davidwyatt on Saturday, February 12, 2005 at 11:55 PM said:-

> With the globalisation of trade 'Groups of companies' can now 
> comprise of several hundred legal entities incorporated for 
> multiple purposes.

That any group of companies comprising many legal entities has been
incorporated for multiple purposes would seem to indicate that the
controllers and purposes are already known, as those things have somehow
been incorporated within a legal framework with the full knowledge of the
companies concerned.

> Given the DPA makes no recognition of a 'group' but only 
> individual legal entities 

What about joint data controllers?

> would we agree that by default, 
> in the absence of any fair obtaining notice, no personal data 
> sharing across a group should occur.

Fair obtaining is very clearly related to purpose. It is possible for the
processing of personal data for a specified purpose by any particular data
controller to be ameliorated by various means contained within the DPA.

Notwithstanding other legislative, procedural or legal controls, the data
subject's control of who gets what can be fairly restricted, which itself
rather compromises aspects of privacy and promotes mosaic opportunities.

Any tightly structured framework causes much commercial compromise and
complexity, equally making it more difficult for data subjects to understand
the basically simple DPA principles.

The ability of data subjects to understand how and why their personal data
are being processed within very complex situations would seem to be
dependent upon the time they have available to gain an understanding, and
the availability of information in a way facilitating understanding. Many of
those things can be affected by the data controller, so fairness to data
subjects is clearly a matter which is reflected in information made
available to data subjects and most often apparent between, rather than in,
the lines of fair obtaining and processing documents.

> If the executive board of the parent company in a Group fail 
> to have a policy on cross group data sharing protocols (ie 
> none should occur without evidence of fair obtaining notice 
> delivery) and adequately empower an information security 
> function with being able to veto any data sharing across the 
> individual legal entities where fair obtaining notices are 
> inadequate have they applied appropriate security?

If the executive board of any parent company fail to have an appropriate
level of policy control of their group can they be said to be exercising
their functions effectively? Appropriate could be very loose, or very tight,
dependent on the executive board's decisions on any part of the group's
needs/abilities.

If an appropriate degree of knowledge of what happens with ANY data within
any group does not exist, are the executive board able to exercise their
functions for the greater good of the group?

> Is a data subject entitled to any evidence of security 
> measures employed from the data controller to whom he gives 
> personal data to enable inappropriate security to be determined?

Are audit reports not required to be made available (i.e. to the
shareholders), subject to the sensitivities of the audited organisation in
not compromising their security?

Surely in any case, after a given period of time, during which any serious
documented security weakness should be rectified, there would be no
reasonable absolute reason not to have security audit reports made fully
available to all stakeholders.

Debates on security disclosures can more often seem to relate to contextual
security material rather than reporting detail, unless of course the
vulnerabilities themselves are organisational vulnerabilities which the
organisation is unwilling to make freely available to either its
shareholders or stakeholders. In which case a real problem exists.

Ian W

> -----Original Message-----
> From: This list is for those interested in Data Protection 
> issues [mailto:[log in to unmask]] On Behalf Of davidwyatt
> Sent: Saturday, February 12, 2005 11:55 PM
> To: [log in to unmask]
> Subject: Sharing data across a Group
> 
> Discuss 
> 
> David Wyatt