I would like to share the following thoughts with you which I am not aware
have been discussed in this group before.
A University outsources its IT department to Company A. The University is
Data Controller, Company A is Data Processor. Company A cannot cope with this
added work and in turn subcontracts part of the assignment to Company B. A
has now become joint data controller with the University. B is made up of a
group of individuals who charge B for the time they work on projects. Some of
the group operate under their own limited companies, some are self-employed.
Company B is now joint data controller with A and the University. Some
members (C) of the group making up B occasionally use an employment agency to
provide temporary staff and for this scenario do so. C is now joint data
controller with B and A and the University.
For the relationship of controller and processor to exist there has to be a
contract in which reference should be made to data protection issues.
C does not want B to know how he operates, i.e. using part-time staff. B does
not want A to know that they are not large enough to cope with this
assignment. A certainly don't want the University to know they cannot handle
it in-house. For the University to ensure that the personal data in this
scenario is being processed in accordance with DPA 98 they need to know where
it is and who is working on it. By the way I forgot to mention that the
University employed a consultant who advised this outsourcing and as part of
their remit put the arrangements in place.
Far fetched? I think not. Where does it leave the University if there is a
breach of the Act?
Dare I suggest that this is happening all the time and not just in
Universities. It is something that we ignore at our peril.
Chris Brogan