Some observation on Legal relationships on controllers and employees
All employees are recipients. See definition in section 70.
All employees work for an employer. In this context in the absence of any
indication to the contrary all personal data captured by an employee is the
responsibility of the employer. The employer is the data controller
responsible.
The employer could dis-inherit the data by arguing an employee has committed
a section 55 offence as they did not authorise their employee to obtain such
data for them, they would of course have to return it to its owner and
delete it from their systems including the backups if in a computer. (Not
easy if you think about it given the way back-ups for system protection
operate in corporate set ups). The individual can then only defend
themselves as a processor but would need to wave the contract evidencing
this to conclusively prove.
Employee beware, who would wish to work for such an employer. Training we
have given to employees on their personal liability under the Act on section
55 is to ensure they have clear authority from their employer before
collecting data and ensure they identify on whose behalf they are collecting
it. If not they need to be aware they may be exposing themselves for
criminal offences as managers may not necessarily be supporting them given
their first priority is to the company.
If the employer being the NHS permits its employees to work for Private
consultants also then it should be educating its employees on their
potential criminal exposure. This is related to obligations on employers
under employment laws.
I must admit this NHS scenario, if real, would be an eye-opener for me as a
private sector employee. If NHS as employer is exposing its employees in
this manner I can see why morale would be poor. Why would NHS management
permit this, I thought the argument was the NHS was under resourced, not
that it had spare resources to loan to other employers such as private
consultants.
David Wyatt
> -----Original Message-----
> From: This list is for those interested in Data Protection issues
> [mailto:[log in to unmask]]On Behalf Of Medical Records Mgr
> - Kathy Perkins
> Sent: 04 March 2002 09:36
> To: [log in to unmask]
> Subject: Re: Don't use data processors!
>
>
> In the private sector, particularly in London, the secretary is directly
> employed by the consultant (who is a data controller). If, and I repeat
> if, there is a contract of employment between the consultant and the
> secretary then the confidentiality of data should be an integral part of
> that contract and therefore is accountable for any breach of
> confidentiality.
>
> However, not all private secretaries have contracts of employment (or at
> least, not up to date ones)
>
> I suppose the picture can be muddied if the consultant's secretary is
> working in an NHS hospital but also doing private practice work during her
> 'spare time'or 'after hours'
>
> Kathy Perkins
> Medical Records Manager
> The London Clinic
>
>
>
> -----Original Message-----
> From: Duncan Smith [mailto:[log in to unmask]]
> Sent: 01 March 2002 16:19
> To: [log in to unmask]
> Subject: Re: Don't use data processors!
>
>
> No. The secretary - hired by Bob - is an employee and neither a
> controller
> nor a data processor.
>
> Sorry Ian, the secretary is an employee of the hospital in most cases.
>
> By the way, some consultants do place their own employees into the
> hospital to operate as secretaries. They are bound to use the
> facilities provided for them, and if that includes an unsecured mail
> room, how the plot thickens.
>
> Duncan
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> All archives of messages are stored permanently and are
> available to the world wide web community at large at
> http://www.jiscmail.ac.uk/lists/data-protection.html
> If you wish to leave this list please send the command
> leave data-protection to [log in to unmask]
> All user commands can be found at : -
> www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
> (all commands go to [log in to unmask] not the list please)
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
>
> This email, together with any attachments, is for the exclusive and
> confidential use of the addressee(s) and may contain legally privileged
> information. If you have received this message in error please notify the
> sender by email immediately and delete the message from your computer
> without making any copies.
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> All archives of messages are stored permanently and are
> available to the world wide web community at large at
> http://www.jiscmail.ac.uk/lists/data-protection.html
> If you wish to leave this list please send the command
> leave data-protection to [log in to unmask]
> All user commands can be found at : -
> www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
> (all commands go to [log in to unmask] not the list please)
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|