Ultimately the Data Controller has the responsibility for all these things,
but the Data Processor has a specific legal responsibility to provide
adequate security. Part II of Schedule 1 to the Act says (and they don't
exactly make this easy to find):
"Where processing ... is carried out by a data processor ... the data
controller is not to be regarded as complying with the seventh principle
[security] unless ... the processing is carried out under a contract ... and
the contract requires the data processor to comply with ... the seventh
principle."
It would be interesting to see a copy of the contract between TV licensing
and each electrical retailer in the country. On the assumption that such a
thing doesn't exist, if I pay cash for a TV and the shop demands my address
(because the law says they must), they must be a Data Controller in their
own right and they would have to be able to show that their actions complied
with all eight principles, not just security. I think I can see how they
would comply with Principle 1 (Schedule 2, third condition - legal
obligation) and Principle 2 (as long as they specify the purpose), but if
they collect false information they are not complying with Principle 4. In
that case, someone who ended up being fined or hassled wrongly could claim
damages against the shop. (Principle 4 says that personal data 'shall' be
accurate, full stop. Not 'as accurate as you can make it'.)
Paul Ticher
0116 273 8191
22 Stoughton Drive North, Leicester LE5 5UB
I hereby require any recipient of this message not to use my personal data
for direct marketing purposes.
----- Original Message -----
From: "Roland Perry" <[log in to unmask]>
To: <[log in to unmask]>
Sent: Friday, January 11, 2008 11:32 AM
Subject: Re: Buying a TV - who is the data contoller
> In message
> <[log in to unmask]>,
> at 11:05:29 on Fri, 11 Jan 2008, Lee Gardiner <[log in to unmask]>
> writes
>>Surely the shop would be classed as a Data Processor on behalf of the TV
>>Licensing Authority who they are collecting the data for?
>
> If that's the case, which has the greater responsibility for ensuring
> accuracy, correcting mistakes and keeping it safe? After all, we don't
> want the shop posting the data on a couple of unencrypted CDs, do we :)
>
> And what if identical data also appears in the shop's own database as a
> record of the sale (rather than being sent to TVL somehow without touching
> the sides)?
>
> I don't particularly want to point a finger at any particular electrical
> shed, but I'm sue we've all shopped at ones which insist they *must* have
> a name and address before they can sell us anything, let alone a TV.
> --
> Roland Perry
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> All archives of messages are stored permanently and are
> available to the world wide web community at large at
> http://www.jiscmail.ac.uk/lists/data-protection.html
> If you wish to leave this list please send the command
> leave data-protection to [log in to unmask]
> All user commands can be found at
> http://www.jiscmail.ac.uk/help/commandref.htm
> Any queries about sending or receiving messages please send to the list
> owner
> [log in to unmask]
> Full help Desk - please email [log in to unmask] describing your
> needs
> To receive these emails in HTML format send the command:
> SET data-protection HTML to [log in to unmask]
> (all commands go to [log in to unmask] not the list please)
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|