It's the specifics of the service and relationship that matter when deciding how much of the means is left to the contractor, and others have raised some valid points. I would suggest looking at whether the assessors are regulated health care professionals and how much of the service (if any) involves the sort of assessment and decision making akin to an occupational health service.
I don't know about who the subject should/could claim against, but in this situation it's also perhaps of note that the subject seems to have a direct relationship with the DSE assessment contractor.
Dan
-----Original Message-----
From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of Clay Garland
Sent: 04 April 2019 18:04
To: [log in to unmask]
Subject: Re: [data-protection] Joint Controller or Separate Controllers?
Hi Claire & all,
I am not sure how this could be conceived of as a controller-controller relationship, as that phrase is usually used to describe a situation where two controllers use data for different purposes. Regardless of whether or not the DSE supplier is a processor, there is only one purpose here - i.e. carrying out a DSE assessment for employees. So this is either a joint controller relationship or a controller-processor relationship.
There are several factors which could indicate which it is, many of which people have already covered. I'm less convinced by arguments revolving around "professional expertise" because the expertise in carrying out a DSE assessment is in no way comparable to that of a doctor or lawyer. Owen's comments about the DSE assessment process being largely directed by HSE requirements are relevant here too - if the employer has merely hired the supplier to follow a fairly standard set of instructions (even if those instructions are produced by someone else - the HSE) then it's hard to see how the supplier could be said to have any significant role in determining the means of processing.
Also, I'm not a lawyer (so take this with a pinch of salt) but my understanding is that should an employee wish to claim damages stemming from a failure to carry out the DSE assessment properly, they would claim against the employer, not the supplier. (The employer might be able to claim in turn against the supplier if the employee was successful and it was the supplier's fault, but that's another matter). If that's the case, it's up to the employer to ensure that the appropriate records are kept for the appropriate amount of time.
So in conclusion - I think this is more likely to be a controller-processor relationship.
Clay Garland
Information Governance Officer
Legal and Governance
University of Central Lancashire
Email: [log in to unmask]
-----Original Message-----
From: This list is for those interested in Data Protection issues <[log in to unmask]> On Behalf Of Claire C
Sent: 04 April 2019 17:15
To: [log in to unmask]
Subject: Re: [data-protection] Joint Controller or Separate Controllers?
Thanks everyone who has provided their view so far. Much appreciated.
In this scenario, the employer is engaging the specialist skills and expertise of the DSE assessment supplier (employer determining the purpose). The employer does not design the content of the assessment, this is designed by the DSE assessor (who is determining the means) and the results given to the employee to share with the employer.
I had dismissed it as being a controller - processor relationship on the basis that the DSE assessment supplier is providing professional expertise and in which case is likely to need to retain their own records in case of a claim of negligence. What I am more uncertain about is whether it is a joint controllership or controller - controller scenario.
Would a joint relationship mean the assessment was designed and agreed by both parties? A common retention period agreed?
In which case, I'm now more convinced it's a controller - controller relationship.
Thanks again,
Claire
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask] All user commands can be found at https://www.jiscmail.ac.uk/help/subscribers/subscribercommands.html
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^