A late response to this one.

If a data controller suffers an 'accidental' disclosure of data in the 
circumstances spoken about in this thread AND if this type of accident 
is a semi-regular occurrence there is clearly a breach of the DP 
regulations.

With the public sector financial cuts I suspect there will be a great 
deal of 'wriggling' to mitigate costs in these areas and hence an 
increase in 'accidental breaches', which are seen (or sold) as 
acceptable within organisations. Equally the reporting of those types 
of breaches is likely to be resisted as that would reduce 
organisational 'flexibility' by increasing visibility.

Looking back through the history of DP the security element in the UK, 
contrary to the directives objective to generally improve DP, has 
clearly been on the downward trend, originally totally ignoring the 
'state of the art' requirements to a now adequate, or as it seems to be 
more frequently interpreted 'acceptable risk' to the data controller. 
Both the thrust of the regulations as well as the letter have been 
frequently ignored.

My answer to the question is that accidents can happen and that a DP 
breach will definitely have occurred, but whether action should/is 
taken will depend upon many of the circumstances unique to the data 
collection and data controller.  Question - has anybody yet heard of 
groups of data subjects requesting a data controller stops processing 
their data because of unlawful disclosures; If not why not, is that 
mechanism broken?

To me this issue seems anomalous with the anonymity debate. Clarifying 
that:- 

Unsurprisingly, perceived anonymity is more frequently used by a data 
controller to support its own cause above the cause of others, even 
where there is an overriding social interest.  An example would be one 
test I conducted where a series of comments were made on a blog which 
were very clearly wrong (probably because of a lack of knowledge in 
that area) and presented a situation which was in the interests of 
particular parties. Because of the nature of the information involved, 
at any level the broader social interest would require the comments 
corrected and accurate data included.  Because I was not registered, 
and had no wish to register with the blog provider to respond, I used 
an anonymous identity, but included my own name within the body of the 
text; The blogger who made the comments (a member of the privacy 
community) recognised my approach and who it came from because they 
subsequently attempted to verify that, but they did not publish the 
factual data provided or links.  Whilst this promoted their interests 
in reducing personal embarrassment at such an obvious error it did 
nothing to promote any interest in the wider improvement of knowledge, 
and in respect of myself provided further insight and evidence about 
the normal use of a facet of privacy.

Appropriate security, risk, or arguable adequacy in processes 
providing security; at the end of the day the organisation will decide 
and the data protection officers/officials will take on some of the 
responsibility.  

In those situations transparency in my opinion then becomes a 
necessary requirement if data subjects are to be informed sufficiently 
to determine what is  'acceptable' to them, and to allow for the 
possibility of improvements.




-----Original Message-----
From: This list is for those interested in Data Protection issues 
[mailto:[log in to unmask]] On Behalf Of Brenda Scourfield
Sent: 19 July 2010 10:18
To: [log in to unmask]
Subject: [data-protection] Accurate/inaccurate data


Electronic system holds correct address. Data is accurate and up to 
date. Person sends personal data to the wrong address having 
incorrectly copied the correct address on the system. Has this breached 
the act or just a mistake ? Any comments please ?

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
     All archives of messages are stored permanently and are
      available to the world wide web community at large at
      http://www.jiscmail.ac.uk/lists/data-protection.html
     If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
 Any queries about sending or receiving messages please send to the list owner
              [log in to unmask]
  Full help Desk - please email [log in to unmask] describing your needs
        To receive these emails in HTML format send the command:
         SET data-protection HTML to [log in to unmask]
   (all commands go to [log in to unmask] not the list please)
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^