Alasdair,
A last word on data processors!?
I agree when you say ..
"You can't evade your responsibilities by calling a processor a
controller - the test is the terms governing the processing",
... but could you not limit your responsibility by setting up your
contracts carefully?
Instead of utilising a data processor, I ensure that any processing of
personal data I want done by someone else is done as a data controller
in common. I take all necessary steps with regard to ‘fair processing
information’ and inform data subjects that their data will be passed to
another data controller, and accept the fact that 'my' personal data
once transferred to the other data controller can be used for whatever
purpose they determine.
As the BSI guide points out ..
Data processors are distinguished from data controllers because
they do not exercise control over the way in which the personal
data they handle is processed. They do not determine the purposes
for which data is processed although they may to a certain extent
determine the manner in which the data is processed.
... so I am not using a data processor, even though they are processing
data for me.
When my 'data processor' breaches the Data Protection Act 1998 and the
Information Commissioner comes looking for me, I can now pass
responsibility back to the company processing the data for me because
they are not, by definition, a data processor, but a data controller.
When you read the guidance given by the BSI and the Information
Commissioner there are clear inconsistencies with the use of terms
processing and purpose. The quote above is a great example of how those
who serve to elucidate can confuse; either I exercise control over
processing or I don't. Why did it not say something like:
Data processors are distinguished from data controllers because they do
not determine how personal data is to be used i.e. the purposes. This
is always determined by the data controller who acquired and/or provides
the personal data. Data processors may however determine the manner in
which data is processed e.g. method of storage, as part of normal
commercial realities. It remains the responsibility of the data
controller to ensure that the manner in which personal data are
processed does not compromise the security of the data.
Enough on data processors.
Duncan
-----Original Message-----
From: This list is for those interested in Data Protection issues
On Behalf Of Alasdair Warwood
Sent: Wednesday, February 20, 2002 5:46 PM
Subject: Re: Don't use data processors!
Tim,
You are broadly right - any talk of not using processors is frankly
silly. What the third party does and is allowed to do defines whether
they are processors or controllers - think it through properly and
there will be no doubt. Whether or not the processor is also a controller
for other data is irrelevant. By trying to confuse the two concepts
you will simply multiply the number of breaches you end up committing.
Alasdair Warwood