I have given a number of presentations to Debt Collection organizations over the years and what was quite apparent was there lack of knowledge, with some exceptions, of the privacy laws in general and DPA specifically.

My first comment is to ensure to your satisfaction that they have an acceptable knowledge level of DPA and not just a passing acquaintance ship with it.

My second comment is with regard to whether the debt collection company, if they buy the debt become Data Controller. It is a question that I have raised with their association on a number of occasions and never in my view come to any conclusion or been convinced that it is an issue that they have addressed. I have no problem in accepting that the debt can be sold on. It is an asset after all. I have difficulty accepting that a company can sell on their responsibility re DPA. I would suggest and welcome any comments that the buyer and seller become; joint data controller or data controller in common. If I am correct then the first data controller at the very least owes a duty of care to the data subject that their personal data will not be transferred to an organization that; has not notified the IC that they are processing personal data; have not sufficient knowledge of the DPA to protect the rights and interests of the Data Subject.

It follows that DPA should figure prominently in the due diligence process regardless of whether the debt is collected for commission or sold.

Paul I would be interested in seeing a copy of "very brief checklist for assessing the compliance of Data Processor".
Regards     

Chris Brogan MA LLM FSyI
Managing Director 
Security International Ltd
130 St Johns Road, Isleworth, Middlesex TW7 6PL, UK
Tel:  +44 20 8847 2111  Fax:  +44 20 8847 1852
Registered in England & Wales No. 1322074
Registered Office:  11 Loveday Road, London W13 9JT
www.securitysi.com 
Please visit my blog 
https://chrisbroganassociates.wordpress.com/
-----Original Message-----
From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of Paul Ticher
Sent: 18 March 2011 10:00
To: [log in to unmask]
Subject: Re: Debt Collection Agencies

This will depend on the contractual arrangement.  Are you proposing to 
engage them to collect your debts, and pay them a fee, or to sell the debt 
to them?

If the former, they are likely to be a Data Processor.  I can send you my 
very brief checklist for assessing the compliance of Data Processor 
contracts, if that would help.  The key thing is to ensure that the data is 
kept secure and used for nothing other than your purposes.

If the latter, you would probably need to inform the data subjects that this 
data transfer was taking place, and for what purpose.  After that, it would 
be up to the debt collection agency, I think, as they would be the Data 
Controller.


Paul Ticher
0116 273 8191
22 Stoughton Drive North, Leicester LE5 5UB


----- Original Message ----- 
From: "Terry Hutchinson" <[log in to unmask]>
To: <[log in to unmask]>
Sent: Thursday, March 17, 2011 1:31 PM
Subject: Debt Collection Agencies


Hi



I have been asked to look at the 'pitfalls' of using a debt collection
agency to assist with pursuing unpaid fees/invoices etc. with regard to
data protection.



I have had a look on the ICO website and identified some issues that
would need to be considered but I was wondering if anyone has any quick
views or a concise guide (or could point me in the direction) that would
assist in clarifying what we can do and what security
measures/agreements/contracts we should have in place?



Any comments/views/assistance would be gratefully received!



Thanks & Regards



Terry







Terry Hutchinson

Head of Registry

Registry S.4.900



Doncaster College

The Hub

Chappell Drive

Doncaster

DN1 2RF



Tel: 01302 553967

Fax: 01302 553520



Information & Guidance: 0800 358 7575

Website: www.don.ac.uk <http://www.don.ac.uk>











Breach of confidentiality & accidental breach of confidentiality

All emails and any files transmitted with them are confidential and
intended solely for the use of the individual or entity to whom they are
addressed. If you have received an email in error please notify your
system manager. The message in the email you have received contains
confidential information and is intended only for the individual named.
If you are not the the named addressee you should not disseminate,
distribute or copy the email. Please notify the sender immediately by
email if you have received an email by mistake and delete the email from
your system. If you are not the intended recipient you are notified that
disclosing, copying, distributing or taking any action in reliance on
the contents of the information is strictly prohibited.



Transmission of viruses

Warning: Computer viruses can be transmitted by email. The recipient
should check all email and any attachments for the presence of viruses.
The sender accepts no liability for damage caused by any virus
transmitted by this email. Email transmission cannot be guaranteed to be
secure or error-free as information can be intercepted, corrupted, lost,
destroyed, arrive late or incomplete, or contain viruses. The sender
therefore does not accept liability for any errors or omissions in the
contents of the message, which arise as a result of email transmission.




^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
     All archives of messages are stored permanently and are
      available to the world wide web community at large at
      http://www.jiscmail.ac.uk/lists/data-protection.html
     If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
All user commands can be found at 
http://www.jiscmail.ac.uk/help/commandref.htm
 Any queries about sending or receiving messages please send to the list 
owner
              [log in to unmask]
  Full help Desk - please email [log in to unmask] describing your 
needs
        To receive these emails in HTML format send the command:
         SET data-protection HTML to [log in to unmask]
   (all commands go to [log in to unmask] not the list please)
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
     All archives of messages are stored permanently and are
      available to the world wide web community at large at
      http://www.jiscmail.ac.uk/lists/data-protection.html
     If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
 Any queries about sending or receiving messages please send to the list owner
              [log in to unmask]
  Full help Desk - please email [log in to unmask] describing your needs
        To receive these emails in HTML format send the command:
         SET data-protection HTML to [log in to unmask]
   (all commands go to [log in to unmask] not the list please)
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
     All archives of messages are stored permanently and are
      available to the world wide web community at large at
      http://www.jiscmail.ac.uk/lists/data-protection.html
     If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
 Any queries about sending or receiving messages please send to the list owner
              [log in to unmask]
  Full help Desk - please email [log in to unmask] describing your needs
        To receive these emails in HTML format send the command:
         SET data-protection HTML to [log in to unmask]
   (all commands go to [log in to unmask] not the list please)
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^