Data Controllers are *responsible* - for the selection, implementation and operation of appropriate controls. The issue revolves around accountability ... to the regulator and to Data Subjects.
In the past year I have advised on and dealt with several 'incidents' that led to complaints to the ICO, ranging from tens of thousands of inaccurate records caused by a systemic error (awaiting decision) to one about three letters erroneously inserted in a mailing where the only personal data were names and addresses ("non-compliant").
The determination and measure of an *incident* is not wholly within the Data Controller's control.
The determination and measure of a "breach" of the Act/Regulations (i.e., a "non-compliance") lies with the ICO.
Regards - Michael Bacon
Grimbaldus Limited
> On 30 Jan 2015, at 11:59, Jonathan Baines <[log in to unmask]> wrote:
>
> You're adopting my "ad absurdum" argument ;-)
>
> My theoretical rogue employee has had training, but has chosen to ignore it. He knows there is a policy requiring encryption of all portable hardware, and banning sending it in the post, but has chosen to ignore that too.
>
> If data controllers were responsible for every data security incident because the mere fact an incident happened meant there had been a failure of controls, then DPP7 (and the interpretative guide in Part II of Sch.1) would be rendered absurd.
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> All archives of messages are stored permanently and are
> available to the world wide web community at large at
> http://www.jiscmail.ac.uk/lists/data-protection.html
> If you wish to leave this list please send the command
> leave data-protection to [log in to unmask]
> All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
> Any queries about sending or receiving messages please send to the list owner
> [log in to unmask]
> Full help Desk - please email [log in to unmask] describing your needs
> To receive these emails in HTML format send the command:
> SET data-protection HTML to [log in to unmask]
> (all commands go to [log in to unmask] not the list please)
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^