ICO respond to questions about Phorm's registration
Alexander Hanff
ukcrypto at chiark.greenend.org.uk
Thu, 9 Apr 2009 17:27:10 +0100
--0016e6d59e1f4d20ba046721b8be
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
First see here:
http://www.whatdotheyknow.com/request/121mediaphorm_registration_as
It would seem that Phorm were not registered with the ICO as Data
Controllers until January 2008 which means they were not registered for the
trials in 2006/2007. ICO claim that BT were the Data Controllers and Phorm
were exempt under the rules for Data Processors but many of the people
campaigning against Phorm's technology feel this is not correct.
Personally, I think that because it was Phorm's product being tested not
BT's and that technology was owned, built, configured, maintained and run by
Phorm as well as the aggregated data being processed by Phorm then it should
be Phorm who are classified as the Data Controller as to my knowledge BT had
no "control" over the data Phorm aggregated.
It is interesting comparing this case with the case of Consulting
Association who were raided by ICO and are being prosecuted simply for
processing personal data (supplied to them by companies with data
controllers) without the consent or knowledge of the data subjects.
The difficulty is how do you argue this with the ICO. I don't recall there
being any clear cut definitions in the DPA which set the ground rules for
classifying who is a processor and who is a controller but I will have a
looksie this weekend when I get a few minutes spare. My concern is that the
legislation is sufficiently vague/broadly worded for the ICO to get away
with this.
I was hoping some of you might have some thoughts and suggestions on this
one?
Regards,
Alexander Hanff
--0016e6d59e1f4d20ba046721b8be
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
<span class=3D"gI">First see here: <a href=3D"http://www.whatdotheyknow.com=
/request/121mediaphorm_registration_as">http://www.whatdotheyknow.com/reque=
st/121mediaphorm_registration_as</a><br><br>It would seem that Phorm were n=
ot registered with the ICO as Data Controllers until January 2008 which mea=
ns they were not registered for the trials in 2006/2007.=A0 ICO claim that =
BT were the Data Controllers and Phorm were exempt under the rules for Data=
Processors but many of the people campaigning against Phorm's technolo=
gy feel this is not correct.=A0 Personally, I think that because it was Pho=
rm's product being tested not BT's and that technology was owned, b=
uilt, configured, maintained and run by Phorm as well as the aggregated dat=
a being processed by Phorm then it should be Phorm who are classified as th=
e Data Controller as to my knowledge BT had no "control" over the=
data Phorm aggregated.<br>
<br>It is interesting comparing this case with the case of </span>Consultin=
g Association who were raided by ICO and are being prosecuted simply for pr=
ocessing personal data (supplied to them by companies with data controllers=
) without the consent or knowledge of the data subjects.<br>
<br>The difficulty is how do you argue this with the ICO.=A0 I don't re=
call there being any clear cut definitions in the DPA which set the ground =
rules for classifying who is a processor and who is a controller but I will=
have a looksie this weekend when I get a few minutes spare.=A0 My concern =
is that the legislation is sufficiently vague/broadly worded for the ICO to=
get away with this.<br>
<br>I was hoping some of you might have some thoughts and suggestions on th=
is one?<br><br>Regards,<br><br>Alexander Hanff<br>
--0016e6d59e1f4d20ba046721b8be--