Hi Duncan No, you are responsible for making appropriate security arrangements. So choosing the courier and the appropriate level of service is down to you. Nothing in this is absolute, think of risk assessment. Regards Jim ************************************************** J.S.M.Whitaker ======================================================================= -----Original Message----- From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of Duncan Smith Sent: Thursday, March 09, 2006 10:59 AM To: [log in to unmask] Subject: Re: [data-protection] Missing Payslips Mmm, So on that basis, would any agency or courier I use to physically transfer personal data from point A to point B, be exempt from the 7th principle requirements, or is it just Royal Mail? If it is just the Royal Mail - why do they have special privileges, and if not, how is the 'chain of trust' maintained in the processing of personal data when the responsibility for its security is passed to a 3rd party. Duncan Smith iCompli Ltd. -----Original Message----- From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of Simon Howarth (RGC) Interim Information Governance Manager Sent: Thursday, March 09, 2006 10:29 AM To: [log in to unmask] Subject: Re: [data-protection] Missing Payslips I don't agree. So I have just asked the ICO and they state that "the Royal Mail is not a data processor for the transit of information by post". And yes, I got straight through - which is a first! Simon. -----Original Message----- From: Duncan Smith [mailto:[log in to unmask]] Sent: 09 March 2006 10:18 To: [log in to unmask] Subject: Re: [data-protection] Missing Payslips Simon, "Putting information in the post does not make the RM a data processor does it?" As I read the definition of processing I would see Royal Mail as 'holding' the physical data. >From DPA Basic Interpretations ... "processing", in relation to >information or data, means obtaining, recording or **holding** the information or data or carrying out any operation or set of operations on the information or data. To place personal data in the hands of a 3rd party, but not have them (someone) contractually and legally responsible for the security of the data, would surely render 'great chunks' of the DPA useless. I think they are a data processor. Duncan Smith iCompli Ltd. -----Original Message----- From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of Simon Howarth (RGC) Interim Information Governance Manager Sent: Thursday, March 09, 2006 9:42 AM To: [log in to unmask] Subject: Re: [data-protection] Missing Payslips Duncan, >From Doreens post I interpret that they merely sent out the payslips in >the post. Putting information in the post does not make the RM a data processor does it? I would be surprised if it did. I don't think the RM being a data processor is an issue in this case. Interesting links though in NINO. Simon Howarth. -----Original Message----- From: Duncan Smith [mailto:[log in to unmask]] Sent: 09 March 2006 09:31 To: [log in to unmask] Subject: Re: [data-protection] Missing Payslips The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer. The information contained in this correspondence is not intended as legal advice or counsel, and is not represented as such by the sender. iCompli Ltd. makes no warranties or statements regarding the legal acceptability of the information presented in this correspondence. Any actions performed as a result of this information are of the recipient's own choosing. ------------------------------------------------------------------- Doreen, Has similarities with the Citibank/UPS saga in the States, albeit on a smaller scale! Although Royal Mail 'lost' the payslips, Scottish Borders Council are the Data Controller, and you chose to subcontract an element of your data processing to them as a data processor. Do you have a contract (evidenced in writing) whereby RM agree to act in accordance with the DPA?? No, we don't either, but we should according to P7 of the DPA. This is a major problem when dealing with data processors who are much larger than the data controller; it is generally their terms and conditions of sale that apply and NOT you terms and conditions of purchase. Anyone want to take this up in a new thread? Is NINO Fraud a problem? Since 2001 the government have been concerned enough to introduce SNAP (Secure NINO Allocation Process) so 'no smoke without fire'! Read this document http://www.identitycards.gov.uk/library/id_fraud-report.pdf if you need a 'primer' into identity theft. In it you'll find many examples of why loosing NINOs is a 'bad thing' E.g.. "Individuals seeking a NINO (who will in almost all cases have arrived from abroad) may, in particular, be trying to pass one of the hurdles on the road to employment." Don't let the Daily Mail reporters get hold of this! See also http://www.dsdni.gov.uk/fraud_sub_committee_fifth_report.pdf What can you do now? Can you identify all the NINOs that were mislaid? If so you might consider advising DWP, or other 'agencies' that use NINOs, about the loss. From my understanding, these agencies are still not sufficiently 'joined up' to do much with this information, but it is a proactive step on your part. Rgds. Duncan Smith Director iCompli Limited Northampton UK t: 08707 70 48 66 f: 08707 70 48 69 m: 07775 56 81 80 Mailto:[log in to unmask] Web: www.icompli.co.uk "Compliance in your language" -----Original Message----- From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of Broom, Doreen Sent: Wednesday, March 08, 2006 12:05 PM To: [log in to unmask] Subject: [data-protection] Missing Payslips All We have lots of rural schools in Borders. Payslips are sent out via Royal Mail. Anyway an envelope containing approx. 20 payslips has gone missing. Royal Mail are looking into it. I have been asked for the Data Protection issues surrounding this. The individuals are concerned as their NI Number, Personnel Number - name etc. appear on these slips. Their money has gone into the Bank but there are no Bank details on payslips. I know there are Identity Fraud implications but this is a very rural area and would be very difficult to get away with this type of thing as everyone knows everyone. Can anyone think of anything major that would be likely to happen - really, what kind of advice can I give - especially afetr the horse has bolted so to speak. We may never retrieve these payslips - are RM libel? Any thoughts would be helpful. Thanks, Doreen Doreen Broom Access to Information Officer Scottish Borders Council Tel: 01835 826516 Fax: 01835 825059 ******************************************************************** * This email is privileged, confidential and subject to copyright. * * Any unauthorised use or disclosure of its content is prohibited. * * The views expressed in this communication may not necessarily * * be the views held by Scottish Borders Council. * * Please be aware that any email sent or received by the Council * * may require to be disclosed by the Council under the provisions * * of the Freedom of Information (Scotland) Act 2002. * ******************************************************************** ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ All archives of messages are stored permanently and are available to the world wide web community at large at http://www.jiscmail.ac.uk/lists/data-protection.html If you wish to leave this list please send the command leave data-protection to [log in to unmask] All user commands can be found at : - http://www.jiscmail.ac.uk/help/commandref.htm Any queries about sending or receiving message please send to the list owner [log in to unmask] (all commands go to [log in to unmask] not the list please) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ __________ NOD32 1.1433 (20060307) Information __________ This message was checked by NOD32 antivirus system. http://www.eset.com __________ NOD32 1.1433 (20060307) Information __________ This message was checked by NOD32 antivirus system. http://www.eset.com ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ All archives of messages are stored permanently and are available to the world wide web community at large at http://www.jiscmail.ac.uk/lists/data-protection.html If you wish to leave this list please send the command leave data-protection to [log in to unmask] All user commands can be found at : - http://www.jiscmail.ac.uk/help/commandref.htm Any queries about sending or receiving message please send to the list owner [log in to unmask] (all commands go to [log in to unmask] not the list please) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ All archives of messages are stored permanently and are available to the world wide web community at large at http://www.jiscmail.ac.uk/lists/data-protection.html If you wish to leave this list please send the command leave data-protection to [log in to unmask] All user commands can be found at : - http://www.jiscmail.ac.uk/help/commandref.htm Any queries about sending or receiving message please send to the list owner [log in to unmask] (all commands go to [log in to unmask] not the list please) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ All archives of messages are stored permanently and are available to the world wide web community at large at http://www.jiscmail.ac.uk/lists/data-protection.html If you wish to leave this list please send the command leave data-protection to [log in to unmask] All user commands can be found at : - http://www.jiscmail.ac.uk/help/commandref.htm Any queries about sending or receiving message please send to the list owner [log in to unmask] (all commands go to [log in to unmask] not the list please) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ All archives of messages are stored permanently and are available to the world wide web community at large at http://www.jiscmail.ac.uk/lists/data-protection.html If you wish to leave this list please send the command leave data-protection to [log in to unmask] All user commands can be found at : - http://www.jiscmail.ac.uk/help/commandref.htm Any queries about sending or receiving message please send to the list owner [log in to unmask] (all commands go to [log in to unmask] not the list please) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ All archives of messages are stored permanently and are available to the world wide web community at large at http://www.jiscmail.ac.uk/lists/data-protection.html If you wish to leave this list please send the command leave data-protection to [log in to unmask] All user commands can be found at : - http://www.jiscmail.ac.uk/help/commandref.htm Any queries about sending or receiving message please send to the list owner [log in to unmask] (all commands go to [log in to unmask] not the list please) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ All archives of messages are stored permanently and are available to the world wide web community at large at http://www.jiscmail.ac.uk/lists/data-protection.html If you wish to leave this list please send the command leave data-protection to [log in to unmask] All user commands can be found at : - http://www.jiscmail.ac.uk/help/commandref.htm Any queries about sending or receiving message please send to the list owner [log in to unmask] (all commands go to [log in to unmask] not the list please) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^