Hi everyone,I have two Friday questionsFirstly on the following scenario, if anyone wants to venture anything about it (we are Company D, our client is Company B), what are the DPA implications and points of difficulty? Hopefully the scenario is of interest.Secondly I am in no uncertain terms recommending that our client needs consult a DPA specialist solicitor / lawyer to obtain legal advice on what the DPA position is, and what B (and D) should do. Here we are looking for focussed pragmatic advice, including, I presume, the construction of the wording for release forms and whose responsibility they are.If you can recommend such a person or firm, I'd really appreciate it, please, if you could contact me (probably off list) with your recommendation.Thanks a millionMark--------------------------------------------------------------------------------------------------------------------------------------CircumstancesCompany A owns and operates maritime vessels and operates in both UK and EU jurisdictions.Company A's vessels are crewed by Company A's employees and employees of other companies who supply services to Company A.We'll call a selection of these crew members X,Y,Z regardless of the company that they work for.Company B employs, on a contractual basis, self-employed nursing staff to provide medical services on Company A's vessels.Company B's nurses maintain medical records detailing aspects of the health of crew members X,Y,Z.Company B has its own full-time-employed on-shore doctor to provide case review and specialised medical assistance to Company B's medics.Company B may also from time-to-time also use doctors supplied by Company A or a third-party company,Company C, to provide case review and specialised medical assistance to Company B's on-board nurses.These doctors, regardless of if they work for Company A, B or C, may also provide medical advice to crew members X, Y, Z in an on-shore clinic.Use of dataNo matter if the doctors are employees of Companies A, B or C, when occasion arises they need to see medical records for sick or injured crew members X,Y, Z.Company B would like to show certain anonymised medical and demographic data to Company A. This anonymised information is derived from Company B's medical records for crew members.[1] Sometimes, for some data shown to company A, there may be circumstances resulting from disclosure of anonymised data that could result in a PII leak,eg there might be only one employee with an extremely high BMI on a particular vessel.If we knew the crew on that vessel we could deduce who that crew member is, and we would know that that person had a BMI, eg, of over 40.[2] Company B would also like to make certain suggestions to Company A, eg identified crew member X is overweight to be working at sea, or identified crew member Y has had an accident on-board.Company B proposes a release form signed by crew to regularise [2]. Problems with [1] may remain, but this problem may disappear if the individual has signed a release form.Processing dataCompany D supplies and maintains data processing facilities for company B in respect of crew member X,Y,Zs' medical records.Directors and employees of D act carefully: They never access any PII.It would be nice to copy, anonymise and also alter the content of existing records and use the resultant mutated records as test data, this could be done using a computer program, without any human seeing seeing any PII that is being anonymised and transformed. One of Company D's staff is somewhat for doing this, another is set against it, so Company D will not do this without legal advice
All archives of messages are stored permanently and are available to the world wide web community at large at http://www.jiscmail.ac.uk/lists/data-protection.html
Selected commands (the command has been filled in below in the body of the email if you are receiving emails in HTML format):
- Leaving this list: send leave data-protection to [log in to unmask]
- Suspending emails from all JISCMail lists: send SET * NOMAIL to [log in to unmask]
- To receive emails from this list in text format: send SET data-protection NOHTML to [log in to unmask]
- To receive emails from this list in HTML format: send SET data-protection HTML to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm and are sent in the body of an otherwise blank email to [log in to unmask]
Any queries about sending or receiving messages please send to the list owner [log in to unmask]
(Please send all commands to [log in to unmask] not the list or the moderators, and all requests for technical help to [log in to unmask], the general office helpline)