Re: points raised by Chris 27/11/00
From a security view A still has the data controller responsibility and
liabilities under the Act if permitting B to sub contract and security
failures occur.
A should cover the uses and security levels in its contract with B, including
permitting sub-contracting.
Personally, as a data subject, I do not believe a contract assists me as regards
the security of my data, as my concern is over who can access and read it, not
over whether security responsibility defined in a contract works. I have no
direct control over who a data controller releases my data to if they set
them up as a processor. If I wish to stop my data being disclosed I have to
be able to argue the potential damage such a disclosure could give rise to.
This is unlikely as I do not know the identity of processors a controller
may contract with. A contract will simply help to identify where
responsibility lies after failures.
I have wondered however whether the Contract (Rights of Third Parties) Act
1999 ( http://www.hmso.gov.uk/acts/acts1999/19990031.htm ) would allow a
data subject as potential member of a 'class group' as defined in Section 1
(3) of that Act (the group of individuals whose data should be secured) to
take action directly against a data processor for any damages caused by
security failures should a data controller choose not to do so. Any views
here on application of this Act in relation to DPA from those on the list
with a working knowledge of legal matters?
In my experience with everyone focussing on budgets the scenario portrayed
of data flows as defined is fairly common. It can also be difficult to
identify due to use of product brands. Subject Access service level
agreements as well as security need to be considered. I have administered
subject access requests where on approaching our processors for data
extracts I have met with resistance due to the employees of the processor
not being advised of the existence of the contract or the DPA relationships.
In an attempt to avoid this I tend now to recommend that contracts define
points of contacts for DPA issues to enable a sensible dialogue to occur
when subject accesses arise. However unless those drafting contracts are
trained on the subtleties of DPA such issues are commonly missed. The
problem does not tend to fall back to them but to the unfortunate DP
administrator trying to meet the organisation's 40-day subject access
targets. Not easy where data is dispersed to processors.
David Wyatt
-----Original Message-----
From: The aims of this list are to encourage an exchange of information for those [mailto:[log in to unmask]] On Behalf Of [log in to unmask]
Sent: 27 November 2000 16:24
To: [log in to unmask]
Subject: Data Controller-Data Processor
I would like to share the following thoughts with you which I am not aware
have been discussed in this group before.
A University outsources its IT department to Company A. The University is
Data Controller, Company A is Data Processor. Company A cannot cope with this
added work and in turn subcontracts part of the assignment to Company B. A
has now become joint data controller with the University. B is made up of a
group of individuals who charge B for the time they work on projects. Some of
the group operate under their own limited companies, some are self employed.
Company B is now joint data controller with A and the University. Some
members (C) of the group making up B occasionally use an employment agency to
provide temporary staff and for this scenario do so. C is now joint data
controller with B and A and the University.
For the relationship of controller and processor to exist there has to be a
contract in which reference should be made to data protection issues.
C does not want B to know how he operates, i.e. using part time staff. B does
not want A to know that they are not large enough to cope with this
assignment. A certainly don't want the University to know they cannot handle
it in-house. For the University to ensure that the personal data in this
scenario is being processed in accordance with DPA 98 they need to know where
it is and who is working on it. By the way, I forgot to mention that the
University employed a consultant who advised this outsourcing and as part of
their remit put the arrangements in place.
Far fetched? I think not. Where does it leave the University if there is a
breach of the Act?
Dare I suggest that this is happening all the time and not just in
Universities. It is something that we ignore at our peril.
Chris Brogan