As you know, sought guidance from Jonathan Bamford over the recent letter
from YJB to YOT – that IOC required them to notify. My original guidance to
YOT manager took account of:
1. The 'Guidance for Youth Offending Teams on Information Sharing' issued
by YJB in March 2001: Within the meaning of the 1998 Data Protection Act
the Youth Offending Team Manager is the Data Controller. This results from
his or her ability to decide how personal data is to be handled, to enter
into contracts with others on behalf of the Team and because of his/her
responsibility for the YOT’s budget.
2. This definition of a data controller is at odds with DPA1998: "data
controller" means, subject to subsection (4), a person who (either alone or
jointly or in common with other persons) determines the purposes for which
and the manner in which any personal data are, or are to be, processed;
3. Crime & Disorder Act 1998 requires the ‘responsible authority for a
local government area’ to undertake crime audit, formulate and implement
strategy for the reduction of crime and disorder.
4. Other appropriate statutory & voluntary bodies may be invited to assist
in this process by becoming participants in partnership working.
5. On this basis the purposes for which and the manner in which any
personal data are, or are to be, processed remains with the responsible
authority (i.e. local council and chief officer of police) who are data
controllers (possibly along with other partners).
The reply from Peter E Clarke (Compliance Manager) on behalf of Jonathan
Bamford states: “I have spoken to Jonathan Bamford on the advice previously
given on this subject. That advice was given on the premise that a Youth
Offending Team was a legal entity in its own right and as such required
notification and a data controller. That position remains unaltered.
However should a YOT not be a legal entity, a status that must be decided
by the organisation or local authority itself, then the data controller may
very well be the local authority. Depending on the contribution to or make-
up of a particular YOT, there might be cases where more than one body is
responsible, resulting in joint data controllers existing. Should an
outside body be the data controller, then an amendment to notification
would have to be addressed where necessary.”
That’s as clear as mud then!!! Doesn’t ease the position on other multi-
agency working either. Surely if YOT really IS the legal entity its also
the data controller – rather than requiring one as Peter suggests or the
YOT manager being one as YLB suggests?
Not making any changes to current position for the time being as can't be
bothered to think about it anymore!
Kirsty E Gray
Information Rights Officer
Gateshead Council
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|