JISCMail - DATA-PROTECTION Archives

Doreen

Observations

As you know it is not for the service provider to dictate the data use. The
data security responsibility sits with the user of that service provider. If
the service provider is using personal data from your organisation then they
appear to become a data processor. As such the direction as to the uses and
disclosures of personal data should be detailed in the written contract a
controller is obliged to enter into.

However as we know directing and managing security operations of a
'processor' is not at all easy to acheive.

ie Exactly how is data erased and the fact adequately evidenced when the
service is completed? and How is the processor exercising controls on their
support organisations?  ie IT Service support for example.

I would raise questions with the person contracting for this training
service to see what they had considered and covered in the training service
contract and see how those services (which should include security services)
are to be measured monitored.

However it could be the live data being referred to is data about your own
employee being trained. In which case the employee as the data subject is
disclosing data about themselves direct to the trainer organisations who
would in that context become the data controller because of their direct
relationship to the individual. Personal data  here could be name of
employee, home address, qualifications etc. However data items such as
employee id number is not data owned by the data subject to disclose as they
please. It is part of your own organisations systems and whether it can be
disclosed by employees is something your organisation has to direct your
employees on possibly via employment or data security policies.

Hope this assists

David Wyatt
----- Original Message -----
From: "Broom, Doreen" <[log in to unmask]>
To: <[log in to unmask]>
Sent: Tuesday, November 23, 2004 10:03 AM
Subject: [data-protection] Benefits Query


***** This email was sent via the INTERNET *****

All
An educational organisation who are providing training to our Benefits staff
have approached us with regard to training.  They wish our employees to use
their web-based system when doing their assessments and they must use "real"
data.  They also say that "there is nothing to worry about and if anyone
were to get into trouble it wouldn't be us and that they have registered it
for data protection purposes!".  As the famous Scottish saying goes "Do they
think I come up the Clyde in a banana boat".

I am basically writing to ask if anyone out there has had similar situations
but from my point of view, we obtained the information for benefits
administration purposes and no other and therefore cannot then decide to use
it for training purposes.  I also fear that the data may then be sold on to
e.g. loan sharks?

I honestly cannot see any reason why it must be real data...perhaps some of
you educational guys/gals out there can enlighten me....

Doreen
Doreen Broom
Access to Information Officer
Scottish Borders Council
Tel: 01835 826516
Fax: 01835 825041



********************************************************************
* This email is privileged, confidential and subject to copyright. *
* Any unauthorised use or disclosure of its content is prohibited. *
* The views expressed in this communication may not necessarily    *
* be the views held by Scottish Borders Council.                   *
********************************************************************

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
       All archives of messages are stored permanently and are
      available to the world wide web community at large at
      http://www.jiscmail.ac.uk/lists/data-protection.html
      If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
            All user commands can be found at : -
        http://www.jiscmail.ac.uk/help/commandref.htm
  (all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
       All archives of messages are stored permanently and are
      available to the world wide web community at large at
      http://www.jiscmail.ac.uk/lists/data-protection.html
      If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
            All user commands can be found at : -
        http://www.jiscmail.ac.uk/help/commandref.htm
  (all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^