Hi all,
Thanks for getting back to me; it has been really useful. I think that it is likely that the Finland case would apply to systems processing special category personal data or sensitive processing - so that if there were no way to investigate access, the use of such a system would probably be in breach of section 6 of the HRA and so the GDPR/DPA in relation to lawfulness.
The Finland case looked at retrospective investigations. Does anyone have a view as to whether appropriate security measures include pro-active monitoring such as detection of the same surname between the employee and the person whose records have been accessed? I would think that this would not apply to cases involving personal data but I was wondering about the public sector that does process a large amount of special category data etc. but only check about access if they receive a complaint from somewhere.
Bill