I've lurked on this list for a long time and the reason for sending my first
message is that, having listened now to 3 or 4 talks by lawyers and other
experts on the DPA98 in the last 6 months and finally got the hang of it, I
am shortly going to give my first solo talk. I am now certain I *haven't*
mastered it and am panicking! Apologies therefore if the question that
follows is stupidly banal or obvious. I fear there may be more to come like
it.
Is it possible to claim an exemption from the subject access rights under
DPA98 for personal data on our internal accident report forms (marked
'confidential, for possible use in legal proceedings') or insurance claim
forms we send to our insurers where there is the realistic possibility --
but not yet certainty -- of a negligence claim or breach of statutory duty
action against the University ?
I have considered:
1. Since our insurers can exercise subrogation rights to initiate or defend
legal proceedings in our name, is it possible to extend 'legal professional
privilege' to this, and invoke Sch 7 para 10 which exempts the personal data
from the 'subject information provisions'? As our solicitors have been
sceptical of the advice given by the speaker from Masons at Manchester
Airport last May that one simply solves the problem of disclosing
contentious material by getting one's solicitors to store it, I don't have
high hopes of Sch 7 para 10.
2. Alternatively, might it be possible to bring this within the
'Negotiations' exemption (Sch 7 para 7)? My guess would be not. As accident
reports and insurance claim forms are usually factual, I suspect they
wouldn't meet the test that they are 'records of the intentions of the data
controller in relation to any negotiations...'
3. Even though legal proceedings might be contemplated, s. 35 is no good as
that allows us to disclose data that we wouldn't otherwise be allowed to,
but not to keep data to ourselves that otherwise the data subject could see.
4. Our Safety Office and Insurance Officer could aim to complete the
paperwork on every accident investigation within 40 days during which they
pass the data to the University's or insurers' solicitors in order to claim
privilege. Even assuming this would do the trick legally, it's not really
practical given the low reporting threshold and numbers of reports generated
each year. It would also probably affect the present co-operative atmosphere
in which witnesses are prepared to provide information about an incident.
None of these feels right.
This enquiry has been prompted by our Safety Office who, concerned not to
compromise the University's legal position in the event of a claim, have
pointed out that the Safety Reps and Safety Committees Regs currently allow
a trade union safety rep to see any papers about an accident subject to the
written consent of the victim but that there is a get-out clause if the
request is unreasonable. Will the DPA98, they ask, now undermine the
get-out?
Apart from advising them not to let the DPA98 stop them continuing whatever
enlightened but prudent policy on disclosure they now follow which has
fostered a spirit of trust and co-operation with the campus trade unions, I
haven't at the moment got clear authoritative advice to give them.
Has any other Data Protection Officer dealt with this question yet and if
so, what would they advise?
---- Brian Barnard, DPO, University of Surrey
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|