I love it when someone says "last word" and "enough on the subject". To me
it has an amusing significance.
What do you do if your data subjects REFUSE to allow you to pass their data
to a third party? They have the right to do this, and I, if one of your
data subjects, would exercise that right.
Interestingly your proposed "Data Controllership in Common" strikes me as an
entity in its own right which should be registered under the act, and have a
separate registration since it is neither you nor the other party as Data
Controller, but the new "joint entity".
You cannot evade or weasel your way out of your responsibilities as a data
controller by clever and smart contracts. By seeking to do so, and by being
extra clever in this way I suspect what you do is attract a closer
investigation when the time comes. It will make an interesting test case
and create amusing precedents in the courts. I can think of more pressing
things to claim business attention than trying to evade responsibilities.
One of those is to prove and show that one's organisation is in the
forefront of implementation of the legal requirements and is unafraid to
take its responsibilities seriously.
_____________________________________________________________
Tim Trent
Chief Privacy Officer EMEA
Gartner
EMEA Marketing, Tamesis, The Glanty, Egham, Surrey, United Kingdom,
TW20 9AW
Switchboard +44 (0)1784 431 611, Direct Line +44 (0)1784 267 335, Mobile +44
(0)7710 126 618
Visit our home on the web: http://www.gartner.com
The opinions expressed in this message are my own, and may or may not
reflect those of my employer. They are expressed as a part of the
discussion on the JISCMail mailing list on data protection and for no other
purpose. They have no legal standing and are offered as part of informed
and informal discussion. They may NOT be attributed to Gartner in any way.
Any personal data provided is provided expressly for use of discussions on
the JISCMail Data Protection Discussion list. Under the UK Data Protection
Act 1998 I expressly forbid any individual or organisation to make
commercial use of my data published either on the email list or in the
archives of that or other lists whether this message appears or not. This
includes messages already published in the archives.
-----Original Message-----
From: Duncan Smith [mailto:[log in to unmask]]
Sent: 27 February 2002 18:16
To: [log in to unmask]
Subject: Re: Don't use data processors!
Alasdair,
A last word on data processors!?
I agree when you say ..
"You can't evade your responsibilities by calling a processor a
controller - the test is the terms governing the processing",
... but could you not limit your responsibility by setting up your
contracts carefully?
Instead of utilising a data processor, I ensure that any processing of
personal data I want done by someone else is done as a data controller
in common. I take all necessary steps with regard to ‘fair processing
information’ and inform data subjects that their data will be passed to
another data controller, and accept the fact that 'my' personal data
once transferred to the other data controller can be used for whatever
purpose they determine.
As the BSI guide points out ..
Data processors are distinguished from data controllers because
they do not exercise control over the way in which the personal
data they handle is processed. They do not determine the purposes
for which data is processed although they may to a certain extent
determine the manner in which the data is processed.
... so I am not using a data processor, even though they are processing
data for me.
When my 'data processor' breaches the Data Protection Act 1998 and the
Information Commissioner comes looking for me, I can now pass
responsibility back to the company processing the data for me because
they are not, by definition, a data processor, but a data controller.
When you read the guidance given by the BSI and the Information
Commissioner there are clear inconsistencies with the use of terms
processing and purpose. The quote above is a great example of how those
who serve to elucidate can confuse; either I exercise control over
processing or I don't. Why did it not say something like;
Data processors are distinguished from data controllers because they do
not determine how personal data is to be used i.e. the purposes. This
is always determined by the data controller who acquired and or provides
the personal data. Data processors may however determine the manner in
which data is processed e.g. method of storage, as part of normal
commercial realities. It remains the responsibility of the data
controller to ensure that the manner in which personal data are
processed does not compromise the security of the data.
Enough on data processors.
Duncan
-----Original Message-----
From: This list is for those interested in Data Protection issues
[mailto:[log in to unmask]] On Behalf Of Alasdair Warwood
Sent: Wednesday, February 20, 2002 5:46 PM
To: [log in to unmask]
Subject: Re: Don't use data processors!
Tim,
You are broadly right - any talk of not using processors is frankly
silly. What the third party does and is allowed to do defines whether
they are processors or controllers - think it through properly and
there will be no doubt. Whether or not the processor is also a controller
for other data is irrelevant. By trying to confuse the two concepts
you will simply multiply the number of breaches you end up committing.
Alasdair Warwood
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^