Duncan
From your scenario my view would be that Bob is not in the clear; he is simply
gambling that he is not the chosen target controller.
As all data controllers have to comply with all principles then all Posh's
mate has to do is select Bob as data controller responsible instead of the
hospital as another controller. Bob as a data controller cannot abdicate
responsibility for security. He should have been prudent to cover potential
losses by contracting with the hospital to be his processor so he can claim
back his losses from them. Clearly if security failed at least one data
controller is responsible. Whether a data subject can sue for the same loss
from two controllers would need a lawyer's view. The Act itself appears to
allow it.
David Wyatt
> -----Original Message-----
> From: This list is for those interested in Data Protection issues
> [mailto:[log in to unmask]]On Behalf Of Duncan Smith
> Sent: 01 March 2002 13:42
> To: [log in to unmask]
> Subject: Re: Don't use data processors!
>
>
> Not sure about Tim T, but "enough on the subject" to me means that the
> thread is now of such convolution that even the original poster
> questions what it is all about! `:o
>
> Perhaps if I add some flesh to the bones.
>
> An NHS surgeon, "Bob", also has privileges to operate at a number of
> private hospitals e.g. BMI, Nuffield etc. Bob is a busy man so he
> hires the secretarial services from one of the private hospitals. This
> secretary manages all the appointments, medical reports, test results
> etc. for all of his patients who attend his outpatient clinic at the
> private hospital. Other hospital staff organise and manage test
> results, labs etc etc. Bob is happy.
>
> Bob learns about the Data Protection Act.
>
> Bob is a data controller and has duly notified as such. He also
> believes that his use of the secretary constitutes the use of a data
> processor and is concerned that he has acquired a lot of responsibility
> for the security of some very sensitive patient identifiable
> information. Particularly when he read the bit in the DPA 1998 Guidance
> ...
>
> "The data controller retains full responsibility for the actions of the
> data processor and so the definition of data controller has an impact on
> this context"
>
> So, if the hospital allow a breach of security, and the patient claims
> compensation for damages and distress, Bob foots the bill. And it's not
> likely to be a small bill either, when the whole world finds out about a
> well-known footballer's penile implant!
>
> He has a better idea. The patients have a complex relationship with
> both the surgeon and the hospital, both of which act as data controllers
> at some point, so why not make that the case right from the start.
>
> Bob read on and liked the sound of the bit in the DPA 1998 Guidance that
> said ...
>
> "The determination of the purposes for which, and the manner in which,
> any personal data are, or are to be, processed does not need to be
> exclusive to one data controller. Such determination may be shared with
> others."
>
> Great; right from the outset all Bob's patients are informed that their
> personal data belongs to both Bob and the private hospital, each of whom
> are fully notified data controllers who can determine (in common) the
> purposes for which any personal data are processed.
>
> Now, when Posh learns the truth from the back pages of the Sun because a
> hospital secretary left a report where it should not have been, Bob's in
> the clear. Or is he?
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> All archives of messages are stored permanently and are
> available to the world wide web community at large at
> http://www.jiscmail.ac.uk/lists/data-protection.html
> If you wish to leave this list please send the command
> leave data-protection to [log in to unmask]
> All user commands can be found at : -
> www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
> (all commands go to [log in to unmask] not the list please)
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^