Data Protection/Privacy Query

Discussion in 'Finance, Property, Law' started by CaptainPlume, Jun 14, 2012.

  1. Not something I'm getting my knickers in a knot about, but I'm interested in a certain aspect of data protection & privacy. I deal with confidentiality a lot at work & the following just doesn't seem right.

    I was dealing the other week with a volunteer who administers access passes for a shared leisure facility for a building on behalf of a voluntary management committee. The volunteer mentioned that they'd caught out someone abusing the facility because they could tell from a computerised record when the person had entered & left the area.

    It appears each access device is linked to an individual user & when the device is used this is logged. My query is, is this legal? I asked the volunteer who said words to the effect of, "oh don't worry about privacy or data protection, only the committee & I can access these records unless the police or someone asks for them".
  2. Entirely legal. It is a normal means of security and as long as the information logged is being used as intended and not for other means (stalking, harassment) then no probs.
  3. Is this a security breach or abuse of facilities, or both, CP? Maybe the Information Commissioner's Office would know the answers, especially if the DPA has been breached. Or perhaps abuse of corresponding terms and conditions, fraud by permitting fraudulent use of a card, facilities or equipment. In house rules usually cover this stuff.
  4. It'll be on the 'terms of use' agreement for the pass.
  5. Cheers, thanks for the input.
  6. msr

    Building pass records access?
  7. It's a group of residential buildings with a shared facility in the middle. One can get to the entrance of the facility without passing any other security.

    As I said, it's not of great consequence. It's just the relish with which the volunteer was going on about how everyone's movements were tracked was a bit creepy, almost in a "Big Brother Is Watching You" style. I had a squint at the paperwork & don't remember any agreement being required to the Committee knowing all this.
  8. It is unlawful if those about whom data is being collected have not given their consent. Data may only be processed with the consent of the data subject, excepting in instances of the prevention of crime etc.

    Data subjects are entitled to issue a requirement for a data controller to cease processing data in a particular way or for particular purposes. Failure to do so may prompt investigation by the Information Commissioner.

    Have you checked whether the organisation in possession of this data is registered with the Information Commissioner's Office on the Register of Data Controllers?
  9. The organisation is a bunch of well-intentioned amateurs running a communal facility for the good of a group of people at a series of addresses. It has the typical British thing of several control freaks with nothing better to do now they are retired or while their husbands are out at work, so spend their time cooking up various rules & regulations.

    Strangely enough many of these rules & regulations are ignored (and indeed we have been told that certain rules & regulations do not apply to the committee) by the vast majority of users of the facility. It's just I have an enduring sense of fairness & sticking by what I have been asked to abide by so it sticks in the craw.

    As I said I'm not particularly concerned. Use of the facility is of more importance to me than the committee's adherence or not to the various legislation. My query was academic & I'm not going to go rattling any cages!
  10. Dullard!
  11. I suppose it would have only been a breach if they told you who it was.

    Data protection, why not write to them and ask for all their records on yourself.
  12. It depends on what data is being held in the first instance, and what is being processed. Is it a cross-database lookup? An ID Card serial, plus a date/time stamp, does not constitute identifiable personal data on its own merits.
  13. For what reason was the log being checked? If the records were being looked at without prior cause or permission then it is potentially a breach. However depending on the size and type of the organisation it may not have to register with the ICO. This does not mean they are not bound by the regulations as laid down.

    The system probably logs the card number and this would have to be compared against the issue records to find out who has the card. This is probably automatic given the way so many databases are run. Interrelational databases without proper filters in place usually show far too much information.

    There are a couple of good books about this area published through the British Computer Society. One is about IT law for managers and the other about the Data Protection Act and implementation.
  14. The key point is: "For what purpose is the date and time of access and egress recorded?" Has the volunteer breached those purposes?