Alternatively, assume that passing data to a Data Processor does fall within
the definition of processing (the simplest option) and agree with the
Information Commissioner that there are so many bits missing from Schedule 3
+ SI2000 no.417 that the provisions for sensitive data are effectively a
dead letter.
Paul Ticher
0116 273 8191
www.paulticher.com
22 Stoughton Drive North, Leicester LE5 5UB
For continuous priority support on Data Protection, sign up to my support
service:
www.paulticher.com/data-protection-services
----- Original Message -----
From: "Marchini, Renzo" <[log in to unmask]>
To: <[log in to unmask]>
Sent: Monday, September 17, 2012 9:46 AM
Subject: Re: Outsourcing
There is another view to that expressed in out-law.com.
Their analysis depends on the passing of data by a controller to a processor
itself being an act of "processing" for which you need to find a legal basis
(schedule 3). If it is, then of course, many, many, many outsourcings which
happen on a daily basis could not take place - since it is almost impossible
to find a schedule 3 condition.
(The problem does not arise for non-sensitive data since you could generally
rely on para 6 of schedule 2).
Instead, one can take the view that that passing (of data from controller to
processor) is not an act of "processing". You then don't need to find a
schedule 3 condition.
There is logic in this view: the controller remains responsible for the act
of the processor, the controller still needs to comply with paras 11 and 12
of schedule 1 and so on, data subject's are not prejudiced since all other
provisions of the DPA apply (including organizational and technical security
and so on - which may be the real issue in this news story).
There is support in the language of the definitions: "processing" doesn't
expressly refer to "passing" data (by any terms) - the closest you get is
"disclosure" in para (c) of Section 1(1) - but giving it to a processor
(acting on a controller's behalf only) can hardly be called "disclosure".
The introductory words before the examples in (a) to (d) are likewise a
little difficult to make clearly fit this situation: giving data to a
processor to act on a controller's behalf is not "obtaining, recording or
holding". (It is true that the processor "holds" the data - but there is no
need to find a schedule 2 or 3 condition in the hands of the processor -
since it is only the controller that needs to have the legitimizing basis).
It might, just, be the "carrying out of an operation" - but that to me
implies some sort of use of the information in the data.
I realize this is a rather pragmatic analysis to get out us of the need to
find a schedule 3 basis, but how else does one do it?
Renzo Marchini
Counsel
Dechert LLP
+44 (0) 20 7184 7563 direct
+44 (0) 20 7184 7001 fax
[log in to unmask]<mailto:[log in to unmask]>
www.dechert.com<http://www.dechert.com/>
From: This list is for those interested in Data Protection issues
[mailto:[log in to unmask]] On Behalf Of Ray Cooke
Sent: 17 September 2012 08:48
To: [log in to unmask]
Subject: Re: [data-protection] Outsourcing
V. interesting. The reference in the article to "sections 11 and 12 of the
DPA" is not quite right though, is it? This must be a reference to paras 11
and 12 of Schedule 1, Part II which set out the requirements for data
processors relating to the seventh, security, principle. These are
ingrained in my memory because of the need to bang on so much about the
issues relating to outsourcing to data processors.
Ray Cooke
tel: +44 (0)1865 484354
fax: +44 (0)1865 483330
www.brookes.ac.uk<http://www.brookes.ac.uk>
On 17 September 2012 08:15,
<[log in to unmask]<mailto:[log in to unmask]>> wrote:
ICO's 'pragmatic' view of outsourcing rules on sensitive personal data
processing may be without legal basis, claim experts
http://www.out-law.com/en/articles/2012/september/icos-pragmatic-view-of-outsourcing-rules-on-sensitive-personal-data-processing-may-be-without-legal-basis-claim-experts/
Regards
Ibrahim Hasan
Www.actnow.org.uk<http://Www.actnow.org.uk>
________________________________
All archives of messages are stored permanently and are available to the
world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
Selected commands (the command has been filled in below in the body of the
email if you are receiving emails in HTML format):
* Leaving this list: send leave data-protection to
[log in to unmask]<mailto:[log in to unmask]&BODY=LEAVE+data-protection>
* Suspending emails from all JISCMail lists: send SET * NOMAIL to
[log in to unmask]<mailto:[log in to unmask]&BODY=SET+*+NOMAIL>
* To receive emails from this list in text format: send SET
data-protection NOHTML to
[log in to unmask]<mailto:[log in to unmask]&BODY=SET+data-protection+NOHTML>
* To receive emails from this list in HTML format: send SET
data-protection HTML to
[log in to unmask]<mailto:[log in to unmask]&BODY=SET+data-protection+HTML>
All user commands can be found at
http://www.jiscmail.ac.uk/help/commandref.htm and are sent in the body of an
otherwise blank email to
[log in to unmask]<mailto:[log in to unmask]>
Any queries about sending or receiving messages please send to the list
owner
[log in to unmask]<mailto:[log in to unmask]>
(Please send all commands to
[log in to unmask]<mailto:[log in to unmask]> not the list or the
moderators, and all requests for technical help to
[log in to unmask]<mailto:[log in to unmask]>, the general office
helpline)
________________________________
________________________________
All archives of messages are stored permanently and are available to the
world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
Selected commands (the command has been filled in below in the body of the
email if you are receiving emails in HTML format):
* Leaving this list: send leave data-protection to
[log in to unmask]<mailto:[log in to unmask]&BODY=LEAVE%20data-protection>
* Suspending emails from all JISCMail lists: send SET * NOMAIL to
[log in to unmask]<mailto:[log in to unmask]&BODY=SET%20*%20NOMAIL>
* To receive emails from this list in text format: send SET
data-protection NOHTML to
[log in to unmask]<mailto:[log in to unmask]&BODY=SET%20data-protection%20NOHTML>
* To receive emails from this list in HTML format: send SET
data-protection HTML to
[log in to unmask]<mailto:[log in to unmask]&BODY=SET%20data-protection%20HTML>
All user commands can be found at
http://www.jiscmail.ac.uk/help/commandref.htm and are sent in the body of an
otherwise blank email to
[log in to unmask]<mailto:[log in to unmask]>
Any queries about sending or receiving messages please send to the list
owner
[log in to unmask]<mailto:[log in to unmask]>
(Please send all commands to
[log in to unmask]<mailto:[log in to unmask]> not the list or the
moderators, and all requests for technical help to
[log in to unmask]<mailto:[log in to unmask]>, the general office
helpline)
________________________________
This e-mail is from Dechert LLP, a law firm, and may contain information
that is confidential or privileged. If you are not the intended recipient,
please delete the e-mail and any attachments, and notify the sender. Dechert
LLP is a limited liability partnership registered in England & Wales
(Registered No. OC306029) and is authorised and regulated by the Solicitors
Regulation Authority. A list of names of the members of Dechert LLP (who are
solicitors or registered foreign lawyers) is available for inspection at its
registered office, 160 Queen Victoria Street, London EC4V 4QQ.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at
http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving messages please send to the list
owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your
needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|