John wrote ..
"The question of joint data controllers then raises the issue to which
Duncan refers as to whether one of the joint controllers can process the
data for an a purpose independent of the joint arrangement"
Of course they can and do (that's commercial reality), but Ian's point
is well taken ..
"In my opinion the determination of the structure under which x and y
should work is entirely down to x and y, provided the structure is DP
compliant and the data subjects are, where necessary, aware."
When Y takes a unilateral course of action and uses the data for
something that poor old student Z knew nothing about, the looser is of
course the data subject. Much howling then ensues between X and Y about
who should have put what words on what forms, and why someone didn't
tell someone else about this malodorous use of student data!
Sooooooooo, registering the Alliance as a data controller (as suggested
by Tim) seems to me to be a non-starter in this case, BUT acting as a
single data controller (with all the appropriate convergent thought
processes) clearly is the right way!
Boy am I looking forward to next week.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|