There are several issues here.
I would think that disclosing personal data to the third parties who hire
your facilities is an obvious use of the personal data, and data subjects
would expect this to happen. It would therefore be sufficient to include
the third parties in the list of disclosures in your registration under the
1984 Act. In the interests of transparency, it would do no harm to inform
data subjects that such disclosures are likely.
However, your point about the third party being responsible for the whole
event could indicate that the personal data is also their responsibility and
that you may be providing them with a computer bureau service. If this is
so, you should be registered as a data user and computer bureau, and the
personal data relating to each of the third parties should be clearly
separated from each other and from your own data. Responsibility for
complying with the DP Act would rest with the third party, except for the
8th Principle (relating to security of personal data) which would be your
responsibility.
Under the 1998 Act, the third party would be wholly responsible for
complying with the Act, and they would need to satisfy themselves that you,
as Data Processor on their behalf, have sufficient safeguards in place to
protect their data.
Hope this helps.
-----Original Message-----
From: Gordon Hunt [mailto:[log in to unmask]]
Sent: 27/01/2000 12:49
To: [log in to unmask]
Subject: Box Office Booking Information
Apologies if there's an obvious answer to this one that I'm missing:
We operate several theatres and concert halls which are sometimes hired out
to third parties. When this happens tickets are sold through *our* box
office and personal data (names & addresses) is recorded on our box office
system. We are registered for our own use of this data.
What concerns me is what happens when the third party asks for a list of
names and addresses of the people who bought tickets. We are not registered
for trading in personal information but are we merely an intermediary in
this case (that is, the third party pays for the hall, takes the ticket
money and is clearly responsible for the concert on the publicity and
programmes)? On the other hand, the personal data is on our computer system
not theirs.
My first instinct was not to pass on the information unless we register for
trading in personal information and inform data subjects when they book
their tickets, what do other people advise?
Regards
Gordon
************************************************************
Gordon Hunt
Head of Information Services
Royal Scottish Academy of Music & Drama
100 Renfrew Street
Glasgow G2 3DB
Tel: 0141 332 4101 x269
Fax: 0141 332 5924
***********************************************************
**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.
This footnote also confirms that this email message has been swept by
MIMEsweeper for the presence of computer viruses.
www.mimesweeper.com
**********************************************************************
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|