Re: SAR for social services - redaction

Section 37 / schedule 7 DPA covers various excemptions which are less likely to apply in the case of a LA.

Depending on circumstances one could possibly rely on - https://ico.org.uk/for-organisations...on/exemptions/ :

"Legal advice and proceedings

Personal data is exempt from the non-disclosure provisions where the disclosure of the data is necessary:

• for or in connection with any legal proceedings (including prospective legal proceedings);
• for obtaining legal advice; or
• for establishing, exercising or defending legal rights.

You do not have to disclose personal data in response to a request from a third party simply because this exemption applies. You can choose whether or not to apply the exemption to make a disclosure, and you should do so only if you are satisfied that the disclosure falls within the scope of the exemption. In other words:

• it is necessary for one of the above purposes; and
• applying the non-disclosure provision would be inconsistent with the disclosure.

When faced with a request for disclosure, it can be difficult to decide whether the necessity test can be satisfied. You may also be reluctant to make a disclosure of personal data because of your relationship with the individual. In such circumstances you may decide not to comply with the request, unless obliged to do so under a court order.
Personal data is also exempt from the subject information provisions if it consists of information for which legal professional privilege (or its equivalent in Scotland) could be claimed in legal proceedings in any part of the UK.

"

Re: SAR for social services - redaction

Hi

If its your data ( file ), you should get it without redactions apart from other peoples names, and references to anyone else file and the curcs that [MENTION=37437]JCE[/MENTION] describes. I have had to do SAR for social services years ago, and went through the ICO nd got the full files from 2 councils, unredacted.

Ask them to explain the redactions

Re: SAR for social services - redaction

Thanks CC & would you (or anyone else here on LB) please clarify, what is usually considered "third party" data, as ICO states - https://ico.org.uk/for-organisations...ey-definitions :

“Although a data controller’s employee to whom information is disclosed will be a ‘recipient’, they will usually not be a “third party”.
This is because the employee will usually be acting in their employment capacity, and so will be acting on behalf of the data controller.”

Yet a puplic body redacted recently all employee names in response to a SAR which according to Shamen's old post here they should not ?!: http://legalbeagles.info/forums/showthread.php?23577-banks-and-sars&p=164494#post164494

In this instance ICO declared they would not enforce compliance even though the public body in question failed to respond within the 40 day timeframe and did not provide the comprehensive SAR-information requested.

Which sections of the DPA 1998 would validate a breach of the DPA in case of non-compliance and enforce the un-redacted release of the employee-names if acting in their employment capacity on behalf of the data controller??