Paul
Aside from the obvious considerations what I was trying to explain (admittedly not very well) was that which is completely and utterly obvious that the applicant is aware of personal data - you would be pushed to apply an exemption.
Yes, as far as I am aware, you do have to confirm, do you hold or don't you and secondly if you are withholding you need to provide an exemption under DPA under which you are withholding - in terms of explaining the actual exemption as a rule under the legislation to the applicant (as in the case with FOIA) - no I don't think you do.
Happy to be corrected.
Many thanks
Trish
Trish-louise Bailey
Audit & Assurance (Information Governance)
(IG covers: Data Protection & Privacy, FOI, Information Security, Information Sharing & Confidentiality, Information & Records Management, Information Quality & Assurance)
Telford & Wrekin Council
Civic Offices
Coach Central
Telford
TF3 4HD
www.telford.gov.uk
em: [log in to unmask] or [log in to unmask]
tel: 01952 382537
mb: 07528 969455
-----Original Message-----
From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of Paul Ticher
Sent: 03 June 2011 14:57
To: [log in to unmask]
Subject: Re: 3rd party data known to SAR applicant
Trish,
Have I misunderstood something? Under FoI you definitely have to specify
your exemption, but does that extend to Data Protection if you are a public
authority? (I work mainly with charities, so this may be an aspect I've not
come across.)
s.7(4) of the DPA says:
Where the Data Controller cannot comply ... without disclosing [third party]
information, he is not obliged to comply ... unless:
(a) the other individual has consented ... or
(b) it is reasonable in all the circumstances to comply ... without ...
consent
s.7(6) sets out how you might decide what is reasonable, but it's not
phrased in terms of exemptions from disclosing, and there is nothing in
s.7(1), for example, that says you have to explain whether or why you are
withholding anything.
In any case I can't see anything that says you have to disclose if it is
something the Data Subject knows already. In fact it implies that you
shouldn't disclose if you have a duty of confidentiality to the third party,
which you would have as an employer towards your employees.
If I'm wrong, I'd be very happy to be put right, but I really do think that
DPA and FoI are fundamentally different on this point.
Paul Ticher
0116 273 8191
22 Stoughton Drive North, Leicester LE5 5UB
----- Original Message -----
From: "Bailey, Trish" <[log in to unmask]>
To: <[log in to unmask]>
Sent: Friday, June 03, 2011 8:25 AM
Subject: Re: 3rd party data known to SAR applicant
Paul
Im sorry but I would have to disagree with you on this with regard to
redacting info. If you were to redact you are required to apply an
exemption to cover the "withheld info". My question is how can you possible
apply an exemption to protect information that is already known to an
applicant - does it not make the exemption null and void?
Many thanks
Trish
Trish-louise Bailey
Audit & Assurance (Information Governance)
(IG covers: Data Protection & Privacy, FOI, Information Security,
Information Sharing & Confidentiality, Information & Records Management,
Information Quality & Assurance)
Telford & Wrekin Council
Civic Offices
Coach Central
Telford
TF3 4HD
www.telford.gov.uk
em: [log in to unmask] or [log in to unmask]
tel: 01952 382537
mb: 07528 969455
-----Original Message-----
From: This list is for those interested in Data Protection issues
[mailto:[log in to unmask]] On Behalf Of Paul Ticher
Sent: 02 June 2011 15:40
To: [log in to unmask]
Subject: Re: 3rd party data known to SAR applicant
I've noted the comments from others about (a) that the data is not actually
about the Data Subject (plausible argument), and (b) that it's nonsensical
to withhold data the Subject already knows (also plausible). However, it
occurs to me that (b) may not be nonsensical in every case.
Firstly, I can't see anything which says you *must* disclose data if the
Data Subject already knows it. That situation obviously makes it more
likely to be disclosable, but doesn't require disclosure, unless I'm missing
something.
Second, I would distinguish between information which is available to the
Data Subject on the internal e-mail system, and data that they can take away
with them on paper and, presumably, show to other people (who may be legally
privileged, but may just be their mates).
Given that your Data Subject knows who the third party is, I would be
inclined to redact the name, at least, because there is no detriment to the
Data Subject in doing so but there is, at least, a warning that you consider
the name of the third party deserving of protection. They could, of course,
immediately say to their mates "that name they've blanked out is X, Y" but
that would be their choice, not your doing.
So I think there is a good case for redaction.
Paul Ticher
0116 273 8191
22 Stoughton Drive North, Leicester LE5 5UB
----- Original Message -----
From: "Ray Cooke" <[log in to unmask]>
To: <[log in to unmask]>
Sent: Thursday, June 02, 2011 12:03 PM
Subject: 3rd party data known to SAR applicant
> All,
>
> I'd appreciate any thoughts from all you experienced folk out there on
> this
> one.
>
> Scenario is this. Data subject (staff) makes subject access request.
> Emails to and from the data subject deal with 3rd party disciplinary and
> grievance issues sent to data subject in the course of work. Some of the
> stuff is sensitive data. Question is - should the 3rd party data be
> redacted out in responding to the SAR even though the data subject has
> seen
> it and may even still have access to email copies?
>
> I've taken the view that it is not appropriate or reasonable to leave this
> type of 3rd party data unredacted in supplying copies under SAR even
> though
> the data subject will have seen the material and indeed may have retained
> it
> within a work context.
>
> Is this the right approach to take in this particular circumstance?
>
> Grateful for any views on this.
>
> Ray Cooke
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> All archives of messages are stored permanently and are
> available to the world wide web community at large at
> http://www.jiscmail.ac.uk/lists/data-protection.html
> If you wish to leave this list please send the command
> leave data-protection to [log in to unmask]
> All user commands can be found at
> http://www.jiscmail.ac.uk/help/commandref.htm
> Any queries about sending or receiving messages please send to the list
> owner
> [log in to unmask]
> Full help Desk - please email [log in to unmask] describing your
> needs
> To receive these emails in HTML format send the command:
> SET data-protection HTML to [log in to unmask]
> (all commands go to [log in to unmask] not the list please)
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
>
>
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at
http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving messages please send to the list
owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your
needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
--------------------------------------------------------------------------------------------------------------------
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom
they are addressed. If you have received this email in error
please notify the originator of the message.
Any views expressed in this message are those of the individual
sender, except where the sender specifies and with authority,
states them to be the views of Telford & Wrekin Council.
The content of this email has been automatically checked in
conjunction with the relevant policies of Telford & Wrekin Council.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at
http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving messages please send to the list
owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your
needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
--------------------------------------------------------------------------------------------------------------------
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom
they are addressed. If you have received this email in error
please notify the originator of the message.
Any views expressed in this message are those of the individual
sender, except where the sender specifies and with authority,
states them to be the views of Telford & Wrekin Council.
The content of this email has been automatically checked in
conjunction with the relevant policies of Telford & Wrekin Council.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|