Data Controllers are *responsible* - for the selection, implementation and operation of appropriate controls. The issue revolves around accountability ... to the regulator and to Data Subjects.

In the past year I have advised on and dealt with several 'incidents' that led to complaints to the ICO, ranging from tens of thousands of inaccurate records caused by a systemic error (awaiting decision) to one about three letters erroneously inserted in a mailing where the only personal data were names and addresses ("non-compliant").

The determination and measure of an *incident* is not wholly within the Data Controller's control. The determination and measure of a "breach" of the Act/Regulations (i.e., a "non-compliance") lies with the ICO.

Regards - Michael Bacon
Grimbaldus Limited

> On 30 Jan 2015, at 11:59, Jonathan Baines <[log in to unmask]> wrote:
>
> You're adopting my "ad absurdum" argument ;-)
>
> My theoretical rogue employee has had training, but has chosen to ignore it. He knows there is a policy requiring encryption of all portable hardware, and banning sending it in the post, but has chosen to ignore that too.
>
> If data controllers were responsible for every data security incident because the mere fact an incident happened meant there had been a failure of controls, then DPP7 (and the interpretative guide in Part II of Sch.1) would be rendered absurd.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^