Doreen Observations As you know it is not for the service provider to dictate the data use. The data security responsibility sits with the user of that service provider. If the service provider is using personal data from your organisation then they appear to become a data processor. As such the direction as to the uses and disclosures of personal data should be detailed in the written contract a controller is obliged to enter into. However as we know directing and managing security operations of a 'processor' is not at all easy to acheive. ie Exactly how is data erased and the fact adequately evidenced when the service is completed? and How is the processor exercising controls on their support organisations? ie IT Service support for example. I would raise questions with the person contracting for this training service to see what they had considered and covered in the training service contract and see how those services (which should include security services) are to be measured monitored. However it could be the live data being referred to is data about your own employee being trained. In which case the employee as the data subject is disclosing data about themselves direct to the trainer organisations who would in that context become the data controller because of their direct relationship to the individual. Personal data here could be name of employee, home address, qualifications etc. However data items such as employee id number is not data owned by the data subject to disclose as they please. It is part of your own organisations systems and whether it can be disclosed by employees is something your organisation has to direct your employees on possibly via employment or data security policies. Hope this assists David Wyatt ----- Original Message ----- From: "Broom, Doreen" <[log in to unmask]> To: <[log in to unmask]> Sent: Tuesday, November 23, 2004 10:03 AM Subject: [data-protection] Benefits Query ***** This email was sent via the INTERNET ***** All An educational organisation who are providing training to our Benefits staff have approached us with regard to training. They wish our employees to use their web-based system when doing their assessments and they must use "real" data. They also say that "there is nothing to worry about and if anyone were to get into trouble it wouldn't be us and that they have registered it for data protection purposes!". As the famous Scottish saying goes "Do they think I come up the Clyde in a banana boat". I am basically writing to ask if anyone out there has had similar situations but from my point of view, we obtained the information for benefits administration purposes and no other and therefore cannot then decide to use it for training purposes. I also fear that the data may then be sold on to e.g. loan sharks? I honestly cannot see any reason why it must be real data...perhaps some of you educational guys/gals out there can enlighten me.... Doreen Doreen Broom Access to Information Officer Scottish Borders Council Tel: 01835 826516 Fax: 01835 825041 ******************************************************************** * This email is privileged, confidential and subject to copyright. * * Any unauthorised use or disclosure of its content is prohibited. * * The views expressed in this communication may not necessarily * * be the views held by Scottish Borders Council. * ******************************************************************** ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ All archives of messages are stored permanently and are available to the world wide web community at large at http://www.jiscmail.ac.uk/lists/data-protection.html If you wish to leave this list please send the command leave data-protection to [log in to unmask] All user commands can be found at : - http://www.jiscmail.ac.uk/help/commandref.htm (all commands go to [log in to unmask] not the list please) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ All archives of messages are stored permanently and are available to the world wide web community at large at http://www.jiscmail.ac.uk/lists/data-protection.html If you wish to leave this list please send the command leave data-protection to [log in to unmask] All user commands can be found at : - http://www.jiscmail.ac.uk/help/commandref.htm (all commands go to [log in to unmask] not the list please) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^