** Reply to note from ANNE LINCOLN <[log in to unmask]> Fri, 26 Nov 1999 09:50:37 -0000


> Are you suggesting that each of our suppliers must be DPA registered for our 
> data?  (I'm thinking here primarily of suppliers of software systems for 
> student records, finance, personnel, library, etc.)  More and more systems 
> seem to be supported by remote access (dial-up or otherwise) so this is a 
> very important issue.  On the face of it, it seems most unlikely that they 
> would all be so registered and the implications alarm me somewhat.  Is the 
> responsibility to ensure that they are registered ours or theirs (or both)? 
> Or have I got hold of the wrong end of the stick?

I'll better be careful on what I know and what I think I know/wish.  I do not
know from the "horse's mouth" if they have to be DP registered, but ... here
is what I think/wish.  (See last sentence if you wish to avoid the waffle ;-)

On all our internal registration forms, box (D206 B.Disclosure)  is ticked
by default.
Box 206 corresponds to "Individuals or Organisations directly associated with
the Data User" and it stands for "suppliers, providers of goods and
services", ie. we state we will disclose data to them.

Effectively, it means that everything we store on a computer we may disclose
to a provider of services/goods relating to the operation of the computer.
Whether the engineer connects via a modem to a main-frame or mini system or
whether we send a computer away to be repaired (I have done with brand name
PCs), and worse, imagine if we send it away to be repaired by this infamous
chain of stores, we will automatically disclose the contents of the PC.

I would LIKE the provider of goods/services (if an EU company) to be
registered and comply with data protection regulations.  If we allow access
to sensitive data which are subsequently abused by a provider, in my view, we
do not have much ground to defend ourselves.  We can counter sue the provider
but what good will it do?

I can see many parallels with the recent case Computer Chain store + state vs 
ex pop star.  The guy was breaking the law etc, but did they have the right
to VIEW the contents of his hard disk?  Computer diagnostics do not require
"viewing" the contents of a hard disk unless the contents relate to Operating
System matters or a particular sogftware. The cache of a browser or data
have nothing to do with the Operating System. (In reality of
course the ex pop star's breaking of the law was obviously more serious than
the breaking of the law by the chain).  If he had nude photos of himself
(proivate + sensitive + stupid really) should they have send them to a
newspaper?

If I send my PC for repair, which because of the nature of my work has a lot
of data which can be interesting to marketeers, can I trust the provider not
to abuse my data.   By sending it to a "bad" provider am I taking enough
care to safeguard the data?  (PC is broken, so I can no longer encrypt
them, protect them or remove them.  And many of these options are not
psossible for a machine that is used as a server).

Does the repairer have to be DP registered?  Unless it is a corner shop, 
I would say Yes.  
Should we make sure they are registered?  Put it as part of the contract next
time you negotiate one, either DP registration or some kind of non-disclosure
clause so you can sue them.
Can I do it for our instituion.  NO.  I am already going backwards hitting 
constantly 12 and 14 hours shifts.
-----------
Finally, is it not the case that we can disclose data to EU companies etc.
because they "have to" obey DP Legislation (ok. we must be registered for
the disclosure etc)? I cannot remember off the top of my head who does not
have to be DP registered (some small outfits, some small charitable
organisations/association  with staff/membership less than x, things which
effectively came down to the level of the local village association).

Regards
Charles



==============================================
Charles Christacopoulos, Secretary's Office, University of Dundee, 
Dundee DD1 4HN, (Scotland) United Kingdom.
Tel: +44+(0)1382-344891. Fax: +44+(0)1382-201604.
WebDad of http://somis.ais.dundee.ac.uk/
Home of the Scottish Search Maestro http://somis2.ais.dundee.ac.uk/
Happily using OS2 Warp.
==============================================


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%