Several people in this debate have said that you can't really have joint
Data Controllers. I disagree.
For any organisation, the question is 'are we a Data Controller in respect
of this particular personal data?' And the answer is yes if that
organisation 'determines' the 'purposes' and the 'manner' of processing
'either alone or jointly or in common ...'. (s1(1))
So if you are part of a consortium or partnership where the members only do
things that they agree on, you are acting jointly. And I think (though the
lawyers may like to correct me) that if you are in a consortium or
partnership where you share out the work for a common purpose and then let
everyone get on with their bit, you are acting in common.
Now, you may like to argue that the act says 'determine the purposes ...
*and* the manner ... ' What happens if you determine the purposes but not
the manner or vice versa? I think that would bring you under the 'in
common' part. I determine the purposes, you determine the manner; we are
therefore both Data Controllers.
Each member of the consortium or partnership must decide whether they are
also a Data Controller in respect of that same personal data, and the test
is whether they play any part in making the decisions.
Each Data Controller then has to decide (a) whether to notify, and (b) how
to comply with the Principles. The fact that someone else is also
contributing to the processing is neither here nor there. If you're a Data
Controller, you may get it in the neck if the Act gets breached.
Normally where people act jointly (and again I'll defer to the lawyers), you
are jointly and severally liable. In other words, if I need to sue the
group I can choose the richest target, or the one with the worst lawyer, and
they have no choice about carrying the can for everyone. I think the same
applies to joint Data Controllers. A SAR would be equally valid made to any
of them, as would a claim for compensation, etc, regardless of who actually
held the data or who had actually made the mistake. It would be up to the
Data Controllers to make arrangements between themselves to help each other
discharge their duties or, possibly, meet any liabilities.
I agree that in the specific case mentioned, it is possible that the council
is sole Data Controller, acting after taking advice from the police. If the
police hold the data on the council's behalf they are Data Processors; if
they subsequently use it for their own purposes it is a disclosure. But it
is surely possible to think of many situations where you do genuinely have
joint Data Controllers.
What I don't understand is the reported ACPO decision not to be Data
Controllers. It's not a matter of choice; it's a matter of fact. If you
'determine ... etc.' then you *are* a Data Controller, like it or not.
Paul Ticher
Information Management
0116 273 8191
22 Stoughton Drive North, Leicester LE5 5UB
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
all commands go to [log in to unmask] not the list please!
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|