A late response to this one.
If a data controller suffers an 'accidental' disclosure of data in the
circumstances spoken about in this thread AND if this type of accident
is a semi-regular occurrence there is clearly a breach of the DP
regulations.
With the public sector financial cuts I suspect there will be a great
deal of 'wriggling' to mitigate costs in these areas and hence an
increase in 'accidental breaches', which are seen (or sold) as
acceptable within organisations. Equally the reporting of those types
of breaches is likely to be resisted as that would reduce
organisational 'flexibility' by increasing visibility.
Looking back through the history of DP the security element in the UK,
contrary to the directives objective to generally improve DP, has
clearly been on the downward trend, originally totally ignoring the
'state of the art' requirements to a now adequate, or as it seems to be
more frequently interpreted 'acceptable risk' to the data controller.
Both the thrust of the regulations as well as the letter have been
frequently ignored.
My answer to the question is that accidents can happen and that a DP
breach will definitely have occurred, but whether action should/is
taken will depend upon many of the circumstances unique to the data
collection and data controller. Question - has anybody yet heard of
groups of data subjects requesting a data controller stops processing
their data because of unlawful disclosures; If not why not, is that
mechanism broken?
To me this issue seems anomalous with the anonymity debate. Clarifying
that:-
Unsurprisingly, perceived anonymity is more frequently used by a data
controller to support its own cause above the cause of others, even
where there is an overriding social interest. An example would be one
test I conducted where a series of comments were made on a blog which
were very clearly wrong (probably because of a lack of knowledge in
that area) and presented a situation which was in the interests of
particular parties. Because of the nature of the information involved,
at any level the broader social interest would require the comments
corrected and accurate data included. Because I was not registered,
and had no wish to register with the blog provider to respond, I used
an anonymous identity, but included my own name within the body of the
text; The blogger who made the comments (a member of the privacy
community) recognised my approach and who it came from because they
subsequently attempted to verify that, but they did not publish the
factual data provided or links. Whilst this promoted their interests
in reducing personal embarrassment at such an obvious error it did
nothing to promote any interest in the wider improvement of knowledge,
and in respect of myself provided further insight and evidence about
the normal use of a facet of privacy.
Appropriate security, risk, or arguable adequacy in processes
providing security; at the end of the day the organisation will decide
and the data protection officers/officials will take on some of the
responsibility.
In those situations transparency in my opinion then becomes a
necessary requirement if data subjects are to be informed sufficiently
to determine what is 'acceptable' to them, and to allow for the
possibility of improvements.
-----Original Message-----
From: This list is for those interested in Data Protection issues
[mailto:[log in to unmask]] On Behalf Of Brenda Scourfield
Sent: 19 July 2010 10:18
To: [log in to unmask]
Subject: [data-protection] Accurate/inaccurate data
Electronic system holds correct address. Data is accurate and up to
date. Person sends personal data to the wrong address having
incorrectly copied the correct address on the system. Has this breached
the act or just a mistake ? Any comments please ?
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|