Thank you, Phil and Lawrence. I think we are all in agreement (except for the Outlaw.com people, which I comment on below).
(One minor quibble in the way you put it back to me below though, Philip, I do not necessarily have a Schedule 3 consent. It is HR data, so for my processing I am likely to be able to rely on para
2 of schedule 3. But your point still stands.)
I agree that the ICO does not even go there in relation to his outsourcing guides or indeed his cloud guide (a form of outsourcing of course).
The treatment of the data processor as “part of” the data controller and therefore the actual arrangements for the processing being mere detail seems to me to be perfectly consistent with the DPA
and the fundamental principle that the controller takes responsibility for processing by the processor.
“The ICO said that when organisations obtain individuals' explicit consent to process sensitive personal data they can then outsource some or all processing activities to others without the need
for individuals to consent to those arrangements.”
However, the Germans do seem to take a different view of this and the comment made by the German Olswang lawyer in chimes nicely with the view of my colleague that I was discussing this issue with
yesterday.
So when it comes to taking my pick, I of course - as a pragmatic English lawyer - choose the ICO’s view. (And if not, I’d have to re-write some of my cloud
law book! (Little plug: 2nd edition on its way in a few months.))
The trouble though in my current situation is that this outsourcing is multi-jurisdictional and it is hard to advise my client (“you can do this with HR data for UK employees, but not for that of
German employees”).
Thanks again all.
Renzo Marchini
Special Counsel
Dechert LLP
+44 20 7184 7563 Direct
-----Original Message-----
From: This list is for those interested in Data Protection issues On Behalf Of Phil Bradshaw
Sent: 20 January 2015 19:06
Subject: Re: [data-protection] Outsourcing and sensitive personal data
Yes it is certainly processing, but as Lawrence says, is there really a problem? You are still the DC and presumably have Schedule 3 Condition 1 consent.
Consent is not usually expected to cover the minutiae of how you do the job. Would you ask for new consent if you moved from paper to electronic records? Consent to scan? Consent to move from Windows
to Linux? If you introduce a BYOD policy?
Certainly ICO didn't think it worthy of mention in his guide to outsourcing for small and medium businesses. One would have expected a bold warning if he thought there was a problem.
Nor does the guidance on Cloud Computing suggest in any way that you need a schedule condition. Closest is a warning about fairness and not having misled. This would apply here if e.g. you have
ever done anything to suggest you would not use a data processor. Check your privacy / FPNs carefully.