If I read the Commissioner's guidance paper on "adequacy" and the 8th Principle
correctly, no consent is required if the only thing they will be doing is
processing on behalf of a controller in the UK, and I agree with Adrian that a
written contract is in order that specifies exactly what the controller wants
done with the data, and specifies the security arrangements to protect it from
accidental or intentional loss, destruction, tampering, or other mishap.

Ignorance about the 1998 Act is not so unusual in the United States, even for
quite major companies who do business in the UK. But we're improving the
situation. I suspect you would find a similar level of ignorance on the
Continent.

Adrian Tribe wrote:
> Dear Sally,
>
> At 15:18 11/04/00 +0100, Sally wrote:
> >Our alumni people have contracted with a US based company
> >called IAC for design, managing and hosting our alumni db.
> >Does anyone have experience or advice about this
> >company. I am told they are aware of the DPA 1984 and have indemnity from
> >any upgrading of that legislation?
>
> I had quite a long phone conversation with the boss of this
> company in April last year and was staggered that at that time
> he told me he knew nothing of the 1998 Data Protection Act and
> its restriction on the transfer of personal data beyond the EEA.
> I sent him various URLs to get him up to speed. We decided not
> to use the services of his company (for various reasons). The
> OU (see http://www.openlink.org/), the LSE (http://www.lsealumni.com/)
> and possibly one or two other UK Universities have done so
> though. Incidentally, neither of these sites have any form of
> data protection/privacy statement anywhere that I could find :-(
>
> I had heard from someone (can't remember who!) that IAC now get
> round the problem by hosting the alumni sites that they build
> for UK institutions on servers physically based in the UK, but
> whether this is true or not, and how they then administer them
> without any data moving across to their offices in the US, I
> don't know.
>
> >I assume provided all this is made quite clear in the application form
> >to join the alumni then we can supply this personal data to the US without
> >any problem.
>
> As long as you have consent, and you have a written contract with
> this external company that requires them to work to the same
> data protection standards as we have to in the UK, you should be
> OK. But what about all those alumni who were 'signed up' years ago?
> Getting retrospective consent could be a fun exercise!!
>
> Best wishes,
> Adrian
>
> Adrian Tribe <[log in to unmask]>
> Web Editor, Birkbeck College, University of London
--
Charles A. Prescott
Vice President, International Business Development
and Government Affairs
Direct Marketing Association
1120 Avenue of the Americas
New York, NY 10036
U.S.A.
Tel. (1) 212-790-1552
Fax. (1) 212-790-1499
e-mail: [log in to unmask]
website: www.the-dma.org