In a message dated 30/01/2001 17:00:18 GMT Standard Time,
[log in to unmask] writes:
<< > 'but the data processor does not have to comply with the Act'

Is the last statement technically correct? All persons processing data,
registered (notified) or not, have to apply the data protection principles.
The removal of the link between legal action and registration achieved that,
did it not? >>
------------------------------
Ian
Data processors cannot be held liable under the DPA for any breach where the
data is not under their control (i.e. it belongs to the client); there are no
offences that can be committed by data processors - except where they are
purporting to act on behalf of a data controller - and therefore (strictly
and technically) they do not have to comply with the law. Yes, we could go
into the fact that they are ALSO data controllers if they have their own data
on their own staff, their own clients, etc., but that is not the point of this
discussion.
In a payroll situation it would be like a council having their own staff
payroll files and also the payroll records of (say) university, police or
fire service staff. The council could legitimately use their own staff
records in a data matching exercise against benefits data, but not the other
records, as they are not the data controller; they would need the specific
instruction (not permission) of the Uni, police, fire, or whatever in order
to process that data.
Data controllers must, and let me stress MUST, have contracts in place that
would ensure their contractors' compliance with the legal responsibilities of
the data controller. The contract should also set out the consequences of
non-compliance, such as immediate termination of the contract. Although the
controller is responsible for the actions of the data processor, they will
want some civil remedy to recover any fines, costs, compensation, etc.
It is no good having a general clause (as was common under the 1984 Act) that
"the contractor will at all times comply with the requirements of the Data
Protection Act." In fact it wasn't much good under the old Act either,
because computer bureaux only needed to register as such and comply with the
old Eighth Principle (security). Now they don't even have to do that - only
the data controller has to adhere to the Principles (even if they qualify for
exemption from notification), only the data controller can be prosecuted for
non-notification, and only the data controller has to meet the rights of the
data subject under Part II of the Act.
Anyone can, of course, be prosecuted under s55 and s56 but if they are not
acting on instruction from a client, the person (e.g. an investigator) would
be a data controller in their own right and therefore would be liable as such.
Hope this helps to clear up what was, after all, a rather sweeping (and
brief) statement.
Ian B
MD
Keep IT Legal Ltd
www.keepitlegal.co.uk