

There was a discussion on LinkedIn yesterday on a similar area. IT Helpdesk using an ITSM tool – controller or processor.

 

The discussion split out to consider if the IT Helpdesk was outsourced (Carl Gottlieb raised an example of maybe Fujitsu using Zendesk on behalf of Sports Direct).

The camps were split on whether Fujitsu was the controller or Sports Direct, primarily due to who makes the decisions about what is processed and how.

 

As this is something which has been coming up in schools, I asked the ICO several times about this, as well as several traded services sections at LAs, and the core line from https://ico.org.uk/media/for-organisations/documents/1546/data-controllers-and-data-processors-dp-guidance.pdf (p4 - top bullet point) was “depending on the degree of control it exercises over the processing operation” as to whether a company is processor or controller.

 

For schools, where they had a choice of what systems and services they use from the market, they are making a choice when entering the arrangement with a service provider. If an LA school is in a managed service setup (BSF/PfI?) then it gets grey … as the school (the legal entity) has little or no power on the decision on the service used. If the school is an academy and the managed service is directed by the parent trust (the trust is generally the legal entity at this point) then a choice has been made. Ultimately, it comes down to what the school views as a decision it has made.

 

 

-- 

Tony Sheppard

Operations Manager

GDPR in Schools

 

 

From: This list is for those interested in Data Protection issues <[log in to unmask]> On Behalf Of Michelle Brown
Sent: 10 August 2018 10:15
To: [log in to unmask]
Subject: [data-protection] Friday question - logon details...

 

Morning all,

 

I am wondering whether I’m overthinking this (hence the Friday question!) – if your organisation buys a “system” from a supplier which requires users (employees) to log in to manage access, and this is a standard feature of this system (e.g. not part of your specification), who is the data controller for that data? And would this be different if the system were hosted by a supplier rather than if it were hosted by your organisation?

 

Best wishes,

 

Michelle

 

Michelle Brown

Information Manager

Transport for Greater Manchester

 

2 Piccadilly Place, Manchester M1 3BG

Direct line: 0161 244 1123, Extension 701123

www.tfgm.com

 



All archives of messages are stored permanently and are available to the world wide web community at large at http://www.jiscmail.ac.uk/lists/data-protection.html

Selected commands (the command has been filled in below in the body of the email if you are receiving emails in HTML format):

All user commands can be found at https://www.jiscmail.ac.uk/help/subscribers/subscribercommands.html and are sent in the body of an otherwise blank email to [log in to unmask]

Any queries about sending or receiving messages please send to the list owner [log in to unmask]

(Please send all commands to [log in to unmask] not the list or the moderators, and all requests for technical help to [log in to unmask], the general office helpline)




GDPR in Schools Ltd is a private limited company registered in England and Wales. 
Registered office: 11 Kingsley Lodge 13 New Cavendish Street, London, United Kingdom, W1G 9UG.
Company registration number: 10699302.
ICO registration number: ZA248932.

