In a message dated 29/01/2001 17:19:34 GMT Standard Time, [log in to unmask]
writes:
<< A data processor when performing certain functions can become a data
controller. e.g. An employment agency that you have employed as part of its
remit checks with the credit reference agency to see if the applicant appears
on the electoral register and has no county court judgements. That employment
agency is your data processor but when they access the credit reference
agency they become joint data controller with the credit reference agency
with regard to that aspect of the processing. I feel that when the courts get
hold of this legislation they will develop further this relation between and
definition of data controller/data processor. >>
--------------------------------
Even if the data processor is operating without a specific contract the
chances are they will have a defence in law by saying they are not the data
controller and they were only doing what was asked by the client
(controller). If the contract with the data processor does not cover methods
of data collection, types of data to be collected, security requirements,
etc., this does not make the processor a controller, it makes the contract
inadequate.
Under the old law, the processor (bureau) had to comply with the security
principle - the new legislation does not contain this requirement and they
have to comply with the security procedures in your contract.
If the data processor is deciding methods of processing and deciding what
information to give to the client they are a data controller and must notify
and comply with the principles as appropriate.
Ian B
Keep IT Legal Ltd
www.keepitlegal.co.uk