My opinion is with Tim but you may be interested in the ICO’s opinion with regard to solicitors, accountants and private investigators.

 

The ICO is of the opinion that they are data controllers even when acting in response to the instructions given by a client.

Unless they have changed their opinion the Law Society do not agree with the ICO but advise their clients to err on the side of caution. I am unaware of the Institute of Chartered Accountant’s view. The Private investigators generally know so little about DPA it is difficult to assess what their view if any is.

 

May I develop this discussion a little further? If when you subcontract/delegate/instruct work to another party that involves processing personal data and you do not include the data protection clause is it a lawful contract. He will be processing personal data for a client and the DPA is quite clear that the legal relationship of processor and controller has to be in writing. I suggest that this adds a fifth clause to the common law definition of contract—offer, acceptance, consideration and legally binding. If I am correct and this is not a valid contract doesn’t it then open the potential for breaches of DPA as well as HRA article 8- Right to respect for privacy.

 

Seems to me that whatever the answer may be it wise to include the data protection clause in all contracts that include ethe processing of personal data.

 

 

You are and remain the sole data controller.  Al sub contractors are data processors.  It matters little whether they are sub-sub contractors, except that you will have a Data Processor Agreement with your direct subcontractors and will insist in the agreement that anyone subcontracted to by your subcontractors has a full data processor agreement with the person to whom they are contracted.

There is a paradox that the presence of a sub-sub contractor may appear to validate the sub contractor to whom they are contracted as a Data Controller.  In reality, for that sub-sub contractor, they are the data controller in a legalistic sense, bit you are the absolute overall Data Controller.

Is the mud any clearer?

You determine what is done with the data.  You give the instructions for processing, and it is your responsibility to safeguard it and destroy or retain it when the event is finished.

Kevin Tarleton wrote:

As part of the improvement courses and programmes my organisation runs, we arrange large events at hotels. We have an event-management partner who collect the personal details of our attendees in order to book the hotel accommodation.

 

I want to make sure we are doing everything we can to protect the personal information of our attendees, and at the same time I want to make sure each organisation that processes their information is aware of its own responsibilities to the attendee and ourselves.

 

My understanding is that my organisation will remain the Data Controller no matter who is processing the information for us.

 

Even so, I have several questions that have been bugging me that I was hoping list members could help me with:

 

1. Are the hotel the data processor for us or for our event-management partner?

2. Is there an argument that our event-management partner are the data controller and the hotel their data processor (as they collect information directly)? (Although we should have access to this information if we require it)

3. Do our event-management partner remain a data processor because they are collecting the information on our behalf?

 

All opinions welcome!