My previous advice had been along those lines. The report made me consider
carefully the data controller definition from both perspectives,
which illustrated the anomaly.
The employer is the data controller in that (s)he determines the purpose of
the processing but cannot determine the manner in which all the
processing is conducted due to the medical ethics issues.
The OHU doctor determines the manner in which some of the processing occurs.
The employer does not have any say over part of the doctor's work, hence part
of the manner of processing.
It appears to me now that either both are joint data controllers or possibly
a data processor agreement is required for OHU doctors, which fully
determines the processing and incorporates all the medical confidentiality
issues. In that way it could be said that the OHU were not controlling the
data, even though the employer was not, and could not directly affect all of
the processing which takes place.
Ian W
----- Original Message -----
From: "Gardiner, A" <[log in to unmask]>
To: "[log in to unmask]" <[log in to unmask]>
Sent: Monday, September 10, 2001 11:47 AM
Subject: RE: Control of OH medical data
> Ian,
>
> Our Doctor/OHU raised this point some months ago after having attended some
> seminar or other. At the time I presumed the advice was out of date and
> related to registration under the old Act.
>
> My advice was that a legal entity can only hold one notification under the
> new Act, therefore the Chief Officer of Police could not have two separate
> notifications. The Doctor/Nurse etc. may need to have one for their own
> professional consultancy activities outside of their contract with the
> force.
>
> It was my opinion then and still remains (I think) that the OHU staff are
> employees or agents (maybe processors) of the data controller working within
> their contractual terms to the Chief Officer. Obviously, they have medical
> confidentiality constraints and may collect data not privy to any others
> within the organisation, however, the purpose and manner of the personal
> data collection is determined by the employer, not the Doctor or other OHU
> staff.
>
> The Information Commissioner draft employment code refers to OHUs and makes
> no suggestion that separate notification might be required. Her main concern
> was security and fair processing.
>
> If your research comes to a different conclusion I would be interested in
> the results.
>
> Alan Gardiner
> FDPO
> City of London Police
> 020 7601 2209
>
> From: Ian Welton <[log in to unmask]>
> To: [log in to unmask]
> Subject: Control of OH medical data
>
> Having recently read a report on Occupational Health Unit medical data by a
> Dr. Diana Kloss (Manchester School of Law) in which she advises OH
> departments to hold data protection notifications separately from the main
> organisation they work for, I considered the question of control of OH data
> with some surprising and supportive conclusions for Dr. Kloss.
>
> When medical ethical guidelines are taken into account the position within an
> organisation of an OH doctor certainly appears to meet the definition of a
> data controller.
>
> Having some work to do on the OHU within my organisation the following
> questions arose.
>
> Do the circumstances of the work undertaken by an OH doctor mean they are a
> joint controller under the DPA 1998?
> Or are they the controller of the organisation's health data on their own?
> With the organisation having no control?
> Could an OH doctor's position be said to be similar to a GP's data
> protection situation?
>
> How do the other organisations out there deal with this?
>
> Ian W,
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> If you wish to leave this list please send the command
> leave data-protection to [log in to unmask]
> All user commands can be found at : -
> www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
> all commands go to [log in to unmask] not the list please!
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
>
> ----- End Forwarded Message -----