Any thoughts or clarification on the following would be appreciated, depending on the day of the week my thoughts change. Two separate organisations. One acts as the management contractor for the other, both share a large proportion of the staff, employing them under a joint contract. Both are registered with the IOC. Is it legally correct for one simply to adopt the other's DPA policy and guidelines, either by a reference to agreeing to abide by them or by amending the name and logos within these documents, or should they each produce their own. The two organisations also share the same W.A.N. and can access the same databases containing personal information of their clients and staff. As joint controllers must they still draft a protocol or contract, to govern the details of data sharing, or if a central DPA policy etc is legal, will this on its own be sufficient? Just to complicate matters they will be sharing a separate database containg p.d. with at least 2 other organisations, not thankfully any more staff. ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ If you wish to leave this list please send the command leave data-protection to [log in to unmask] All user commands can be found at : - www.jiscmail.ac.uk/user-manual/summary-user-commands.htm all commands go to [log in to unmask] not the list please! ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^