Paul Ticher on Wednesday, January 26, 2005 at 9:59 AM said:-
> The parties to a data sharing protocol are - as Ian says -
> bound to be Data Controllers in their own right, and almost
> bound to have to Register, though it's possible to come up
> with a hypothetical situation in which one or more might be exempt.
If the different partners, process the pooled data for the same purpose the
situation is relatively simple. If the purposes differ, and different data
sets are required to meet those needs, the situation becomes a little more
complex. Additional complexity can be created by various other factors.
(e.g. trans-border data flows)
> In addition, though, you have to work out which of the
> following applies:
> * The data sharing agreement is just that, with each
> Data Controller
> making disclosures to others as and when required.
> * The data sharing involves some pooling of data - a
> common set of
> core data, for example - which might make all the partners
> joint Data Controllers of the pooled data, and jointly liable
> for compliance. The organisation hosting the pooled data
> might then be a Data Processor as well. (Two or more
> organisations can also be Data Controllers in common, but
> someone else will have to explain what that means.)
A good example of a situation clearly justifying joint data controllers
would be where the same initially collected data is processed for entirely
different purposes by the different data controllers, where each one could
not legitimately process the data for the purpose(s) the others do.
> * The data sharing arrangement is run on behalf of the
> partners by
> some central organisation which has enough of an independent
> existence to make it a Data Controller in its own right.
That merely creates an additional level of complexity. e.g. Data Processors
often determine and manage many back-up, maintenance and security tasks,
without any effective voice or direction from the originating data
controller. An issue which can be overlooked yet which can turn them into
joint data controllers.
Now FOI is operative, I imagine that all data sharing protocols the public
sector are party to can be obtained as examples, so you could make enquiries
to gather some as a means of gaining familiarity with the various forms.
Information relating to those protocols would certainly be of public
interest, and available as a result of the DPA data subjects rights
regarding processing of personal data.
The privacy of data subjects can be more difficult to maintain in
circumstances of data sharing, so I would expect the security and DPA
principle compliance issues to be more structured and developed in the older
protocols, which will probably have contained clauses regarding trial
periods/review/development to assure those factors are improved as
experience is gained.
Ian W
> -----Original Message-----
> From: This list is for those interested in Data Protection
> issues [mailto:[log in to unmask]] On Behalf Of
> Paul Ticher
> Sent: Wednesday, January 26, 2005 9:59 AM
> To: [log in to unmask]
> Subject: Re: Data Sharing Protocols
>
>
> The parties to a data sharing protocol are - as Ian says -
> bound to be Data Controllers in their own right, and almost
> bound to have to Register, though it's possible to come up
> with a hypothetical situation in which one or more might be exempt.
>
> In addition, though, you have to work out which of the
> following applies:
> * The data sharing agreement is just that, with each
> Data Controller
> making disclosures to others as and when required.
> * The data sharing involves some pooling of data - a
> common set of
> core data, for example - which might make all the partners
> joint Data Controllers of the pooled data, and jointly liable
> for compliance. The organisation hosting the pooled data
> might then be a Data Processor as well. (Two or more
> organisations can also be Data Controllers in common, but
> someone else will have to explain what that means.)
> * The data sharing arrangement is run on behalf of the
> partners by
> some central organisation which has enough of an independent
> existence to make it a Data Controller in its own right.
>
> That's how I understand the theory, anyway. Other people may
> be able to give more useful practical examples.
>
> Paul Ticher
> 0116 273 8191
> 22 Stoughton Drive North, Leicester LE5 5UB
>
> I hereby require any recipient of this message not to use my
> personal data for direct marketing purposes.
>
>
> ----- Original Message -----
> From: <[log in to unmask]>
> To: <[log in to unmask]>
> Sent: Wednesday, January 26, 2005 9:14 AM
> Subject: Re: Data Sharing Protocols
>
>
> > 1) Yes, all parties to a data sharing protocol must be
> registered data
> > controllers and you should make that a condition of membership. The
> signing-up form
> > should require the parties to state their notification number.
> Incidentally,
> > data processors have no legal obligations under the DPA.
> >
> > 2) Except in cases involving children at risk and maybe some
> > vulnerable adults, I would suggest that the basis of the
> data sharing
> > should be
> consent. How
> > that consent is obtained and at what stage is something you should
> establish
> > prior to the partnership operating. As the data is likely to be
> > classed
> as
> > sensitive personal data, I would think the consent should be in
> > writing.
> >
> > Ian B
> >
> >
> > Ian Buckland
> > Managing Director
> > Keep IT Legal Ltd
> >
> > Please Note: The information given above does not replace or negate
> > the
> need
> > for proper legal advice and/or representation. It is essential that
> > you do
> not
> > rely upon any advice given without contacting your
> solicitor. If you
> > need further explanation of any points raised please
> contact Keep I.T.
> > Legal
> Ltd at
> > the address below:
> >
> > 55 Curbar Curve
> > Inkersall, Chesterfield
> > Derbyshire S43 3HP
> > (Reg 3822335)
> > Tel: 01246 473999
> > Fax: 01246 470742
> > E-mail: [log in to unmask]
> > Website: www.keepitlegal.co.uk
> >
> > -----
> > In a message dated 25/01/05 08:29:29 GMT Standard Time,
> > [log in to unmask] writes:
> >
> >
> > > 1> Do all Data sharing parties need to be registered as
> independant
> > > 1> Data
> > > Controllers or do we just register the interests as DP
> processors
> > > with the IC?
> > >
> > > 2> I understand te fair-processing code needs to reflect
> > > 2> data-sharing
> > > activity - however can we use the Health & SS exemptions
> to process
> > > / share information?
> >
> >
> > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > All archives of messages are stored permanently and are
> > available to the world wide web community at large at
> > http://www.jiscmail.ac.uk/lists/data-protection.html
> > If you wish to leave this list please send the command
> > leave data-protection to [log in to unmask]
> > All user commands can be found at : -
> > http://www.jiscmail.ac.uk/help/commandref.htm
> > Any queries about sending or receiving message please send
> to the list
> owner
> > [log in to unmask]
> > (all commands go to [log in to unmask] not the list please)
> > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> All archives of messages are stored permanently and are
> available to the world wide web community at large at
> http://www.jiscmail.ac.uk/lists/data-protection.html
> If you wish to leave this list please send the command
> leave data-protection to [log in to unmask]
> All user commands can be found at : -
> http://www.jiscmail.ac.uk/help/commandref.htm
> Any queries about sending or receiving message please send to
> the list owner
> [log in to unmask]
> (all commands go to [log in to unmask] not the list please)
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving message please send to the list owner
[log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|