Thank you, Phil and Lawrence.  I think we are all in agreement (except for the Outlaw.com people, which I comment on below).
 
(One minor quibble in the way you put it back to me below though, Philip, I do not necessarily have a Schedule 3 consent.  It is HR data, so for my processing I am likely to be able to rely on para 2 of schedule 3.  But your point still stands.)
 
I agree that the ICO does not even go there in relation to his outsourcing guides or indeed his cloud guide (a form of outsourcing of course).
 
The treatment of the data processor as “part of” the data controller and therefore the actual arrangements for the processing being mere detail seems to me to be perfectly consistent with the DPA and the fundamental principle that the controller takes responsibility for processing by the processor.
 
I like this quote from the outlaw.com article Phil sent through:
 
“The ICO said that when organisations obtain individuals' explicit consent to process sensitive personal data they can then outsource some or all processing activities to others without the need for individuals to consent to those arrangements.”
 
However, the Germans do seem to take a different view of this and the comment made by the German Olswang lawyer in chimes nicely with the view of my colleague that I was discussing this issue with yesterday. 
 
So when it comes to taking my pick, I of course - as a pragmatic English lawyer - choose the ICO’s view.  (And if not, I’d have to re-write some of my cloud law book! (Little plug: 2nd edition on its way in a few months.).)
 
The trouble though in my current situation is that this outsourcing is multi-jurisdictional and it is hard to advise my client (“you can do this with HR data for UK employees, but not for that of German employees”).
 
Thanks again all.
 
 
Renzo Marchini
Special Counsel
Dechert LLP
+44 20 7184 7563 Direct
 
 
-----Original Message-----
From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of Phil Bradshaw
Sent: 20 January 2015 19:06
To: [log in to unmask]
Subject: Re: [data-protection] Outsourcing and sensitive personal data
 
Yes it is certainly processing, but as Lawrence says, is there really a problem? You are still the DC and presumably have Schedule 3 Condition 1 consent.
 
Consent is not usually expected to cover the minutiae of how you do the job. Would you ask for new consent if you moved from paper to electronic records? Consent to scan ? Consent to move from Windows to Linux ? If you introduce a BYOD policy?
 
Certainly ICO didn't think it worthy of mention in his guide to outsourcing for small and medium businesses. One would have expected a bold warning if he thought there was a problem.
 
Nor does the guidance on Cloud Computing suggest in any way that you need a schedule condition. Closets is a warning about fairness and not having mislead. This would apply here if e.g. you have ever done anything to suggest you would not use a data processor. Check your privacy / FPN's carefully.
 
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
     All archives of messages are stored permanently and are
      available to the world wide web community at large at
      https://urldefense.proofpoint.com/v2/url?u=http-3A__www.jiscmail.ac.uk_lists_data-2Dprotection.html&d=AwIFaQ&c=XHgqDMffAkUKcWDgZTAtfA&r=WA4vMljdqTypcda6BHAprb1VUCTP6WWutu0BST87unI&m=cmOztA6D291VuE_SlCtkzXJXDxvSXJxtMGwE3ac417U&s=dBLbpcHG0FzaK24xTCE38uHKhoU8_HX4RsC-W1YRgyU&e=
     If you wish to leave this list please send the command
       leave data-protection to [log in to unmask] All user commands can be found at https://urldefense.proofpoint.com/v2/url?u=http-3A__www.jiscmail.ac.uk_help_commandref.htm&d=AwIFaQ&c=XHgqDMffAkUKcWDgZTAtfA&r=WA4vMljdqTypcda6BHAprb1VUCTP6WWutu0BST87unI&m=cmOztA6D291VuE_SlCtkzXJXDxvSXJxtMGwE3ac417U&s=R93UIH3FtH5mXYnUKnd626gjMfR5lABH5C_s-jEnb44&e=
Any queries about sending or receiving messages please send to the list owner
              [log in to unmask]
  Full help Desk - please email [log in to unmask] describing your needs
        To receive these emails in HTML format send the command:
         SET data-protection HTML to [log in to unmask]
   (all commands go to [log in to unmask] not the list please)
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
This e-mail is from Dechert LLP, a law firm, and may contain information that is confidential or privileged. If you are not the intended recipient, please delete the e-mail and any attachments, and notify the sender. Dechert LLP is a limited liability partnership registered in England & Wales (Registered No. OC306029) and is authorised and regulated by the Solicitors Regulation Authority. A list of names of the members of Dechert LLP (who are solicitors or registered foreign lawyers) is available for inspection at its registered office, 160 Queen Victoria Street, London EC4V 4QQ.

All archives of messages are stored permanently and are available to the world wide web community at large at http://www.jiscmail.ac.uk/lists/data-protection.html

Selected commands (the command has been filled in below in the body of the email if you are receiving emails in HTML format):

All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm and are sent in the body of an otherwise blank email to [log in to unmask]

Any queries about sending or receiving messages please send to the list owner [log in to unmask]

(Please send all commands to [log in to unmask] not the list or the moderators, and all requests for technical help to [log in to unmask], the general office helpline)