 |
 |
Indeed - although I always find the interaction of P7 and P8 around safe harbor problematic and a bit of a trap.
It is easy to see how a small / inexperienced data controller would assume that using a safe harbor company, "recognised by the European Commission as providing adequate protection for the rights of data individuals" would satisfy P7 and not realising that:
(a) you still need a paragraph 12 compliant contract - unlikely on standard terms
(b) "providing protection for the rights of data individuals" is not the same as "comply[ing] with obligations equivalent to those imposed on a data controller by the seventh principle"
Phil Bradshaw
IG Wales
----- Original Message -----
From: Baines, Jonathan
Sent: 04/26/13 01:51 PM
Subject: Re: [data-protection] ICO undertaking for GP Practice
Oo - good one. Because, as has been pointed out to me off-list, cloud providers may well have safe harbor status, so the transfer in itself might not have been a breach.Jonathan Baines
Complaints and Information Rights Officer
Legal and Democratic Services
Buckinghamshire County Council
01296 383681
follow us on twitter: @buckscclegal
From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of Phil Bradshaw
Sent: Friday 26 April 2013 13:49
To: [log in to unmask]
Subject: Re: [data-protection] ICO undertaking for GP Practice
... and prosecuted (s21(2)) as the practice notification restricts all three categories of processing as "None outside the European Economic Area" ...
----- Original Message -----
From: Baines, Jonathan
Sent: 04/26/13 01:14 PM
Subject: [data-protection] ICO undertaking for GP Practice
The ICO has today published details of a DPA undertaking signed by a GP practice which (prepare yourselves…) was using a free web-based email provider to send patients information about smear tests. Said account was hacked, and although no sensitive data was disclosed, the use of the provider and the hack itself were a breach of the 7th Data Protection principle:What interests me is that most well-known web-based email providers use cloud storage, and most are US firms, where storage is likely to be outside the European Economic Area. If that's the case (and I've asked the ICO if they can provide further details) then the ICO could have found - and enforced against - an 8th principle breach.Jonathan BainesComplaints and Information Rights OfficerLegal and Democratic ServicesBuckinghamshire County Council01296 383681follow us on twitter: @buckscclegalLike Us
Follow Us
Watch Us
Subscribe now for latest news, information and offers.Buckinghamshire County Council
Visit our Web Site : http://www.buckscc.gov.uk
Buckinghamshire County Council Email Disclaimer
This Email, and any attachments, may contain Protected or Restricted information and is intended solely for the individual to whom it is addressed. It may contain sensitive or protectively marked material and should be handled accordingly. If this Email has been misdirected, please notify the author or [log in to unmask] immediately. If you are not the intended recipient you must not disclose, distribute, copy, print or rely on any of the information contained in it or attached, and all copies must be deleted immediately. Whilst we take reasonable steps to try to identify any software viruses, any attachments to this Email may nevertheless contain viruses which our anti-virus software has failed to identify. You should therefore carry out your own anti-virus checks before opening any documents.
Buckinghamshire County Council will not accept any liability for damage caused by computer viruses emanating from any attachment or other document supplied with this email.
All GCSx traffic may be subject to recording and / or monitoring in accordance with relevant legislation.
The views expressed in this email are not necessarily those of Buckinghamshire County Council unless explicitly stated.
This footnote also confirms that this email has been swept for content and for the presence of computer viruses.
All archives of messages are stored permanently and are available to the world wide web community at large at http://www.jiscmail.ac.uk/lists/data-protection.html
Selected commands (the command has been filled in below in the body of the email if you are receiving emails in HTML format):
- Leaving this list: send leave data-protection to [log in to unmask]
- Suspending emails from all JISCMail lists: send SET * NOMAIL to [log in to unmask]
- To receive emails from this list in text format: send SET data-protection NOHTML to [log in to unmask]
- To receive emails from this list in HTML format: send SET data-protection HTML to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm and are sent in the body of an otherwise blank email to [log in to unmask]
Any queries about sending or receiving messages please send to the list owner [log in to unmask]
(Please send all commands to [log in to unmask] not the list or the moderators, and all requests for technical help to [log in to unmask], the general office helpline)
All archives of messages are stored permanently and are available to the world wide web community at large at http://www.jiscmail.ac.uk/lists/data-protection.html
Selected commands (the command has been filled in below in the body of the email if you are receiving emails in HTML format):
- Leaving this list: send leave data-protection to [log in to unmask]
- Suspending emails from all JISCMail lists: send SET * NOMAIL to [log in to unmask]
- To receive emails from this list in text format: send SET data-protection NOHTML to [log in to unmask]
- To receive emails from this list in HTML format: send SET data-protection HTML to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm and are sent in the body of an otherwise blank email to [log in to unmask]
Any queries about sending or receiving messages please send to the list owner [log in to unmask]
(Please send all commands to [log in to unmask] not the list or the moderators, and all requests for technical help to [log in to unmask], the general office helpline)
All archives of messages are stored permanently and are available to the world wide web community at large at http://www.jiscmail.ac.uk/lists/data-protection.html
Selected commands (the command has been filled in below in the body of the email if you are receiving emails in HTML format):
- Leaving this list: send leave data-protection to [log in to unmask]
- Suspending emails from all JISCMail lists: send SET * NOMAIL to [log in to unmask]
- To receive emails from this list in text format: send SET data-protection NOHTML to [log in to unmask]
- To receive emails from this list in HTML format: send SET data-protection HTML to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm and are sent in the body of an otherwise blank email to [log in to unmask]
Any queries about sending or receiving messages please send to the list owner [log in to unmask]
(Please send all commands to [log in to unmask] not the list or the moderators, and all requests for technical help to [log in to unmask], the general office helpline)
All archives of messages are stored permanently and are available to the world wide web community at large at http://www.jiscmail.ac.uk/lists/data-protection.html
Selected commands (the command has been filled in below in the body of the email if you are receiving emails in HTML format):
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm and are sent in the body of an otherwise blank email to [log in to unmask]
Any queries about sending or receiving messages please send to the list owner [log in to unmask]
(Please send all commands to [log in to unmask] not the list or the moderators, and all requests for technical help to [log in to unmask], the general office helpline)
