Print

Print


Thanks for all posts on this subject.

 

It would appear I was right to look at it in a bit more depth!

 

Regards,

 

Kevin


From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of Chris Brogan
Sent: 07 May 2009 16:02
To: [log in to unmask]
Subject: [data-protection] FW: Controller or Processor

 

 

 

My opinion is with Tim but you may be interested in the ICO’s opinion with regard to solicitors, accountants and private investigators.

 

The ICO is of the opinion that they are data controllers even when acting in response to the instructions given by a client.

Unless they have changed their opinion the Law Society do not agree with the ICO but advise their clients to err on the side of caution. I am unaware of the Institute of Chartered Accountant’s view. The Private investigators generally know so little about DPA it is difficult to assess what their view if any is.

 

May I develop this discussion a little further? If when you subcontract/delegate/instruct work to another party that involves processing personal data and you do not include the data protection clause is it a lawful contract. He will be processing personal data for a client and the DPA is quite clear that the legal relationship of processor and controller has to be in writing. I suggest that this adds a fifth clause to the common law definition of contract—offer, acceptance, consideration and legally binding. If I am correct and this is not a valid contract doesn’t it then open the potential for breaches of DPA as well as HRA article 8- Right to respect for privacy.

 

Seems to me that whatever the answer may be it wise to include the data protection clause in all contracts that include ethe processing of personal data.

 

Chris Brogan MA LLM

Managing Director 

Security International Ltd

130 St Johns Road, Isleworth, Middlesex TW7 6PL, UK

Tel:  +44 20 8847 2111  Fax:  +44 20 8847 1852

Registered in England & Wales No. 1322074

Registered Office:  11 Loveday Road, London W13 9JT

www.securitysi.com


From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]UK] On Behalf Of Tim Trent
Sent: 06 May 2009 17:31
To: [log in to unmask]UK
Subject: Re: Controller or Processor

 

You are and remain the sole data controller.  Al sub contractors are data processors.  It matters little whether they are sub-sub contractors, except that you will have a Data Processor Agreement with your direct subcontractors and will insist in the agreement that anyone subcontracted to by your subcontractors has a full data processor agreement with the person to whom they are contracted.

There is a paradox that the presence of a sub-sub contractor may appear to validate the sub contractor to whom they are contracted as a Data Controller.  In reality, for that sub-sub contractor, they are the data controller in a legalistic sense, bit you are the absolute overall Data Controller.

Is the mud any clearer?

You determine what is done with the data.  You give the instructions for processing, and it is your responsibility to safeguard it and destroy or retain it when the event is finished.

Kevin Tarleton wrote:

As part of the improvement courses and programmes my organisation runs, we arrange large events at hotels. We have an event-management partner who collect the personal details of our attendees in order to book the hotel accommodation.

 

I want to make sure we are doing everything we can to protect the personal information of our attendees, and at the same time I want to make sure each organisation that processes their information is aware of its own responsibilities to the attendee and ourselves.

 

My understanding is that my organisation will remain the Data Controller no matter who is processing the information for us.

 

Even so, I have several questions that have been bugging me that I was hoping list members could help me with:

 

1. Are the hotel the data processor for us or for our event-management partner?

2. Is there an argument that our event-management partner are the data controller and the hotel their data processor (as they collect information directly)? (Although we should have access to this information if we require it)

3. Do our event-management partner remain a data processor because they are collecting the information on our behalf?

 

All opinions welcome!

 




_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

Any requests under the Freedom of Information Act should be directed to [log in to unmask]

Please notify the sender immediately if this email appears to have been sent to you by mistake; 
Respect the confidentiality of any information you receive from us; 
Remember that emails sent or received by our staff may be disclosed under the Freedom of Information Act; 
Let us know straight away if you suspect this email is infected with a virus by ringing 0161 237 2560 [if outside the UK +44 161 237 2560]. 
(We take all possible steps to ensure that our systems are virus-free but no system is completely secure.) 
Please note that the contents of incoming and outgoing emails are automatically scanned for inappropriate content. 

All archives of messages are stored permanently and are available to the world wide web community at large at http://www.jiscmail.ac.uk/lists/data-protection.html

Selected commands (the command has been filled in below in the body of the email if you are receiving emails in HTML format):

All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm and are sent in the body of an otherwise blank email to [log in to unmask]

Any queries about sending or receiving messages please send to the list owner [log in to unmask]

(Please send all commands to [log in to unmask] not the list or the moderators, and all requests for technical help to [log in to unmask], the general office helpline)


No virus found in this incoming message.
Checked by AVG - www.avg.com
Version: 8.5.325 / Virus Database: 270.12.21/2102 - Release Date: 05/07/09 05:57:00


All archives of messages are stored permanently and are available to the world wide web community at large at http://www.jiscmail.ac.uk/lists/data-protection.html

Selected commands (the command has been filled in below in the body of the email if you are receiving emails in HTML format):

All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm and are sent in the body of an otherwise blank email to [log in to unmask]

Any queries about sending or receiving messages please send to the list owner [log in to unmask]

(Please send all commands to [log in to unmask] not the list or the moderators, and all requests for technical help to [log in to unmask], the general office helpline)



All archives of messages are stored permanently and are available to the world wide web community at large at http://www.jiscmail.ac.uk/lists/data-protection.html

Selected commands (the command has been filled in below in the body of the email if you are receiving emails in HTML format):

All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm and are sent in the body of an otherwise blank email to [log in to unmask]

Any queries about sending or receiving messages please send to the list owner [log in to unmask]

(Please send all commands to [log in to unmask] not the list or the moderators, and all requests for technical help to [log in to unmask], the general office helpline)