Hi Judith -
Most offsite box storage companies will have clients such as hospitals
etc. - the majority of whose records will comprise extremely 'sensitive'
data i.e. living patients' full medical files. Unless the company are
doing file level retrievals for you surely there should be no need for
their employees to look in any boxes anyway. This seems a very strange
clause and I quite agree that there is no way you can guarantee that you
won't store 'sensitive' data with them. In fact if you did I'm sure
there wouldn't be much point in having the contract!
All of their staff should be vetted and all should sign confidentiality
clauses. However I am assuming that the company does not know what your
boxes contain. I assume you just give them a reference and they pull
the box?
Kind regards,
Lucy
Lucy Burrow
Records Manager
University of Wales Aberystwyth
-----Original Message-----
From: This list is for those interested in Data Protection issues
[mailto:[log in to unmask]] On Behalf Of Judith Oak
Sent: 17 September 2003 10:52
To: [log in to unmask]
Subject: [data-protection] Archiving Personal Data
Dear All
I have a problem I'd really appreciate some help with. I'm new to the
list
so please be gentle with me!
I am reviewing some Ts&Cs from our offsite archiving company and they
have
added a Data Protection clause (new since the previous version of Ts&Cs
we
signed up to) which says:
"The parties acknolwedge that the Company may have access to "Personal
Data" .. in providing the Services .. The Customer warrants that the
Personal Data is not Sensitive Personal Data .. and that it has all
necessary consents and authorisations for the Company to process
Personal
Data in the manner and for the purposes ... in accordance with the terms
of
this Agreement".
I have no doubt we will be archiving personal data and some of that
personal data may well be sensitive. I can't possibly allow my company
to
warrant that it isn't. I know that archiving is "processing" under DPA.
But surely companies must be allowed to archive sensitive personal data
without having to obtain consent? Is the archive box even a "relevant
filing system"? Should I ask for a warranty from them that they won't
look
in the boxes?!
I'm at a loss at to what to do about it and hope someone out there can
give
me some guidance!
Thanks very much
Judith
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
http://www.jiscmail.ac.uk/help/commandref.htm
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
http://www.jiscmail.ac.uk/help/commandref.htm
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|