Gail
Some thoughts
If you permit your staff to officially use your computing equipment for
their benefit then on the face of it you appear to be a processor and the
staff member the data controller. However, I can't see that this relationship
argument can be sustained.
The staff member as data controller has a number of problems to overcome.
One being their obligation to create and get the institution (as a
processor) to sign up to a written security contract. Can't see how the
employee can direct and monitor their employer in this situation.
It appears therefore that by default the employer institution would have to
accept data controller responsibilities to make the relationship work. The
legal complication here is usually one reason why employers prevent such
informal uses of their computing facilities.
Hope this helps
David Wyatt
----- Original Message -----
From: <[log in to unmask]>
To: <[log in to unmask]>
Sent: 26 November 1999 14:21
Subject: References provided for business contacts
> What do you think is the position where a member of staff is processing
> personal data in connection with providing references for business contacts
> who are not our employees but employees of other institutions (including ones
> overseas) with which the person was previously associated? The purpose is
> not personnel administration for this institution but is personal to the
> staff member. Are we a computer bureau for the staff member in question
> under the current Act & concerned therefore only with the security of the
> data (we are registered both as user & bureau).
> If this is so, presumably we would be a processor under the new Act for the
> staff member, who as controller would have to notify? This seems bizarre!
> Gail Waters
> DP Coordinator
> Open University
>
>