the command:
> SET data-protection HTML to [log in to unmask]
> (all commands go to [log in to unmask] not the list please)
>
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
^^^^^^^^^^^^^^^
>
>
>
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
