I don't know if its just me but the difficulty here seems to me to be in
the nature of the relationships which organisations have been or are
involved in creating conflicting interests in the light of DP. Surely the
point is that now such arrangements as the one which you describe (with IEM
acting as both data processor and as security consultant), should they
compromise data protection standards, are in need of review in the light of
the legislation.

On the other hand, in your scenario, IEM may be seen as the ideal candidate
for you to use as a data processor as their security standards are trusted.
At the end of the day you will be responsible for seeing to it that you use
a processor whose standards of operations you approve - and you can write
into the contract such clauses as are necessary.

If the processor you want to use won't comply with the law, the law would
say you don't use them - well, you use them at your own risk.






                    Dave Wyatt
                    <Dave_Wyatt@BTINTERNET To: [log in to unmask]
                    .COM> cc:
                    Sent by: This list is Subject: Re: Don't use data processors!
                    for those interested
                    in Data Protection
                    issues
                    <data-protection@JISCM
                    AIL.AC.UK>


                    19/02/2002 01:12
                    Please respond to Dave
                    Wyatt






Re comment

> The bit about purposes I agree with, but my concern stemmed from a
> review of the security of the transmission of personal data. 'A'
> contracts with 'B' to manage personal data. 'B' is a big company, and
> is not going to be told by 'A' how to run it's business and therefore
> makes decisions about its network security and how data is shipped
> around. Because it makes those decisions it is a data controller,

I disagree 'B' is the data controller in the context of the data subjects
of
'A', whose data it is processing.

e.g. A organisation IEM offers lots of computer processing services but
they
carry none of the liability or obligations to the data subjects of their
customers whose personal data they are processing for them. If IEM have a
security breach the data subject has no right of action against them
directly unless the data controllers contract ensures that this can occur.
Now if I also use IEM as Security consultants how do they avoid the
conflict
of interest as part of that service to advise the data controller how to
transfer all costs and liabilities to them when they act my data processor.

This is a bit like the arguments going around conflicts of interests for
auditors also offering accountancy services.

In reality are data subjects rights rights weakened given the way a
processing services really operate. If you are the best security expert in
the world then who is qualified to conduct the appraisal of the processes
you may be offering. (Who audits the auditor argument).

As a data subject according to the Act I am mean't to be informed of the
identity of the 'data processors' used by my controller. Articles 10 and 11
of the EC 95/46 refer to notifying 'recipients' identities to data
subjects.
DPA 98 Sect 70 defines recipients as data processors. DPA 98 Sch1 Part II
2(3d) which links to Articles 10 and 11 has left it all deliberately
woolly.
Check it out. Giving the UK Acts drafting few data subject are likely to
understand their rights under DPA in this respect. I wonder what the OIC
would advise a data subject enquiring if they should be told of which
processors any given controller has choosen to use. Anyone seen any direct
reference to this in existing OIC guidance? If a data subject doubts the
accuracy of a data controllers response can they get any further via a
request for assessment through the OIC in arguing a potential breach of
principle 1?

How many controllers on this list are advising their data subjects who
their
data processors identities are or even what type of processors they are
using.

As an individual I can't remember a single case where I have been advised
this (although I am tending to not look too closely at the small print
these
days). If this is a principle 1 breach does that not allow me to seek
damages for unlawful processing against controllers who may have passed on
to a processor without informing me? What damage can I know I have
suffered
without understanding who is processing my data? e.g. Bank lose credit card
data to hacker - was my data amongst it? It appears a drawn out process to
try to construct an argument if I do not know if a processor is used or
not.

Now if I write to my local council, my university, my bank, my insurer, my
GP, my MP etc as data controllers for my data, what will they advise? I
suspect a full spectrum of responses would occur from an implied '--- off'
to 'Can you explain what you mean by 'data processor'?'

As you say 'dogs breakfast' I wonder who's holding the bone and risking an
arm

Anon
Name and address withheld ;-)



>
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
       All archives of messages are stored permanently and are
      available to the world wide web community at large at
      http://www.jiscmail.ac.uk/lists/data-protection.html
      If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
            All user commands can be found at : -
    www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
  (all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^




***************************************************************************
Disclaimer: This e-mail and any file transmitted with it are confidential,
subject to copyright and intended solely for the use of the individual
or entity to whom they are addressed. It may contain privileged
information.
Any unauthorised review, use, disclosure, distribution or publication is
prohibited.
If you have received this e-mail in error please contact the sender by
reply e-mail and destroy and delete the message and all copies from
your computer.
***************************************************************************

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
       All archives of messages are stored permanently and are
      available to the world wide web community at large at
      http://www.jiscmail.ac.uk/lists/data-protection.html
      If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
            All user commands can be found at : -
    www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
  (all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^