Thanks for all posts on this subject.

 

It would appear I was right to look at it in a bit more depth! 

 

Regards,

 

Kevin

________________________________

From: This list is for those interested in Data Protection issues
[mailto:[log in to unmask]] On Behalf Of Chris Brogan
Sent: 07 May 2009 16:02
To: [log in to unmask]
Subject: [data-protection] FW: Controller or Processor

 

 

 

My opinion is with Tim but you may be interested in the ICO's opinion
with regard to solicitors, accountants and private investigators. 

 

The ICO is of the opinion that they are data controllers even when
acting in response to the instructions given by a client.

Unless they have changed their opinion the Law Society do not agree with
the ICO but advise their clients to err on the side of caution. I am
unaware of the Institute of Chartered Accountants' view. The Private
investigators generally know so little about DPA it is difficult to
assess what their view if any is.

 

May I develop this discussion a little further? If, when you
subcontract/delegate/instruct work to another party that involves
processing personal data, you do not include the data protection
clause, is it a lawful contract? He will be processing personal data for
a client and the DPA is quite clear that the legal relationship of
processor and controller has to be in writing. I suggest that this adds
a fifth clause to the common law definition of contract: offer,
acceptance, consideration and legally binding. If I am correct and this
is not a valid contract, doesn't it then open the potential for breaches
of DPA as well as HRA article 8 - Right to respect for privacy?

 

Seems to me that whatever the answer may be it is wise to include the data
protection clause in all contracts that include the processing of
personal data.

 

Chris Brogan MA LLM

Managing Director 

Security International Ltd

130 St Johns Road, Isleworth, Middlesex TW7 6PL, UK

Tel:  +44 20 8847 2111  Fax:  +44 20 8847 1852

Registered in England & Wales No. 1322074

Registered Office:  11 Loveday Road, London W13 9JT

www.securitysi.com <http://www.securitysi.com/>  

________________________________

From: This list is for those interested in Data Protection issues
[mailto:[log in to unmask]] On Behalf Of Tim Trent
Sent: 06 May 2009 17:31
To: [log in to unmask]
Subject: Re: Controller or Processor

 

You are and remain the sole data controller.  All sub contractors are
data processors.  It matters little whether they are sub-sub
contractors, except that you will have a Data Processor Agreement with
your direct subcontractors and will insist in the agreement that anyone
subcontracted to by your subcontractors has a full data processor
agreement with the person to whom they are contracted.

There is a paradox that the presence of a sub-sub contractor may appear
to validate the sub contractor to whom they are contracted as a Data
Controller.  In reality, for that sub-sub contractor, they are the data
controller in a legalistic sense, but you are the absolute overall Data
Controller.

Is the mud any clearer?

You determine what is done with the data.  You give the instructions for
processing, and it is your responsibility to safeguard it and destroy or
retain it when the event is finished.

Kevin Tarleton wrote: 

As part of the improvement courses and programmes my organisation runs,
we arrange large events at hotels. We have an event-management partner
who collect the personal details of our attendees in order to book the
hotel accommodation.

 

I want to make sure we are doing everything we can to protect the
personal information of our attendees, and at the same time I want to
make sure each organisation that processes their information is aware of
its own responsibilities to the attendee and ourselves.

 

My understanding is that my organisation will remain the Data Controller
no matter who is processing the information for us.

 

Even so, I have several questions that have been bugging me that I was
hoping list members could help me with:

 

1. Are the hotel the data processor for us or for our event-management
partner?

2. Is there an argument that our event-management partner are the data
controller and the hotel their data processor (as they collect
information directly)? (Although we should have access to this
information if we require it) 

3. Do our event-management partner remain a data processor because they
are collecting the information on our behalf?

 

All opinions welcome!

 

________________________________

All archives of messages are stored permanently and are available to the
world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html

Selected commands (the command has been filled in below in the body of
the email if you are receiving emails in HTML format):

*	Leaving this list: send leave data-protection to
[log in to unmask] <mailto:[log in to unmask]&BODY=LEAVE
data-protection> 
*	Suspending emails from all JISCMail lists: send SET * NOMAIL to
[log in to unmask] <mailto:[log in to unmask]&BODY=SET *
NOMAIL> 
*	To receive emails from this list in text format: send SET
data-protection NOHTML to [log in to unmask]
<mailto:[log in to unmask]&BODY=SET data-protection NOHTML> 
*	To receive emails from this list in HTML format: send SET
data-protection HTML to [log in to unmask]
<mailto:[log in to unmask]&BODY=SET data-protection HTML> 

All user commands can be found at
http://www.jiscmail.ac.uk/help/commandref.htm and are sent in the body
of an otherwise blank email to [log in to unmask]

Any queries about sending or receiving messages please send to the list
owner [log in to unmask]

(Please send all commands to [log in to unmask] not the list or the
moderators, and all requests for technical help to
[log in to unmask], the general office helpline)

