While you may well be right, I PERCEIVE that I have this right as a data
subject. I would still make life so difficult for a person who indulged in
weasel contracts that they would regret attempting it, where my own data was
concerned :). The amount of cash I can cost an organisation as a data
subject is immense, and job tenure flies out of the window at that point.
The letter of the law and the spirit of the law are two very different
items, and we have yet to have serious case law to advise us, I think.
-----Original Message-----
From: Dave Wyatt [mailto:[log in to unmask]]
Sent: 28 February 2002 23:42
To: Trent,Tim
Cc: Mailbase
Subject: RE: Don't use data processors!
Tim
Regards comment.
> What do you do if your data subjects REFUSE to allow you to pass
> their data to a third party? They have the right to do this, and I, if
> one of your data subjects would exercise that right.
Not quite factual. If I as a data subject can make a case for damage likely
to occur from such disclosure I can raise an objection to the processing
(disclosure). This is Section 10 of the Act which has qualifications. This
right does not apply to processing legitimised by claiming one of the
Schedule 2 processing conditions 1 to 4. As a general rule many data
subjects are unlikely to have a right to prevent disclosure by a
controller. But I do have to be informed of the potential recipients or
categories of recipients. If I am not informed the disclosure can be argued
as unlawful.
The term 'data controller' only exists in relation to the data subject.
Every data controller has to have some relationship with the data subject
and advise them why they hold their data. A processor does not.
David Wyatt
> -----Original Message-----
> From: This list is for those interested in Data Protection issues
> [mailto:[log in to unmask]]On Behalf Of Trent,Tim
> Sent: 28 February 2002 09:02
> To: [log in to unmask]
> Subject: Re: Don't use data processors!
>
>
> I love it when someone says "last word" and "enough on the
> subject". To me
> it has an amusing significance.
>
> What do you do if your data subjects REFUSE to allow you to pass
> their data
> to a third party? They have the right to do this, and I, if one of your
> data subjects would exercise that right.
>
> Interestingly your proposed "Data Controllership in Common"
> strikes me as an
> entity in its own right which should be registered under the act,
> and have a
> separate registration since it is neither you nor the other party as Data
> Controller, but the new "joint entity".
>
> You cannot evade or weasel your way out of your responsibilities as a data
> controller by clever and smart contracts. By seeking to do so,
> and by being
> extra clever in this way I suspect what you do is attract a closer
> investigation when the time comes. It will make an interesting test case
> and create amusing precedents in the courts. I can think of more pressing
> things to claim business attention than trying to evade responsibilities.
> One of those is to prove and show that one's organisation is in the
> forefront of implementation of the legal requirements and is unafraid to
> take its responsibilities seriously.
>
> _____________________________________________________________
> Tim Trent
> Chief Privacy Officer EMEA
> Gartner
> EMEA Marketing, Tamesis, The Glanty, Egham, Surrey, United Kingdom,
> TW20 9AW
> Switchboard +44 (0)1784 431 611, Direct Line +44 (0)1784 267 335,
> Mobile +44
> (0)7710 126 618
> Visit our home on the web: http://www.gartner.com
>
> The opinions expressed in this message are my own, and may or may not
> reflect those of my employer. They are expressed as a part of the
> discussion on the JISCMail mailing list on data protection and
> for no other
> purpose. They have no legal standing and are offered as part of informed
> and informal discussion. They may NOT be attributed to Gartner
> in any way.
> Any personal data provided is provided expressly for use of discussions on
> the JISCMail Data Protection Discussion list. Under the UK Data
> Protection
> Act 1998 I expressly forbid any individual or organisation to make
> commercial use of my data published either on the email list or in the
> archives of that or other lists whether this message appears or not. This
> includes messages already published in the archives.
>
>
> -----Original Message-----
> From: Duncan Smith [mailto:[log in to unmask]]
> Sent: 27 February 2002 18:16
> To: [log in to unmask]
> Subject: Re: Don't use data processors!
>
>
> Alasdair,
>
> A last word on data processors!?
>
> I agree when you say ..
>
> "You can't evade your responsibilities by calling a processor a
> controller - the test is the terms governing the processing",
>
> ... but could you not limit your responsibility by setting up your
> contracts carefully.
>
> Instead of utilising a data processor, I ensure that any processing of
> personal data I want done by someone else is done as a data controller
> in common. I take all necessary steps with regard to ‘fair processing
> information’ and inform data subjects that their data will be passed to
> another data controller, and accept the fact that 'my' personal data
> once transferred to the other data controller can be used for whatever
> purpose they determine.
>
> As the BSI guide points out ..
>
> Data processors are distinguished from data controllers because
> they do not exercise control over the way in which the personal
> data
> they handle is processed. They do not determine the purposes for
> which data is processed although they may to a certain extent
> determine the manner in which the data is processed.
>
> ... so I am not using a data processor, even though they are processing
> data for me.
>
> When my 'data processor' breaches the Data Protection Act 1998 and the
> Information Commissioner comes looking for me, I can now pass
> responsibility back to the company processing the data for me because
> they are not, by definition, a data processor, but a data controller.
>
> When you read the guidance given by the BSI and the Information
> Commissioner there are clear inconsistencies with the use of terms
> processing and purpose. The quote above is a great example of how those
> who serve to elucidate can confuse; either I exercise control over
> processing or I don't. Why did it not say something like;
>
> Data processors are distinguished from data controllers because they do
> not determine how personal data is to be used i.e. the purposes. This
> is always determined by the data controller who acquired and or provides
> the personal data. Data processors may however determine the manner in
> which data is processed e.g. method of storage, as part of normal
> commercial realities. It remains the responsibility of the data
> controller to ensure that the manner in which personal data are
> processed does not compromise the security of the data.
>
> Enough on data processors.
>
> Duncan
>
> -----Original Message-----
> From: This list is for those interested in Data Protection issues
> [mailto:[log in to unmask]] On Behalf Of Alasdair Warwood
> Sent: Wednesday, February 20, 2002 5:46 PM
> To: [log in to unmask]
> Subject: Re: Don't use data processors!
>
>
> Tim,
> You are broadly right - any talk of not using processors is frankly
> silly. What the third party does and is allowed to do defines whether
> they are processors or controllers - think it through properly and
> there will be no doubt. Whether or not the processor is also a controller
> for other data is irrelevant. By trying to confuse the two concepts
> you will simply multiply the number of breaches you end up committing.
>
> Alasdair Warwood
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> All archives of messages are stored permanently and are
> available to the world wide web community at large at
> http://www.jiscmail.ac.uk/lists/data-protection.html
> If you wish to leave this list please send the command
> leave data-protection to [log in to unmask]
> All user commands can be found at : -
> www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
> (all commands go to [log in to unmask] not the list please)
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>