Sarah is right. This is obviously a case of the data processor letting you
know they do not have the facilities for securing sensitive data (remember the
security measures must be "appropriate") and asking you to confirm you will
not require them to meet the higher level of security.
This is an unusual approach on the part of both parties to such a contract.
If I was seeking an archiving facility off site I would first draw up a list
of the security measures I want for my data and then offer it to tenders - I
would not allow the archiving company to set the agenda. I have to remember I
am the data controller with the legal responsibilities (most disclaimers and
indemnities are pointless when it comes to DPA issues) and it is up to me to
dictate the terms of any processing contract. Gone are the days when a contract
can say "both parties agree to meet their legal requirements under the DPA"
because data processors do not have any.
Ian B
Ian Buckland
Managing Director
Keep IT Legal Ltd
Please Note: The information given above does not replace or negate the need
for proper legal advice and/or representation. It is essential that you do not
rely upon any advice given without contacting your solicitor. If you need
further explanation of any points raised please contact Keep I.T. Legal Ltd at
the address below:
55 Curbar Curve
Inkersall, Chesterfield
Derbyshire S43 3HP
(Reg 3822335)
Tel: 01246 473999
Fax: 01246 470742
E-mail: [log in to unmask]
Website: www.keepitlegal.co.uk
----
Original message:
In a message dated 18/09/03 09:40:45 GMT Daylight Time, [log in to unmask]
wrote:
> Contractual issues aside, I'm not sure that as a data subject I'd be
> entirely happy with my sensitive data being shipped to a 3rd party, where
> access is pretty much out of the hands of the data controller. It sounds as
> though the storage company is telling you (indirectly) that it can't
> guarantee the data won't be accessed by its personnel.
>
> Are your data subjects fully aware that their sensitive data may be passed
> to a third party? I'm not sure I would consent to this if asked, and I
> certainly wouldn't recommend to my own employer that they store this type
> of information offsite. If space is a problem I'd look at media conversion
> (e.g. microfilming).
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^