My opinion is with Tim but you may
be interested in the ICO’s opinion with regard to solicitors, accountants
and private investigators.
The ICO is of the opinion that they
are data controllers even when acting in response to the instructions given by
a client.
Unless they have changed their
opinion the Law Society do not agree with the ICO but advise their clients to
err on the side of caution. I am unaware of the
May I develop this discussion a
little further? If when you subcontract/delegate/instruct work to another party
that involves processing personal data and you do not include the data
protection clause is it a lawful contract. He will be processing personal data
for a client and the DPA is quite clear that the legal relationship of
processor and controller has to be in writing. I suggest that this adds a fifth
clause to the common law definition of contract—offer, acceptance,
consideration and legally binding. If I am correct and this is not a valid
contract doesn’t it then open the potential for breaches of DPA as well
as HRA article 8- Right to respect for privacy.
Seems to me that whatever the answer
may be it wise to include the data protection clause in all contracts that
include ethe processing of personal data.
Managing
Director
Security International Ltd
Tel: +44 20 8847 2111 Fax: +44 20
8847 1852
Registered in
Registered Office:
From: This list is for those interested in Data Protection issues
[mailto:
Sent: 06 May 2009 17:31
To:
Subject: Re: Controller or
Processor
You are and remain the sole data controller. Al
sub contractors are data processors. It matters little whether they are
sub-sub contractors, except that you will have a Data Processor Agreement with
your direct subcontractors and will insist in the agreement that anyone
subcontracted to by your subcontractors has a full data processor agreement
with the person to whom they are contracted.
There is a paradox that the presence of a sub-sub contractor may appear to
validate the sub contractor to whom they are contracted as a Data
Controller. In reality, for that sub-sub contractor, they are the data
controller in a legalistic sense, bit you are the absolute overall Data
Controller.
Is the mud any clearer?
You determine what is done with the data. You give the instructions for
processing, and it is your responsibility to safeguard it and destroy or retain
it when the event is finished.
Kevin Tarleton wrote:
I want to make sure we are doing everything we can to
protect the personal information of our attendees, and at the same time I want
to make sure each organisation that processes their information is aware of its
own responsibilities to the attendee and ourselves.
My understanding is that my organisation will remain
the Data Controller no matter who is processing the information for us.
Even so, I have several questions that have been
bugging me that I was hoping list members could help me with:
1. Are the hotel the data processor for us or for our
event-management partner?
2. Is there an argument that our event-management
partner are the data controller and the hotel their data processor
(as they collect information directly)? (Although we should have access to this
information if we require it)
3. Do our event-management partner remain a data
processor because they are collecting the information on our behalf?
All opinions welcome!
All archives of messages are stored permanently and are available to the world wide web community at large at http://www.jiscmail.ac.uk/lists/data-protection.html
Selected commands (the command has been filled in below in the body of the email if you are receiving emails in HTML format):
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm and are sent in the body of an otherwise blank email to [log in to unmask]
Any queries about sending or receiving messages please send to the list owner [log in to unmask]
(Please send all commands to [log in to unmask] not the list or the moderators, and all requests for technical help to [log in to unmask], the general office helpline)
No virus found in this incoming message.
Checked by AVG - www.avg.com
Version: 8.5.325 / Virus Database: 270.12.21/2102 - Release Date: 05/07/09 05:57:00
All archives of messages are stored permanently and are available to the world wide web community at large at http://www.jiscmail.ac.uk/lists/data-protection.html
Selected commands (the command has been filled in below in the body of the email if you are receiving emails in HTML format):
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm and are sent in the body of an otherwise blank email to [log in to unmask]
Any queries about sending or receiving messages please send to the list owner [log in to unmask]
(Please send all commands to [log in to unmask] not the list or the moderators, and all requests for technical help to [log in to unmask], the general office helpline)