I have been following the discussions on sharing staff data with interest. I do not wish to contribute save to say I agree with all of the comments - this is not a consent issue but requires adequate fair processing notice.
But it is an example of how real world situations become surprisingly complex when applying what are in fact fairly simple DP rules. I thought I would share with you a very simple situation I have been working on today which is hard to analyse with certainty, and my conclusions - if anyone disagrees please shoot me down.
A hospital H runs a neo-natal service. For the benefit of both H and parents H offers a service whereby staff may take short videos of babies and post them on a secure website so that working and absent parents can be kept in touch etc. This is run and hosted by V. Parents create a unique account with V, are notified of uploads and can view or download videos. H has admin access to the system and will delete the account and all videos after patient discharge. All done by consent and appropriate security is in place.
Service has been running for a while until I spoil the party by asking if the processing agreement has had a GDPR upgrade. There is no agreement. Neither my H nor V nor as far as I know any other H (100s run the system) thought there was any processing of PID going on. I immediately decided H was clearly a controller for the videos - H commission the service, do the filming and decide what to upload. Quickly drafted a processing agreement, threw in the processing of the parent account details as well as the videos, and V is happy to sign - anything for a quiet life.
Quick audit later I discover that on sign up V (a) seeks consent to market other products and (b) asks parents to enter into quite a detailed agreement with V - neither really compatible with V being a processor for H. So perhaps V is controller for the account details and we are a processor when we administer the accounts - so hey, we need a second reverse processing agreement and need to take parent data out of the one I drafted and they agreed. This is getting silly.
Latest conclusion:
H and V are joint controllers for the account information so no second agreement is needed. H primarily because they have the purpose, V because they have to take responsibility for the means for security and verification of accounts and
H is controller and V processor for the videos themselves. V has no possible interest in the videos and is effectively just acting as cloud storage. V has no scope to use the video data for any of its own purposes.