The definition of data processors under the '98 Act excludes employees of the of the data controller. The question arose in my mind as to whether consultants are employees for this purpose or whether they are processors and if the latter whether we should be incorporating specific clauses in their contracts about security. We would expect them to take the same care as employees but is there a higher duty imposed on us? The DPR's office suggest writing in to their legal department which I am doing(and will report back). It seems that the numbers of consultancy contracts are growing in some areas and that the group may be one where dp awareness may need to be raised? Gail Waters DP Coordinator Open University %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%