Thanks for all posts on this subject.
It would appear I was right to look at it
in a bit more depth!
Regards,
Kevin
From: This list is for those interested in Data
Protection issues [mailto:[log in to unmask]] On Behalf Of Chris Brogan
Sent: 07 May 2009 16:02
To: [log in to unmask]
Subject: [data-protection] FW:
Controller or Processor
My opinion is with
Tim but you may be interested in the ICO’s opinion with regard to
solicitors, accountants and private investigators.
The ICO is of the
opinion that they are data controllers even when acting in response to the
instructions given by a client.
Unless they have
changed their opinion the Law Society do not agree with the ICO but advise
their clients to err on the side of caution. I am unaware of the
May I develop this
discussion a little further? If when you subcontract/delegate/instruct work to
another party that involves processing personal data and you do not include the
data protection clause is it a lawful contract. He will be processing personal
data for a client and the DPA is quite clear that the legal relationship of
processor and controller has to be in writing. I suggest that this adds a fifth
clause to the common law definition of contract—offer, acceptance,
consideration and legally binding. If I am correct and this is not a valid contract
doesn’t it then open the potential for breaches of DPA as well as HRA
article 8- Right to respect for privacy.
Seems to me that
whatever the answer may be it wise to include the data protection clause in all
contracts that include ethe processing of personal data.
Managing
Director
Security International Ltd
Tel: +44 20 8847 2111
Fax: +44 20 8847 1852
Registered in
Registered Office:
From: This list is for those interested in Data
Protection issues [mailto:
Sent: 06 May 2009 17:31
To:
Subject: Re: Controller or
Processor
You are and remain the sole data
controller. Al sub contractors are data processors. It matters
little whether they are sub-sub contractors, except that you will have a Data
Processor Agreement with your direct subcontractors and will insist in the
agreement that anyone subcontracted to by your subcontractors has a full data
processor agreement with the person to whom they are contracted.
There is a paradox that the presence of a sub-sub contractor may appear to
validate the sub contractor to whom they are contracted as a Data
Controller. In reality, for that sub-sub contractor, they are the data
controller in a legalistic sense, bit you are the absolute overall Data
Controller.
Is the mud any clearer?
You determine what is done with the data. You give the instructions for
processing, and it is your responsibility to safeguard it and destroy or retain
it when the event is finished.
Kevin Tarleton wrote:
I want to make sure we are doing
everything we can to protect the personal information of our attendees, and at
the same time I want to make sure each organisation that processes their
information is aware of its own responsibilities to the attendee and ourselves.
My understanding is that my
organisation will remain the Data Controller no matter who is processing the
information for us.
Even so, I have several questions
that have been bugging me that I was hoping list members could help me with:
1. Are the hotel the data processor
for us or for our event-management partner?
2. Is there an argument that our
event-management partner are the data controller and the hotel their data processor (as they collect information directly)?
(Although we should have access to this information if we require it)
3. Do our event-management partner
remain a data processor because they are collecting the information on our
behalf?
All opinions welcome!
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ Any requests under the Freedom of Information Act should be directed to [log in to unmask] Please notify the sender immediately if this email appears to have been sent to you by mistake; Respect the confidentiality of any information you receive from us; Remember that emails sent or received by our staff may be disclosed under the Freedom of Information Act; Let us know straight away if you suspect this email is infected with a virus by ringing 0161 237 2560 [if outside the UK +44 161 237 2560]. (We take all possible steps to ensure that our systems are virus-free but no system is completely secure.) Please note that the contents of incoming and outgoing emails are automatically scanned for inappropriate content. |