davidwyatt on Saturday, February 12, 2005 at 11:55 PM said:-

> With the globalisation of trade 'Groups of companies' can now
> comprise several hundred legal entities incorporated for
> multiple purposes.

That any group of companies comprising many legal entities has been incorporated for multiple purposes would seem to indicate that the controllers and purposes are already known, as those things have somehow been incorporated within a legal framework with the full knowledge of the companies concerned.

> Given the DPA makes no recognition of a 'group' but only
> individual legal entities

What about joint data controllers?

> would we agree that by default,
> in the absence of any fair obtaining notice, no personal data
> sharing across a group should occur.

Fair obtaining is very clearly related to purpose. It is possible for the processing of personal data for a specified purpose by any particular data controller to be ameliorated by various means contained within the DPA. Notwithstanding other legislative, procedural or legal controls, the data subject's control of who gets what can be fairly restricted, which itself rather compromises aspects of privacy and promotes mosaic opportunities.

Any tightly structured framework causes much commercial compromise and complexity, equally making it more difficult for data subjects to understand the basically simple DPA principles. The ability of data subjects to understand how and why their personal data are being processed within very complex situations would seem to be dependent upon the time they have available to gain an understanding, and the availability of information in a way facilitating understanding. Many of those things can be affected by the data controller, so fairness to data subjects is clearly a matter which is reflected in information made available to data subjects and most often apparent between, rather than in, the lines of fair obtaining and processing documents.
> If the executive board of the parent company in a Group fail
> to have a policy on cross group data sharing protocols (ie
> none should occur without evidence of fair obtaining notice
> delivery) and adequately empower an information security
> function with being able to veto any data sharing across the
> individual legal entities where fair obtaining notices are
> inadequate have they applied appropriate security?

If the executive board of any parent company fail to have an appropriate level of policy control of their group, can they be said to be exercising their functions effectively? "Appropriate" could be very loose, or very tight, dependent on the executive board's decisions on any part of the group's needs/abilities. If an appropriate degree of knowledge of what happens with ANY data within any group does not exist, are the executive board able to exercise their functions for the greater good of the group?

> Is a data subject entitled to any evidence of security
> measures employed from the data controller to whom he gives
> personal data to enable inappropriate security to be determined?

Are audit reports not required to be made available (i.e. to the shareholders), subject to the sensitivities of the audited organisation in not compromising their security? Surely in any case, after a given period of time, during which any serious documented security weakness should be rectified, there would be no reasonable absolute reason not to have security audit reports made fully available to all stakeholders.

Debates on security disclosures can more often seem to relate to contextual security material rather than reporting detail, unless of course the vulnerabilities themselves are organisational vulnerabilities which the organisation is unwilling to make freely available to either its shareholders or stakeholders. In which case a real problem exists.
Ian W

> -----Original Message-----
> From: This list is for those interested in Data Protection
> issues [mailto:[log in to unmask]] On Behalf Of davidwyatt
> Sent: Saturday, February 12, 2005 11:55 PM
> To: [log in to unmask]
> Subject: Sharing data across a Group
>
>
> With the globalisation of trade 'Groups of companies' can now
> comprise several hundred legal entities incorporated for
> multiple purposes.
>
> Given the DPA makes no recognition of a 'group' but only
> individual legal entities would we agree that by default,
> in the absence of any fair obtaining notice, no personal data
> sharing across a group should occur.
>
> If the executive board of the parent company in a Group fail
> to have a policy on cross group data sharing protocols (ie
> none should occur without evidence of fair obtaining notice
> delivery) and adequately empower an information security
> function with being able to veto any data sharing across the
> individual legal entities where fair obtaining notices are
> inadequate have they applied appropriate security?
>
> Is a data subject entitled to any evidence of security
> measures employed from the data controller to whom he gives
> personal data to enable inappropriate security to be determined?
>
> Discuss
>
> David Wyatt
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> All archives of messages are stored permanently and are
> available to the world wide web community at large at
> http://www.jiscmail.ac.uk/lists/data-protection.html
> If you wish to leave this list please send the command
> leave data-protection to [log in to unmask]
> All user commands can be found at : -
> http://www.jiscmail.ac.uk/help/commandref.htm
> Any queries about sending or receiving message please send to
> the list owner
> [log in to unmask]
> (all commands go to [log in to unmask] not the list please)
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^