....but the nature of the relationship between data controllers is
different to that between data controller / data processor
BSI have a guide if you've not read it - "Guide to Data Controller and Data
Processor Contracts" which I think makes it pretty clear what the
legislation is getting at.
I'll quote a bit here:
Joint Data Controllers together determine the purposes for which
and manner in which the personal data is to be used and both parties
process the data for the same purposes. For example two companies
within the same group who share the same marketing data base for the
same purpose, marketing the products of the group, are likely to be
joint data controllers. Both could be liable for any breach of the
Act which occurs in relation the the shared set of data.
Data controllers in common share the same set of data for
different purpsoes. In this relationship, each data controller is
responsible for determining the separate purposes for which the data
is used.
An example of data controllers in common is demonstrated by the
relationship whcih exists between credit reference agencies and
financial services organisations.
Data processors are distinguished from data controllers because
they do not exercise control over the way in which the personal data
they handle is processed. They do not determine the purposes for
which data is processed although they may to a certain extent
determine the manner in which the data is processed. The
distinction between a data controller and a data processor is
important because only a data controller has any direct obligation to
comply with the requirements of the Act. In effect it means that the
data controller will be liable for any breach of the Act which occurs
while its data are in the hands of the processor.
There are surely a range of types of relationship which may be entered into
between various types of organisations. I think the thing to remember is
responsibility for the data under the law. If a data controller A enters
into a relationship with another organisation, B, who process data on its
behalf to its specifications then the data controller, A , is responsible
for ensuring compliance with the DP Act and will be the body answerable for
that particular data should there be a challenge. It is its responsibility
to ensure that B has appropriate systems/procedures in place to comply with
the act before entering into an arrangement with them.
Colette
IT Strategy
St Helens Council
Duncan Smith
<[log in to unmask]> To: [log in to unmask]
Sent by: This list is cc:
for those interested Subject: Re: Don't use data processors!
in Data Protection
issues
<data-protection@JISCM
AIL.AC.UK>
18/02/2002 21:55
Please respond to
Duncan Smith
The deeper you get, the darker it gets!
The bit about purposes I agree with, but my concern stemmed from a
review of the security of the transmission of personal data. 'A'
contracts with 'B' to manage personal data. 'B' is a big company, and
is not going to be told by 'A' how to run it's business and therefore
makes decisions about its network security and how data is shipped
around. Because it makes those decisions it is a data controller,
because it's a data controller it is not obliged to act in accordance
with the wishes of the Data Protection Act 1998 as dictated by 'A' (data
processor and all that). So what is the point of having that bit in the
Act about data processors and written contracts? It has to be for every
body, or nobody. 'A's relationship with 'B' should be as tightly bound
as if it were a data controller - data processor relationship - surely?
Dog's breakfast again!
-----Original Message-----
From: This list is for those interested in Data Protection issues
[mailto:[log in to unmask]] On Behalf Of Ian Welton
Sent: Friday, February 15, 2002 7:51 PM
To: [log in to unmask]
Subject: Re: Don't use data processors!
I spent some time pondering this one too.
The conclusion I came to was that if data controller 'A' was aware that
information they were legitimately supplying to data controller 'B' was
either being used by 'B' outside of the purpose it was provided, or for
a purpose which did not match the purpose(s) the data subject had been
advised of, then 'A' could not continue to disclose the data, without a
breach of principle occuring, unless some schedule 2 or 3 criteria could
be legitimately applied.
Ian W
> -----Original Message-----
> From: This list is for those interested in Data Protection issues
> [mailto:[log in to unmask]]On Behalf Of Duncan Smith
> Sent: 15 February 2002 15:55
> To: [log in to unmask]
> Subject: Don't use data processors!
>
>
> Is this just plain madness, or what?
>
> If, as a data controller, I ask someone to process personal data on my
> behalf, there appears to be three options for the relationship. The
> other party is either a data processor, a joint data controller, or a
> data controller in common.
>
> My reading of Data Protection Act 1998 indicates that only in the
> first situation, where the other party acts as a data processor, is
> there any
> 'protection' for the data subject. In this situation, the
> [first] data
> controller has an obligation under principle 7 to ensure that further
> down the line any data will be handled in accordance with the Act. If
> however the data is passed to another data controller, then the first
> data controller has NO obligation to ensure the safe processing of the
> data once outside their hands.
>
> Would there be joint & several liability in this instance, or could
> the first data controller simply pass all the blame onto data
> controllers 'down the line'?
>
>
> Duncan S Smith
> Principal Consultant
>
> e-mail: [log in to unmask]
> gsm: +44 (0)777 556 8180
>
> Company Profiles
> "The process of Improvement"
> ----------------------------------------------------------------
> The information transmitted is intended only for the person or entity
> to which it is addressed and may contain confidential and/or
> privileged material. Any review, retransmission, dissemination or
> other use of, or
> taking of any action in reliance upon, this information by persons or
> entities other than the intended recipient is prohibited. If you
> received this in error, please contact the sender and delete the
> material from any computer.
>
> This footnote confirms that this email message has been swept by
> Norton Antivirus software for the presence of computer viruses.
>
> Company Profiles Huntingdon UK +44(0)1480 461671
> -----------------------------------------------------------------
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> All archives of messages are stored permanently and are
> available to the world wide web community at large at
> http://www.jiscmail.ac.uk/lists/data-protection.html
> If you wish to leave this list please send the command
> leave data-protection to [log in to unmask]
> All user commands can be found at : -
> www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
> (all commands go to [log in to unmask] not the list please)
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|