> 1) I certainly think that anyone who operates a list server
> where the list archive is available on a public Web site
> needs to ensure that anyone who subscribes is aware of the
> implications of this.  Some might argue that JISCmail has not
> done enough on this front (nor mailbase before it).  As a list
> owner I can change the welcome message to highligiht this
> issue, but I think it should be down to the operator of the
> list server system to inform users of this.  After all, this
> is the Data Controller in this instance, yes?

This raises an issue that is of interest to me in another setting and it
concerns the specificity of the determination of the use of the data.
I can see an argument that Jismail and mailbase merely offer so
generic a level of use of the data that they are data processors for
the list owners, who (attempt to) determine the specific use of the
data.  I think this issue overlaps with, but is actually rather distinct
from, the issue of the nature of the data, e.g. Email addresses,
necessary only for transfer cf. message contents...

My example is different but may help make the distinction.  I am part
of a research group who process data for many psychotherapy and
counselling services.  The data that reaches us is anonymised and
nothing in it or anything else we see can unanonymise it.  However,
the services who supply the data, probably can unanonymise it
unless they have taken the rather remarkable, and almost technically
impossible/implausible, decision to throw away any linking info.

Now we set a general spec. for the analyses we return to the
services.  We might, probably will, also sometimes do specific
extensions either because we can see it would make the analyses
more useful, or because services request such extensions.

We also, by agreement with the services and to everyone's
"scientific" benefit, from time to time run analyses on either the
whole accumulating dataset or subsets of it.  Those are mainly, but
may not only be, psychometric.  We determine those and the results
go into the "scientific" literature, i.e. the public domain, though never
with individual data and never, that we can see, with identifiable
service level aggregates (yet).

We also give the raw data in electronic form back to the services
and they may do various sensible analyses for their local needs
where they have the skills on hand.  Those analyses might be
automated but some might also be detailed case discussions of
outliers (i.e. quite specific to a named individual and drawing in data
way above and beyond the anonymised data processed by us).

Now my view is:
a) That we are data controllers in relation to the group summary
analyses sent back to the services and the specifics we do above
and beyond those. (Or, more strictly, the data are simply not within
the remit of the DPA as they don't seem to be "personal data", but
that only dodges rather than answering what seems to me to be an
interesting question!)
b) If we work with an individual service to come up with additional
analyses, we and they are joint controllers?  How do you work out
the balance, often they might say what they want and we might
advise on the statistical and psychometric analyses that seem most
apt.
c) Where they do analyses on the data we send back to them, they
are data controllers.

I _think_ that's sensible. Now for me it illustrates some of the
problems of the DPA coming off the rails with the best of intentions,
because I think that the complexity of explaining all that so there
could be fully informed consent, is way into "disproportionate".

(I know I've tilted this a bit as the true anonymisation of the data that
reach us do seem to put that layer outside DPA ... but the issue
seems to arise for the Jismail situation.)

Any thoughts anyone?

TIA,

Chris

P.S. Please note that the role in which I do this work is not, directly,
one arising from any of the three (!) jobs shown in my signature
though I suspect similar issues are faced in those august bodies or
will be some day!

Chris Evans <[log in to unmask] or [log in to unmask]>
Consultant Psychiatrist in Psychotherapy,
Rampton Hospital; Associate R&D Director,
Tavistock & Portman NHS Trust;
Hon. SL Institute of Psychiatry
*** My views are my own and not representative
of those institutions ***