JISCMail - DATA-PROTECTION Archives

Ill put myself up to be shot at re the first part of the scenario David
Logan presents and the joint data controller concept.

The term 'joint data controllers' does not exist in the Act itself. (Wrong -
I hear you shout). Getting technical I read the 'data controller' definition
in section 1 as singular. It simply appears to indicate the one or more
persons can decide on the manner of purpose of a data controllers'
processing. The drafting appears to indicate you have to start with a single
controller. Clearly the 'manner of the processing' may include a decision to
disclose to the other via some form of agreement on data sharing thereby
making them both data controllers. However that disclosure (processing)
surely has to be legitimised under the Act from the first to second
controller.

Examining the scenario presented.

Council is a data controller using a third party (processor) to presumably
view (process) the data to provide a service. This could be some form of
manned guarding service as defined in the Private Security Industry Act 2001
under which the service provider must be licenced. As part of the councils
obligation for a written contract, DPA principle 7, they as data controller
are obliged to set the security standard expected of the third party
processor. One of their contract clauses may have been that the service
provider must follow a Code of Practice (COP) issued by the Chief Constable
of Strathclyde Police. David's scenario does not indicate what this COP is.
Presumably however a COP is simply that and cannot by itself create a legal
relationship to permit a claim ownership to the data. The Council in
upholding their DPA security obligations would presumably have to authorise
any disclosures their processor was allowed to make. Under this scenario it
is difficult to see how the Police become a legitimate data controller
sharing data ownership.

However isn't the position a little different. I suggest the argument may be
that the Police are provided with the data by the council as a 'recipient'
under DPA either directly or from their service provider. The council may be
accepting a Police argument that their access is valid via public order
powers under the Police Act (I haven't researched this argument personally
yet but am given to understand such things exist in that Act  - Anyone on
list care to comment on if/where this exists in the Police Act?). Under DPA
this would be a 35(1)(rule of law) disclosure. Using such a disclosure
argument the council are exempt from the first 5 principles of the DP Act
via non-disclosure exemption and do not have to notify the data subject of
the disclosure (unless via a subsequent subject access request). The Police
force concerned as a recipient presumably become a data controller and take
it from there re their DPA obligations. Both Council and Police become data
controllers. (arguably via 'joint decision' as this could all be negotiated
in a few minutes between the two parties)

OK Shoot

David Wyatt

> -----Original Message-----
> From: This list is for those interested in Data Protection issues
> [mailto:[log in to unmask]]On Behalf Of David Logan
> Sent: 19 September 2001 14:51
> To: [log in to unmask]
> Subject: re : Subject Access to CCTV
>
>
> Sorry I can't help with request for form.
>
> I'm interested, however, in the fact that Police and Council are
> joint data
> controllers.
>
> This Council likewise has equipment it owns. Some of these images are
> transmitted to a third party which views them on behalf of the
> Council. This
> third party has bound itself to observe the Code of Practice and
> Guidelines
> issued by the Chief Constable of Strathclyde Police. In terms of these the
> Police claim copyright in the images. There is no agreement as to
> who is the
> data controller. It would be useful, therefore, to know how the Police
> agreed that they were joint data controllers.
>
> Another issue of interest is the extent to which the Council can
> competently
> monitor images for purposes other than prevention or detection of
> crime and
> the on what basis the Police can release images of crime prevention or
> detection to third parties who may not have a locus to enforce sanctions
> caused by breaching criminal law.
>
> Any comments would be appreciated.
>
> David Logan
> Principal Solicitor
> West Dunbartonshire Council.
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>     If you wish to leave this list please send the command
>        leave data-protection to [log in to unmask]
>             All user commands can be found at : -
>     www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
> all commands go to [log in to unmask] not the list please!
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
            All user commands can be found at : -
    www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
all commands go to [log in to unmask] not the list please!
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^