outsourcing GP appointments to India: is this legal under DPA?

Roland Perry lists at internetpolicyagency.com
Sun Jan 16 11:42:51 GMT 2011


In article <5EB321E3-D50E-47FD-8E51-2D43CA19DDBE at batten.eu.org>, Ian 
Batten <igb at batten.eu.org> writes
>> In article <AANLkTim08VD1xv9b_AF2JaHuMpsXvBMkJE7tbk6qWjm8 at mail.gmail.com>, Adrian Midgley <amidgley at gmail.com> writes
>>>
>>> Data is data, and if it is accessed in India data has reached India
>>
>> And the exact opposite theory (to the one you are critiquing) is used to prosecute people who administer offshore child porn sites from the UK.
>
>That's a really good point.  I had tried to construct some similar counter-argument to the NHS's position involving logging in to classified
>servers via a thin client to view material in breach of the Official Secrets Act, but came up against the Computer Misuse Act.  Your example
>"solves" that: the NHS argument would appear to mean that if a Bad Person offers a Citrix, RDP, VNC or similar remote login solution so that UK
>residents can log in to a server located in (for the sake of argument) international waters and then view child pornography residing on that
>server, no offence will have taken place.
>
>If the argument is made by the prosecution, as it would be, that the transient copy created in memory as part of displaying the image
>constitutes "making" an image, then a fortiori the NHS's position collapses.  If the NHS's position is sustained, then provided a consumer of
>child pornography can show the images were only transiently present on their machine, they have an arguable defence.  Child Pornography
>legislation is closer to strict liability than Data Protection, so the arguments aren't symmetrical, but I suspect no-one has thought this
>through in enough detail to know...

On the other hand, I read an article this week about BYOC (bring your own 
computer), which is a scheme to outsource the supply of thin clients to 
employees.

http://www.bbc.co.uk/news/business-12181570 [1]

And the "global law firm" (and their supplier) which was quoted must 
have done a proper audit of the security issues of data leaking off[2] 
Citrix PCs and into the local (potentially hostile and unsafe harbour) 
environment. I don't pretend to understand the details of how that 
security is implemented though. But if it's good enough for them, would 
it be good enough for the NHS?

Digressing slightly, I'm not a great fan of thin clients due to seeing 
various industry colleagues struggling to read their emails over dodgy 
connectivity in far-flung parts of the world; whereas all I need is a 
whiff of port 110 now and again.

[1] "we see the uptake of virtual desktop technology, given that the 
data never leaves your data centre..."

[2] "...you can't store it or save it remotely."
-- 
Roland Perry



More information about the ukcrypto mailing list