In a message dated 27/11/2000 17:07:41 GMT Standard Time, [log in to unmask]
writes:
<< A University outsources its IT department to Company A. The University is
Data Controller, Company A is Data Processor. Company A cannot cope with this
added work and in turn subcontracts part of the assignment to Company B. A
has now become joint data controller with the University. B is made up of a
group of individuals who charge B for the time they work on projects. Some of
the group operate under their own limited companies some are self employed.
Company B is now joint data controller with A and the University. Some
members (C) of the group making up B occasionally use an employment agency to
provide temporary staff and for this scenario do so. C is now joint data
controller with B and A and the University. >>
----------------
Chris
Why do you assume that a data processor who sub-contracts the data processing
becomes a joint data controller?
Surely the data controller is still the Uni, with full responsibility for the
actions of A, B and C companies which are processing their data. If the
contract with company A did not specify they could not sub-contract to B, C,
etc., then the Uni cannot shift the blame for any unauthorised processing or
disclosures.
If the Uni is aware that sub-contracting takes place they should have clauses
in the contract covering this issue and should be able to vet the
sub-contractors for compliance with their DPA and security requirements.
Ian B
MD
Keep IT Legal Ltd
|