With the globalisation of trade 'Groups of companies' can now comprise of several hundred legal entities incorporated for multiple purposes.
Given the DPA makes no recognition of a 'group' but only individual legal entities would we agree that the by default, in the absence of any fair obtaining notice, no personal data sharing across a group should occur.
If the executive board of the parent company in a Group fail to have a policy on cross group data sharing protocols (ie none should occur without evidence of fair obtaining notice delivery) and adequately empower an information security function with being able to veto any data sharing across the individual legal entities where fair obtaining notices are inadequate have they applied appropriate security?
Is a data subject entitled to any evidence of security measures employed from the data controller to whom he gives personal data to enable inappropriate security to be determined?.
Discuss
David Wyatt
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving message please send to the list owner
[log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|