Observations on the discussion points of definition and use of processors
1: In today's commercial world I agree you cannot avoid the need for
processors. In DPA terms they are basically those who can 'pile it high and
sell it cheap' in any area of specialism which utilises personal data. There
is no statutory obligation to use a processor; it is simply a controller's choice.
The decision is generally made due to cost efficiencies, but cost it carefully.
We have not yet seen the Act used in anger by individuals seeking
compensation. Lose one case due to a security failure and you may have 1000
to follow, as security breaches often relate to loss of personal data on many
individuals at the same time.
(To err is human; to really foul things up you need a computer.) If one data
subject can make a case for damages, risks may be higher than you anticipate.
All administration has a cost, and outsourcing processing inevitably
increases some of the controller's costs in managing personal data held
remotely in line with the Act's principles.
If a controller saves money by using a processor but loses it by being sued
for picking a poor one, there was little point in using a processor. Duncan's
point, I believe. As my Grandad used to say, you generally get what you pay
for.
2: The majority of discussions I see about controllers and processors never
seem to refer to their relationship or responsibility to the data subject.
This is key. Personal data starts somewhere and is owned by someone. (Would
this dubious distinction go to health services when delivering a baby?) A
definition of controller has to exist in the legislation because they have
the responsibility to protect the rights of data subjects. The DPA does not allow a
controller to abdicate responsibility for security. If you do not audit your
processors' technical and organisational security, are you covering your
obligations in Sch 1 Part II Section 11 b? The risks remain with
controllers.
3: Controllers, joint controllers or controllers in common, are created by
legislative requirements. They may exist due to the legal relationship each
has to the data subject and / or by statute. A controller has to determine
both the purpose and the manner of the processing. Processors (service
providers) rarely determine the purpose of processing but often determine
the manner of processing, given they are offering a service they designed.
Controllers have an obligation to advise data subjects of recipient
categories, one of which is their processors.
David Wyatt
> -----Original Message-----
> From: This list is for those interested in Data Protection issues
> [mailto:[log in to unmask]]On Behalf Of Kirsty Gray
> Sent: 19 February 2002 16:15
> To: [log in to unmask]
> Subject: Re: FW: Don't use data processors!
>
>
> >Does anybody really have a relationship with a third party that makes
> >NONE of their decisions about how data are, or are to be, processed? If
> >there are, as data controller you must spend a lot of time in their IT&S
> >meetings.
> >
>
> Hi all,
>
> Surely this is only true if you view data processing & security as an ICT
> issue? Anyway, doesn't the data controller decide the what & why of the
> processing and the data processor may or may not decide the how?
>
> The contracting out of services within local government (and presumably NHS
> and other public bodies) means that we're often passing on personal data
> about citizens to private or voluntary organisations providing the actual
> service.
>
> So we only want these other organisations to process our citizens' personal
> data for the purpose of providing the contracted service. For this we need
> a water-tight contract because as data controller we would carry the can if
> the service provider / data processor breached DP principles or used the
> data for a purpose other than specified by us.
>
> Kirsty E Gray
> Information Rights Officer
> Gateshead Council
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> All archives of messages are stored permanently and are
> available to the world wide web community at large at
> http://www.jiscmail.ac.uk/lists/data-protection.html
> If you wish to leave this list please send the command
> leave data-protection to [log in to unmask]
> All user commands can be found at : -
> www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
> (all commands go to [log in to unmask] not the list please)
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^