If you commission a service, you can specify as part of the required outputs
that the other party/ies communicate with you securely. If they don't, they
don't get paid. If you didn't specify that, and your contract was silent on
the subject of secure communication, then it's not entirely their fault.

I assume the external organisations are the Data Controllers until the data
reaches you; in that case any data loss would be their responsibility. You
can advise them on good practice if you wish, of course, but the judgement
is theirs, and they are entitled to make a different judgement from yours.

Encryption is only required when the consequences of data loss could be
severe, either because of the nature or quantity of the data.

If you feel that any data loss would be your responsibility, then you are
treating them as Data Processors, and your initial contract should have made
this explicit (provided their processing is genuinely on your behalf).

This is the kind of situation that is bound to arise more frequently as the
government encourages, and even forces, statutory agencies to outsource more
and more of their core functions. If they don't get the contracts right,
all sorts of bad things will happen. You heard it here first (probably
not).

Paul Ticher
0116 273 8191
22 Stoughton Drive North, Leicester LE5 5UB
----- Original Message -----
From: "Michelle Peel" <[log in to unmask]>
To: <[log in to unmask]>
Sent: Friday, October 01, 2010 1:22 PM
Subject: Legal basis for not sharing personal data via (unsecure) email
Hi everyone,

Hope someone can help me.

As standard practice it is not recommended for people to exchange personal
data via unsecure email. We know that the health sector absolutely forbid
this, and it is practice that is maintained within our multi-agency Children
and Young People's Service. (We're in the process of getting everyone to
sign up to secure email on nhs.net and gcsx.gov.uk but that's another
story...)

Our current problem concerns the private, voluntary and independent sector.
We have recently commissioned some organisations to provide services via a
Family Engagement Services Project, and our Commissioning Team are provided
with information about how the services operate, which includes some
personal data of the service users (for which they are consenting the
sharing).

The problem is that some of this information is being sent over unsecure
email despite our guidance not to.

Can anyone tell me the best piece of legislation to quote to tell them they
are in breach of a law, or is this simply guidance? I suspect there is
something in the Data Protection Act that we can use, but I couldn't see for
looking!

Thank you in advance!

Michelle Peel
Information Governance Manager
Trafford Children and Young People's Service
Service Development Team
Cherry Manor Centre
Cherry Lane
Sale
Cheshire
M33 4GY
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at
http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving messages please send to the list
owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your
needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^