Anonymous
Asked: April 14, 2021 In: GDPR, Privacy Management

SAR & Conflict of Interest


Hello, if an ex-employee submits a SAR requesting data relating to a grievance that involved the DPO/Caldicott Guardian and Access to information Lead, how would it not be a conflict of interest that the parties involved were responsible for redaction and submission? Is there anything in DPA2018/GDPR?

    4 Answers

    1. Yorkie82

      Added an answer on April 14, 2021 at 1:59 pm

      If you have a two-step internal review process in place that should be easily avoidable that the same person is involved in the disclosure process that has been involved in the grievance procedure. But it should be very unlikely that if the data protection professional of the company has been involved in the grievance process that there is unnecessary or inappropriate data stored that would be needed to be disclosed anyway…
      There is no such thing as a conflict of interest, but it would be prudent to adapt the process slightly to have a stronger case for a fair process and independent review if a complaint with the ICO will be filed. Let the DPO still advise on what should be redacted, but let e.g. the Head of HR make the decision based on the advice.

      • HellenB

        Replied to answer on April 14, 2021 at 5:26 pm

        This is a really thoughtful answer.
        Your point about the DPO advising what should be redacted rather than making the final decision is something that should be a general practice, not least where there may be legal implications for a business. The practice of redaction could possibly be considered an ‘operational decision’ which some might suggest is outside the remit of a DPO’s advisory role.

    2. Stephen Lark

      Added an answer on April 16, 2021 at 1:10 pm

      You need to be careful and consider the actual data required. A SAR is a request for information contained on that data subject. It does not mean they have access to the content of all the communications that took place… only those that involved their personal data.

      The DSAR procedure should specify exactly what type of data is being sent and the rest should be redacted.

      Anything more may require a legal challenge by the data subject.

    3. Simon

      Added an answer on April 14, 2021 at 1:58 pm

      Potentially, yes. I would recommend that those individuals have zero involvement with the SAR other than as data subjects as necessary. You may need to find a new ‘home’ for the data you’re redacting while processing the SAR.

      I would discuss it with them, and/or the level of seniority above them (even if that’s the CEO) and request another individual of equal seniority provides the sign-off. You may need to train that new person so they can make an informed decision.
