What does the contract say about who is the DC and who advises whom?
In terms of notifying employees, I would suggest a "statement of the facts" letter from their employer and, if and only if the voucher company is the/a DC, it be accompanied by an explanatory letter from them. Any costs (e.g. credit monitoring, if offered) should fall upon the DC.
M
Sent from my iPad
> On 11 Nov 2015, at 09:39, Mike Whitehead <[log in to unmask]> wrote:
>
> A Wednesday morning question for the collective.
> The council has an arrangement with a company to provide child care vouchers on behalf of its staff.
> The process works as follows: the council makes known to staff that child care vouchers are available and if they are interested to contact this particular company. Staff who contact this company are set up with an account with them; the admin for producing and sending out the vouchers is done by them, with the council playing no part in its day to day administration; however, the company, when the voucher scheme is up and running, contacts the council's payroll department in order that deductions can be made from the salaries of those participating.
>
> There has been a recent data incident whereby the company administering the voucher scheme mistakenly sent the details of 92 members of staff: Name, Employee Number, NiNo, salary band and Tax Code, to the wrong payroll department. We have established that the incident was reported by the payroll department, erroneously in receipt of the data, immediately to the voucher company who in turn immediately notified us. The data has now been thoroughly deleted from the payroll company's account.
> Questions:
> We consider the voucher company to be a data controller in its own right. Are there any views to the contrary?
> Although contained, whose responsibility would it be to notify the ICO in this instance: the voucher company as data controller (assuming you agree with this) or the council, who has a duty to its staff?
> Similarly the 92 members of staff: should they be told by the voucher company or the council?
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> All archives of messages are stored permanently and are
> available to the world wide web community at large at
> http://www.jiscmail.ac.uk/lists/data-protection.html
> If you wish to leave this list please send the command
> leave data-protection to [log in to unmask]
> All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
> Any queries about sending or receiving messages please send to the list owner
> [log in to unmask]
> Full help Desk - please email [log in to unmask] describing your needs
> To receive these emails in HTML format send the command:
> SET data-protection HTML to [log in to unmask]
> (all commands go to [log in to unmask] not the list please)
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^