What do you think is the position where a member of staff is processing personal data in connection with providing references for business contacts who are not our employees but employees of other institutions(including ones overseas) with which the person was previously associated? The purpose is not personnel administration for this institution but is personal to the staff member. Are we a computer bureau for the staff member in question under the current Act & concerned therefore only with the security of the data(we are registered both as user & bureau). If this is so, presumably we would be a processor under the new Act for the staff member, who as controller would have to notify? This seems bizarre! Gail Waters DP Coordinator Open University %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%