Hi Duncan
I know you were hoping for this to be the last word but I have to comment
on your idea of using the term "data controllers in common" to describe a
relationship with an organisation you use to do processing for you.
The status of the relationship is not determined by the title you give it
in the contract but is what it is, as it were, no matter what you call it.
It is the purposes for which the data in question are processed that
determine the nature of the relationship between yourself and the other
body, and no matter what your contract says I think you may find this is
the way it would be viewed in the courts.
I think you should perhaps look at what kind of contracts you are drawing
up (especially if any sensitive data is involved) and maybe think again
about the safeguards you are taking about data another organisation is
processing on your behalf.
Cheers
Colette Healiss
IT Strategy and Regulation
St Helens Council
Duncan Smith <[log in to unmask]>
Sent by: This list is for those interested in Data Protection issues <data-protection@JISCMAIL.AC.UK>
27/02/2002 18:15
Please respond to Duncan Smith
To: [log in to unmask]
cc:
Subject: Re: Don't use data processors!
Alasdair,
A last word on data processors!?
I agree when you say ..
"You can't evade your responsibilities by calling a processor a
controller - the test is the terms governing the processing",
... but could you not limit your responsibility by setting up your
contracts carefully?
Instead of utilising a data processor, I ensure that any processing of
personal data I want done by someone else is done as a data controller
in common. I take all necessary steps with regard to 'fair processing
information' and inform data subjects that their data will be passed to
another data controller, and accept the fact that 'my' personal data
once transferred to the other data controller can be used for whatever
purpose they determine.
As the BSI guide points out ..
Data processors are distinguished from data controllers because
they do not exercise control over the way in which the personal data
they handle is processed. They do not determine the purposes for
which data is processed although they may to a certain extent
determine the manner in which the data is processed.
... so I am not using a data processor, even though they are processing
data for me.
When my 'data processor' breaches the Data Protection Act 1998 and the
Information Commissioner comes looking for me, I can now pass
responsibility back to the company processing the data for me because
they are not, by definition, a data processor, but a data controller.
When you read the guidance given by the BSI and the Information
Commissioner there are clear inconsistencies with the use of terms
processing and purpose. The quote above is a great example of how those
who serve to elucidate can confuse; either I exercise control over
processing or I don't. Why did it not say something like;
Data processors are distinguished from data controllers because they do
not determine how personal data is to be used i.e. the purposes. This
is always determined by the data controller who acquired and or provides
the personal data. Data processors may however determine the manner in
which data is processed e.g. method of storage, as part of normal
commercial realities. It remains the responsibility of the data
controller to ensure that the manner in which personal data are
processed does not compromise the security of the data.
Enough on data processors.
Duncan
-----Original Message-----
From: This list is for those interested in Data Protection issues
[mailto:[log in to unmask]] On Behalf Of Alasdair Warwood
Sent: Wednesday, February 20, 2002 5:46 PM
To: [log in to unmask]
Subject: Re: Don't use data processors!
Tim,
You are broadly right - any talk of not using processors is frankly
silly. What the third party does and is allowed to do defines whether
they are processors or controllers - think it through properly and
there will be no doubt. Whether or not the processor is also a controller
for other data is irrelevant. By trying to confuse the two concepts
you will simply multiply the number of breaches you end up committing.
Alasdair Warwood
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^