As was the case with our breach!
Doreen
-----Original Message-----
From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of Andrew Cormack
Sent: 02 October 2013 08:35
To: [log in to unmask]
Subject: Re: WP29 Opinion on data processors
Worth making sure that your contractor knows that having signed a contract as Data Processor they *can't* then independently determine purposes and means. I've come across too many situations where a contractor asserted they were a data processor, but nonetheless went off and did their own thing with the data or refused to follow the Data Controller's instructions in other ways :(
Andrew
--
Andrew Cormack
Chief Regulatory Adviser, Janet
t: +44 1235 822302
b: https://community.ja.net/blogs/regulatory-developments
Janet(UK) is a trading name of Jisc Collections and Janet Limited, a not-for-profit company which is registered in England under No.2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Oxford, Didcot, Oxfordshire, OX11 0SG. VAT No. 614944238
> -----Original Message-----
> From: This list is for those interested in Data Protection issues
> [mailto:[log in to unmask]] On Behalf Of Grimbaldus
> Sent: 02 October 2013 03:40
> To: [log in to unmask]
> Subject: Re: WP29 Opinion on data processors
>
> Surely the test in s.1(1) applies. Is the PSO "a person who
> determines the purposes for which and the manner in which any personal
> data are to be processed" [abbreviated definition]?
>
> It would seem that your PSO will "determine the purpose", so the
> question is: will it "determine the manner"?
>
> If 'yes', then the PSO is a data controller, and the supplier is a
> data processor and possibly a data controller too ... depending on the
> contract requirements.
>
> If 'no', then the PSO is not a data controller. Both requirements
> must be satisfied.
>
> That said, in general I advise my clients not to split hairs in
> determining their role (that of a data controller) and the role of a
> supplier (stated in the contract to be that of a data processor).
>
> M
>
> =====
>
> On 30 Sep 2013, at 16:20, Lawrence Serewicz
> <[log in to unmask]> wrote:
>
>
>
> Renzo and others,
>
>
>
> Thank you for the quick response with the relevant link.
>
>
>
> By contracts, I was trying to consider a situation where a public
> sector organisation would have a contract to provide a service that
> did not have the public sector organisation be a joint data controller
> at a minimum.
>
>
>
> For example, following the ICO guidance on determining whether
> someone is a data controller or a data processor, a public sector
> organisation may arrange with a supplier to deliver a service whereby
> young children, at the age of 8, are assessed for their reading
> capacity and a suitable reading plan be developed and at least 85% of
> children show an improved reading score as assessed by their
> respective schools. (completely hypothetical to illustrate the point
> that the PSO is setting very broad parameters no details on how it is
> to be achieved).
>
>
>
> The public sector organisation commissions a service provider, sets
> up a contract, and pays them to deliver the service. All that is
> asked, (drawing an extreme example) is that the supplier arrange to
> meet the targets. The handling of the reading, selecting the 8 year
> olds, assessing them, and contacting them is down to the supplier.
>
>
>
> In that relationship, would the PSO still be a data controller or at
> a minimum be a joint data controller? My reading of the ICO guidance
> is that at a minimum the PSO would be a joint data controller because
> the supplier would not be processing the personal data of the 8 year
> olds except for the contract provided by the PSO. Even though the
> supplier does all the work, and may be a data controller, because of
> their expertise and specific professional obligations (as the ICO
> guidance sets out), at a minimum, the PSO is a joint data controller.
>
>
>
> Is this correct, or is it possible in that relationship that the PSO
> is not a data controller at all?
>
>
>
> If it is a joint data controller, rather than a data controller- data
> processor arrangement, then the supplier is responsible for the
> security of the data and associated principles. However, I would still
> suggest that depending on the service being provided, ie what is being
> done with the data, it is still a data controller-data processor
> relationship rather than a data controller-data controller
> relationship.
>
>
>
> Best,
>
>
>
> Lawrence
>
> From: Marchini, Renzo [mailto:[log in to unmask]]
> Sent: 30 September 2013 15:40
> To: Lawrence Serewicz; [log in to unmask]
> Subject: RE: WP29 Opinion on data processors
>
>
>
> This one:
> http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp169_en.pdf
>
>
>
> I don’t understand the question re contracts, sorry. A contract with
> a supplier would ordinarily be one of data controller to data
> processor (and so having a supplier as a joint controller – possible,
> I admit – would be unusual and not a “minimum”.)
>
>
>
> Best
>
>
>
>
>
> Renzo Marchini
>
> Counsel
> Dechert LLP
> +44 (0) 20 7184 7563 direct
> +44 (0) 20 7184 7001 fax
> [log in to unmask] <mailto:[log in to unmask]>
> www.dechert.com <http://www.dechert.com/>
>
>
>
> From: This list is for those interested in Data Protection issues
> [mailto:[log in to unmask]] On Behalf Of Lawrence Serewicz
> Sent: 30 September 2013 15:17
> To: [log in to unmask]
> Subject: [data-protection] WP29 Opinion on data processors
>
>
>
> Dear All,
>
> I read in Rosemary Jay’s Data Protection Law and Practice p.
> 189 that the WP29 issued an opinion on determining a data processor.
> However, I cannot find the guidance note after searching. (My
> searching skills are getting rusty it would appear.)
>
>
>
> Does anyone know this opinion and if so, I would be grateful if you
> send it to me.
>
>
>
> Also, is it possible to have a contract with a supplier and to not be
> at least a joint data controller? I have read the ICO guidance and it
> would appear that if a public sector organisation has a contract with
> a supplier, that involves the processing of personal data on their
> behalf, that at a *minimum* the organisation is a joint data
> controller.
>
>
>
> Can anyone suggest a situation where a public sector organisation
> creates contracts with suppliers in which the supplier is the sole
> data controller?
>
>
>
> Any guidance, such as case law, on defining a data processor would be
> appreciated.
>
>
>
> Thanks
>
>
>
> Lawrence
>
>
> Help protect our environment by only printing this email if
> absolutely necessary. The information it contains and any files
> transmitted with it are confidential and are only intended for the
> person or organisation to whom it is addressed. It may be unlawful for
> you to use, share or copy the information, if you are not authorised
> to do so. If you receive this email by mistake, please inform the
> person who sent it at the above address and then delete the email from
> your system. Durham County Council takes reasonable precautions to
> ensure that its emails are virus free. However, we do not accept
> responsibility for any losses incurred as a result of viruses we might
> transmit and recommend that you should use your own virus checking
> procedures.
>
>
> ________________________________
>
>
> All archives of messages are stored permanently and are available to
> the world wide web community at large at
> http://www.jiscmail.ac.uk/lists/data-protection.html
>
> Selected commands (the command has been filled in below in the body
> of the email if you are receiving emails in HTML format):
>
> * Leaving this list: send leave data-protection to
> [log in to unmask]
> <mailto:[log in to unmask]&BODY=LEAVE%20data-protection>
> * Suspending emails from all JISCMail lists: send SET *
> NOMAIL to [log in to unmask]
> <mailto:[log in to unmask]&BODY=SET%20*%20NOMAIL>
> * To receive emails from this list in text format: send SET
> data-protection NOHTML to [log in to unmask]
> <mailto:[log in to unmask]&BODY=SET%20data-protection%20NOHTML>
> * To receive emails from this list in HTML format: send SET
> data-protection HTML to [log in to unmask]
> <mailto:[log in to unmask]&BODY=SET%20data-protection%20HTML>
>
> All user commands can be found at
> http://www.jiscmail.ac.uk/help/commandref.htm
> <http://www.jiscmail.ac.uk/help/commandref.htm> and are sent in the
> body of an otherwise blank email to [log in to unmask]
>
> Any queries about sending or receiving messages please send to the
> list owner [log in to unmask] <mailto:data-
> [log in to unmask]>
>
> (Please send all commands to [log in to unmask] not the list or
> the moderators, and all requests for technical help to
> [log in to unmask], the general office helpline)
>
>
> ________________________________
>
>
>
> This e-mail is from Dechert LLP, a law firm, and may contain
> information that is confidential or privileged. If you are not the
> intended recipient, please delete the e-mail and any attachments, and
> notify the sender. Dechert LLP is a limited liability partnership
> registered in England & Wales (Registered No. OC306029) and is
> authorised and regulated by the Solicitors Regulation Authority. A
> list of names of the members of Dechert LLP (who are solicitors or
> registered foreign lawyers) is available for inspection at its
> registered office, 160 Queen Victoria Street, London EC4V 4QQ.
>
>
"**********************************************************************
This email and any files transmitted with it are privileged, confidential and subject to copyright. Any unauthorised use or disclosure of any part of this email is prohibited. If you are not the intended recipient please inform the sender immediately; you should then delete the email and remove any copies from your system.
The views or opinions expressed in this communication may not necessarily be those of Scottish Borders Council.
Please be advised that Scottish Borders Council's incoming and outgoing GSX email is subject to regular monitoring and any email may require to be disclosed by the Council under the provisions of the Freedom of Information (Scotland) Act 2002. **********************************************************************"