Jon
Have you pointed out to them that if they are data controllers then they have to provide fair processing notices to all data subjects, deal with SARs from the data subjects, etc., etc.?
As a data processor, they can leave all that hassle to you...
Andrew
--
Andrew Cormack, Chief Regulatory Adviser
JANET(UK), Lumen House, Library Avenue, Harwell Science and Innovation Campus, Didcot, OX11 0SG, UK
Phone: +44 (0) 1235 822302
Fax: +44 (0) 1235 822399
JANET, the UK's education and research network
JANET(UK) is a trading name of The JNT Association, a company limited
by guarantee which is registered in England under No. 2881024
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Science and Innovation Campus, Didcot, Oxfordshire. OX11 0SG
> -----Original Message-----
> From: This list is for those interested in Data Protection issues
> [mailto:[log in to unmask]] On Behalf Of Jon Dunster
> Sent: 24 April 2009 09:31
> To: [log in to unmask]
> Subject: Re: Application support companies ...
>
> On Mon, 20 Apr 2009 11:17:23 +0100, Tim Trent
> <[log in to unmask]> wrote:
>
> >On the basis of what you have said I am certain that they are Data
> >Processors within the meaning of the DPA 1998.
> >
> >The agreement between the two of you needs to indemnify you for their
> >actions where those actions are not directly instructed by you. A
> >direct instruction can include "Please do whatever you need to do in
> >order to make this thing work" of course. Obviously it cannot indemnify
> >you if your instruction was faulty. Equally you may not lawfully
> >instruct them to break the law.
>
> And now they have said that they are the data controllers for our data -
> I don't think so! This has the feeling of going on and on.
>
> For your enjoyment this is what they sent us instead of agreeing with
> our processor clauses:
>
> Purposes
>
> As can be seen, our registration covers four Purposes namely 'Staff
> Administration', 'Advertising, Marketing & Public Relations', 'Accounts &
> Records' and 'Consultancy and Advisory Services'.
> The fourth of these is described as 'Giving advice or rendering
> professional services. The provision of services of an advisory,
> consultancy or intermediary nature' and, in particular, 'Software
> development/demonstration and support/processing services (including
> advice, repairs and/or remote processing)'.
>
> Data Subjects/Classes
>
> Data Subjects covered by the fourth Purpose include:
> ° Customers and Clients.
> ° Applicants, employees (and their relatives) of customers and clients.
> ° Relatives, guardians and associates of the data subject.
> ° Data subjects necessary for the development, testing and demonstration
>   of the data controller's software.
> Data Classes covered for these Data Subjects include:
> ° Personal, Educational, Training, Employment and Financial details.
> ° Racial or Ethnic origin, Religious or other beliefs of a similar nature.
> ° Physical or Mental Health or Condition.
> ° Trade Union membership and Pension Scheme memberships.
> ° Any other data necessary for managing and paying staff.
> ° Classes of data necessary for the development, testing and demonstration
>   of the data controller's software.
>
> The Eight Principles
>
> Anyone processing personal data must comply with the eight enforceable
> principles of good practice, which state that data must be:
> ° Fairly and lawfully processed.
> ° Processed for limited purposes.
> ° Adequate, relevant and not excessive.
> ° Accurate.
> ° Not kept longer than necessary.
> ° Processed in accordance with the data subject's rights.
> ° Secure.
> ° Not transferred to countries without adequate protection.
>
> Service Standards
>
> Under our registration, all our staff, plus customers and clients, are
> Data Subjects - and all the data subjects (plus authorised officers of
> the employing client or customer) are Recipients. Our internal standards
> include the following objectives:
>
> Relevance
>
> A client database should only be used for one of the following specific
> purposes:
> ° As part of the process of creating the initial database for that client.
> ° As part of the process of transferring data from another system of the
>   client.
> ° As part of the process of designing new facilities specified by the
>   client.
> ° As part of the process of investigating problems reported by the client.
> ° As part of the process of upgrading a client between versions of our
>   systems.
> ° As part of the process of running outsourced procedures for the client.
> ° As part of the process of testing any bespoke development for the
>   client.
> ° As part of the process of repairing any errors, if so requested by the
>   client.
> ° As part of the process of training the client's staff on bespoke courses.
> ° If specifically requested by the client, as part of an off-site back-up
>   facility.
> ° Any other reason requested by the client, but only if confirmed in
>   writing.
>
> Security
>
> As well as control of use, any client data should also be physically
> secure. In particular:
> ° If not in active use, any client database media must be held in a
>   locked cabinet.
> ° The database should only be installed on PCs not connected to the
>   Internet.
> ° Databases should only be sent over public lines if they are password
>   protected.
>
> Confidentiality
>
> All data contained in a client's system is confidential to that client.
> In particular:
> ° Contents must only be discussed for one of the reasons described under
>   'Relevance'.
> ° A request for copies of data from a client must be in writing, from an
>   authorised officer.
> ° Contents must not be revealed to any other person, unless obliged to do
>   so by statute.
> ° Any breach of the above three items will be treated as gross misconduct.
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> All archives of messages are stored permanently and are
> available to the world wide web community at large at
> http://www.jiscmail.ac.uk/lists/data-protection.html
> If you wish to leave this list please send the command
> leave data-protection to [log in to unmask]
> All user commands can be found at
> http://www.jiscmail.ac.uk/help/commandref.htm
> Any queries about sending or receiving messages please send to the
> list owner
> [log in to unmask]
> Full help Desk - please email [log in to unmask] describing your
> needs
> To receive these emails in HTML format send the command:
> SET data-protection HTML to [log in to unmask]
> (all commands go to [log in to unmask] not the list please)
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^