In a message dated 30/08/2000 12:15:05 GMT Daylight Time,
[log in to unmask] writes:
<< I am at present trying to draw up a statement for IT Suppliers/Contractors
to ensure that they treat my Council's personal information in complete
confidence when they are working for the Council either on site or in their
own offices testing data/data conversion or are acting as temporary support
officers for the Council. Do you think it would suffice to get the
Company/sole Contractor to sign a Confidentiality Agreement or would you
draft a Third Party Contract to this effect? Anyone any ideas/examples?
I have already drawn a statement up to this effect for our own IT Staff
where they are able to take over employees' pcs and have access to their
personal directories etc. >>
-------------------------------------
Doreen, et al
Contracts with any third party to supply a processing service (data
processors - formerly computer bureaux - and short term contractors, IT or
otherwise) should be specific in HOW the data processor must comply with your
requirements.
It is no longer sufficient to have a contract term that requires the data
processor to "comply with the Data Protection Act" because, as you know,
there is no requirement for them to comply with the Act - they don't even
have to notify!!
The data controller alone has responsibility (and liability) for the data and
they must therefore issue contracts that will ensure the controller complies
with the Act. The data processor must not obtain data from unauthorised
sources, they must not use or disclose it for unauthorised purposes, they
must not even look at it without your say-so. "Unauthorised" in this sense
means not included in the contract or the associated SLA (Service Level
Agreement).
In terms of security, you should specify what you deem necessary for
protection of the data and the data processor should be required in contract
to supply that level of security.
Your contract should make clear the consequences of breach of the terms (e.g.
contract termination) but you should not lose sight of the fact that if the
processor does something wrong, your organisation will be the one having to
justify its actions under data protection law and it will be your
organisation that is sued for damages where appropriate.
If your contract is good enough, you might be able to recoup fines and costs
after your own case is resolved.
Ian Buckland
MD
Keep IT Legal Ltd
Please Note: The information contained in this document does not replace or
negate the need for proper legal advice and/or representation. It is
essential that you do not rely upon any advice given without contacting your
solicitor. If you need further explanation of any points raised please
contact Keep I.T. Legal Ltd at the address below:
55 Curbar Curve
Inkersall, Chesterfield
Derbyshire S43 3HP
(Reg 3822335)
Tel: 01246 473999
Fax: 01246 470742
E-mail: [log in to unmask]