Paula:
I am not a lawyer but have worked with Data Protection compliance within a
legal services function of a major Financial Services group for a
substantial period, providing advices to lawyers as a DP specialist.
Some observations:
A warranty is open to negotiation between the parties. Some warranties can
be pointless to attempt but are a start point for negotiation. The services
company may not want to be associated with companies who choose to take DPA
risks in place of compliance. If they are big enough to be able to cherry
pick their customers then they can drive issues in this way.
If a company signs up to a warranty without challenging they may have a
contractual problem as it gives the contracting partner an opening to
attempt to void a contract via arguments of breach of contract. This your
lawyers should be aware of but they may not be aware of the technicalities
of your Data Protection responsibilities as controller and how difficult
compliance with them can be. This could mean they miss the potential risk in
accepting the clause.
The archiving company may be hoping you will accept the warranty without
challenge as they may also see it as a way of potraying their company in a
good light. e.g. They might be trying to market themselves as an excellent
company in terms of Corporate Social responsibility (CSR) a popular activity
today. In this respect its not a bad move on their part.
The issue you need to examine is the relationship between that company and
yourself. At first glance it would appear you are the data controller and
they are your selected processor. If that is the relationship you direct the
security of the data processing via a written contract and as controller
carry the responsibility in your fair obtaining notice to ensure your data
subjects know you use processors. The amount of detail you give a data
subject can vary. Its your choice in terms of risk and relationship to the
data subjects. As controller you should be able to direct processing
standards of service providers.
The Data Protection advisor to the archiving company is possibly trying to
minimimise perceived risks for his company and any admin overheads. Such
warranties should be challenged but the person signing up to the contract at
your end needs a good eye for DPA to spot risks given it is a specialist
legal discipline. You've seen it so let them know. There is nothing
directly in the DP Act which states a processor must obtain warranties from
those wishing to use their services. As you indicate DPA liabilities sit
with the controller to manage. If you are uncomfortable with the warranty
you should challenge this, given a processor has no direct role to audit the
compliance standards of the controller. There is nothing however to stop
them from attempting to promote better standards via this method.
A case of 'caveat emptor' - buyer beware
Good luck
David Wyatt
----- Original Message -----
From: "Paula Owen" <[log in to unmask]>
To: <[log in to unmask]>
Sent: Wednesday, September 17, 2003 3:56 PM
Subject: Re: [data-protection] Archiving Personal Data
> I have just looked at the T&Cs for my external storage company and have
> found them to be the same as Judith's! As this company is, I'm led to
> believe, one of the biggest in the country I would suggest that this could
> be an issue for a substantial number of organisations represented on this
> list.
>
> I find it ridiculous that they can put that type of statement into their
> T&Cs, as it is not their problem if there is sensitive data stored. It is
> purely the data controller's problem if the correct explicit consent (or
> other justifiable Sch.3 criteria) has not been achieved.
>
> As a data processor for other data controllers, do they have the right to
> insist on this? Can the lawyers among the group give us the legal
position?
>
> Paula
>
> -----Original Message-----
> From: Judith Oak [mailto:[log in to unmask]]
> Sent: 17 September 2003 10:52
> To: [log in to unmask]
> Subject: Archiving Personal Data
>
>
> Dear All
>
> I have a problem I'd really appreciate some help with. I'm new to the
list
> so please be gentle with me!
>
> I am reviewing some Ts&Cs from our offsite archiving company and they have
> added a Data Protection clause (new since the previous version of Ts&Cs we
> signed up to) which says:
>
> "The parties acknolwedge that the Company may have access to "Personal
> Data" .. in providing the Services .. The Customer warrants that the
> Personal Data is not Sensitive Personal Data .. and that it has all
> necessary consents and authorisations for the Company to process Personal
> Data in the manner and for the purposes ... in accordance with the terms
of
> this Agreement".
>
> I have no doubt we will be archiving personal data and some of that
> personal data may well be sensitive. I can't possibly allow my company to
> warrant that it isn't. I know that archiving is "processing" under DPA.
> But surely companies must be allowed to archive sensitive personal data
> without having to obtain consent? Is the archive box even a "relevant
> filing system"? Should I ask for a warranty from them that they won't
look
> in the boxes?!
>
> I'm at a loss at to what to do about it and hope someone out there can
give
> me some guidance!
>
> Thanks very much
> Judith
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> All archives of messages are stored permanently and are
> available to the world wide web community at large at
> http://www.jiscmail.ac.uk/lists/data-protection.html
> If you wish to leave this list please send the command
> leave data-protection to [log in to unmask]
> All user commands can be found at : -
> http://www.jiscmail.ac.uk/help/commandref.htm
> (all commands go to [log in to unmask] not the list please)
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> This email and any files transmitted with it are confidential and intended
> solely for the use of the addressee. The contents may not be disclosed or
> used by anyone other than the addressee. If you are not the intended
> recipient, please notify the sender immediately and delete the message
from
> your system.
> The Energy Saving Trust cannot accept any responsibility for the accuracy
or
> completeness of this message as it has been transmitted over a public
> network. If you suspect that the message may have been intercepted or
> amended please contact the sender. Any opinions expressed in this message
> are those of the sender and may not be binding on the Energy Saving Trust.
> Incoming and outgoing e-mail messages are routinely monitored for
compliance
> with the Energy Saving Trust's policy on the acceptable use of electronic
> communications.
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> All archives of messages are stored permanently and are
> available to the world wide web community at large at
> http://www.jiscmail.ac.uk/lists/data-protection.html
> If you wish to leave this list please send the command
> leave data-protection to [log in to unmask]
> All user commands can be found at : -
> http://www.jiscmail.ac.uk/help/commandref.htm
> (all commands go to [log in to unmask] not the list please)
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
http://www.jiscmail.ac.uk/help/commandref.htm
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|