Fellow Thinkers
This is a topic that I have raised on more than one occasion with the group, but as we have just completed a series of audits of security departments, both in the public and private sectors, I thought I would share my thoughts with you and seek your input.
Most of the organisations that we audited outsourced some or all of their security functions. Now security is all about people and as soon as you get people you get information about people and you come within the realms of the Data Protection Act, i.e. the processing of personal data. None of the organisations that we audited had in place the Data Protection clause in their contracts with the security companies to whom they had outsourced their processing. None of the persons interviewed who were employed by these security companies:
a) Could tell us who was the Data Protection Officer of the company they were helping to protect;
b) Knew how a Data Subject would go about making a subject access request;
c) Had little or no knowledge of the Data Protection Act.
All this despite the fact that they were processing some or all of the following:
CCTV images
Access Control, both manual and automatic
Investigations/enquiries
None of these operatives had any training in Data Protection or anything remotely related to it. The vast majority of the organisations audited had a Data Protection Officer, or someone who had responsibility for Data Protection. None of the Data Protection Officers interviewed had ever discussed, or considered discussing, the Data Protection issues with their security department. The vast majority of those interviewed thought that Data Protection was a Human Resources issue and did not concern anyone else within their organisation.
Just a few interesting points I wanted to share with you. Now let me ask you the following. If a contract with an organisation to whom the processing of personal data is outsourced, i.e. a security company, does not have within that contract the Data Protection clause, does it mean that the legal entity of Data Controller/Data Processor has not been created? If the answer to that is no, then what condition under Schedule 2 would the security company that is processing the personal data have satisfied in order to do that processing? If the relationship of Data Controller/Data Processor hasn't been lawfully created, then doesn't that put the Data Controller in breach of the 7th Principle, i.e. the personal data for which the Data Controller is responsible is now in the possession of someone who has no justification or authority for having it?
Can I suggest that you might want to visit your security department and just check what, if anything, they are doing about the Data Protection Act. While you are at it, you might also like to visit your Revenues Department to see if they have in place the contractual agreement with the organisation to whom they outsource the revenue collection, i.e. debt collectors, bailiffs, solicitors, etc.
Remember, the Act is quite clear in stating that the contract between Data Controller and Data Processor must be "evidenced in writing". I would welcome your views.
Chris Brogan
www.securitysi.com
SECURITY INTERNATIONAL LTD
130 St John's Road, Isleworth TW7 6PL, United Kingdom
Tel: +44 (0)20 8847 2111
Fax: +44 (0)20 8847 1852
Email: [log in to unmask]
Registered Office: 7-9 Swallow Street, London W1R 8DT
Registered No:1322074