My view is that there are not 2 data controllers, but that the ALLIANCE is a
data controller per se in its own right, and needs to be declared as such
with statements about how the data is handled made prior to starting
processing.
However this arrangement could probably have been constructed as
Processor/controller.
It seems to me that the breach of the laws is in either the lack of creating
the correct processor/controller relationship, OR in not registering the
alliance as a data controller. Looks like one to keep legal firms in
profit!
_____________________________________________________________
Tim Trent
Chief Privacy Officer EMEA
Gartner
EMEA Marketing, Tamesis, The Glanty, Egham, Surrey, United Kingdom,
TW20 9AW
Switchboard +44 (0)1784 431 611, Direct Line +44 (0)1784 267 335, Mobile +44
(0)7710 126 618, Fax +44 (0)1784 268 932
http://www.gartner.com
[log in to unmask]
The opinions expressed in this message are my own, and may or may not
reflect those of my employer. They are expressed as a part of the
discussion on the JISCMail mailing list on data protection and for no other
purpose. They have no legal standing and are offered as part of informed
and informal discussion. They may NOT be attributed to Gartner in any way.
Any personal data provided is provided expressly for use of discussions on
the JISCMail Data Protection Discussion list. Under the UK Data Protection
Act 1998 I expressly forbid any individual or organisation to make
commercial use of my data published either on the email list or in the
archives of that or other lists whether this message appears or not. This
includes messages already published in the archives.
-----Original Message-----
From: Duncan Smith [mailto:[log in to unmask]]
Sent: 17 October 2002 17:04
To: [log in to unmask]
Subject: Share the work, share the risk?
A bit heavy for the end of the week I know, but someone has to do this
stuff! ...
An HE body (call them X) has a high profile course that it offers
successfully to many students. The overheads in managing all the
administration are however such that it forms an 'alliance' with another
training organisation (call them Y) to manage all of the student
enrolment process and a significant distance learning element. The
course is strongly branded under X's brand, whilst Y beavers away
quietly underneath.
The body managing the enrolment and distance learning processes, 'Y',
has all the processing responsibility to make them a data controller.
There are therefore two data controllers, X and Y, acting in common.
Information passes freely between X and Y, mostly for the right reasons,
but eventually Y decides to use the data for some extra curricula
marketing that gets right up the nose of student Z.
Z is successful in demonstrating a breach of the Act (unfair processing
breach of 1 and 2 ) and claims compensation from X (not Y) because he
knows nothing of the machinations that made his course progress so
smoothly!
As this is not a data controller/data processor arrangement, does Z
carry any liability?
Regards,
Duncan S Smith
Principal Consultant
Mailto:[log in to unmask]
M: +44 (0)777 556 8180
T: +44 (0)1480 461 671
CoProfiles
"The Process of Improvement"
----------------------------------------------------------------
The information transmitted is intended only for the person or entity to
which it is addressed and may contain confidential and/or privileged
material. Any review, retransmission, dissemination or other use of, or
taking of any action in reliance upon, this information by persons or
entities other than the intended recipient is prohibited. If you
received this in error, please contact the sender and delete the
material from any computer.
The information contained in this correspondence is not intended as
legal advice or counsel, and is not represented as such by the sender.
Company Profiles makes no warranties or statements regarding the legal
acceptability of the information presented in this correspondence. Any
actions performed as a result of this information are of the recipient's
own choosing.
CoProfiles Huntingdon UK
-----------------------------------------------------------------
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|