Not sure about Tim T, but "enough on the subject" to me means that the
thread is now of such convolution that even the original poster
questions what it is all about! `:o
Perhaps if I add some flesh to the bones.
An NHS surgeon, "Bob", also has privileges to operate at a number of
private hospitals e.g. BMI, Nuffield etc. Bob is a busy man so he
hires the secretarial services from one of the private hospitals. This
secretary manages all the appointments, medical reports, test results
etc. for all of his patients who attend his outpatient clinic at the
private hospital. Other hospital staff organise and manage test
results, labs etc etc. Bob is happy.
Bob learns about the Data Protection Act.
Bob is a data controller and has duly notified as such. He also
believes that his use of the secretary constitutes the use of a data
processor and is concerned that he has acquired a lot of responsibility
for the security of some very sensitive patient identifiable
information. Particularly when he read the bit in the DPA 1998 Guidance
...
"The data controller retains full responsibility for the actions of the
data processor and so the definition of data controller has an impact on
this context"
So, if the hospital allow a breach of security, and the patient claims
compensation for damages and distress, Bob foots the bill. And it's not
likely to be a small bill either, when the whole world finds out about a
well known footballer's penile implant!
He has a better idea. The patients have a complex relationship with
both the surgeon and the hospital, both of which act as data controllers
at some point, so why not make that the case right from the start.
Bob read on and liked the sound of the bit in the DPA 1998 Guidance that
said ..
"The determination of the purposes for which, and the manner in which,
any personal data are, or are to be, processed does not need to be
exclusive to one data controller. Such determination may be shared with
others."
Great; right from the outset all Bob's patients are informed that their
personal data belongs to both Bob and the private hospital, each of whom
are fully notified data controllers who can determine (in common) the
purposes for which any personal data are processed.
Now, when Posh learns the truth from the back pages of the Sun because a
hospital secretary left a report where it should not have been, Bob's in
the clear. Or is he?