Hi Mike,
I agree, the voucher company does appear to be the data controller. They are using the personal data supplied to them for their own purposes not yours or a shared purpose.
Following on from that, it would be the voucher company's responsibility to notify. Saying that, if there was a serious breach and you were aware that the company was not going to notify, I don't believe there would be any reason why you couldn't instead.
For your last point, just in my opinion, either both of you separately or a joint notification should be considered. Rightly or wrongly, when you're talking about deductions from payroll, some employees will not make the distinction between the company and the council and I suspect many will expect to know what the council's response to the incident will be.
Regards,
Andrew Goodfellow-Swaap
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|