Does the US have jurisdiction over the whole world?
Peter Fairbrother
zenadsl6186 at zen.co.uk
Sun Nov 27 00:09:59 GMT 2011
Ben Liddicott wrote:
> The first principle is it must be "processed fairly and lawfully" and
> "shall not be processed unless(...)".
> But if it is under an exemption, schedule 1 does not apply,
Schedule 1, or part of it, still applies under most exemptions. For
instance, under the Crime and Taxation exemptions, the only part of
Schedule 1 which is exempted is the first principle, and even that is
only partly voided.
However the exemptions are all different. It's verra complicated, Captain.
> and it is
> lawful to process it in any manner whether fair or not and whether the
> conditions are met or not.
No - for instance, under the Crime and Taxation exemption data must
still be processed in accordance with Schedules 2 and 3. And again, it's
different for the different exemptions. None of them are blanket
exemptions however.
>
> The seventh principle requires the data controller to protect the data
> against:
> "unauthorised or unlawful processing of personal data and against
> accidental loss or destruction of, or damage to, personal data"
>
> That does not include "lawful" processing allowed by the exemptions
> listed, if "authorised" by the data controller. So he has to protect
> against MI9 black-cyber-ops hackers,
and that was my point. If the data is in a cloud he can't do that, so he
can't keep personal data in a cloud. QED.
As a sidenote, the DPA does not distinguish between encrypted data and
unencrypted data. Perhaps encrypting data has no legal effect here - cf
the rather unique stance taken about encrypted data in part 2 of RIPA,
where the encrypted data apparently is the data, and if the police etc
have it then demanding a key isn't self-incrimination, as they already
have the evidence/data.
> but if MI9 ask nicely there is nothing stopping him giving it to them.
Actually, there is.
Here I am talking about the national security exemption in S.28, and not
any of the other exemptions - so for instance if MI5 asked for data in a
criminal investigation, as opposed to a national security investigation
(MI5 do both types of investigation), the S.28 exemption would not apply
(though a different exemption, under s.29, which has different
conditions and different exemptions, would).
The exemption in s.28 is only valid if the processing is "required for
the purpose of safeguarding national security". If it isn't, the data
controller would be committing an offence.
Now the minimum standard of how the data controller is supposed to know
whether the processing is required for the purpose of safeguarding
national security isn't addressed in the Act, though a maximum, in the
form of a certificate signed by a minister, is.
Presumably if the controller reasonably believes the processing is
required for the purpose of safeguarding national security then he can
take a chance and give out the data - but he might get in trouble for it
if he hasn't seen a certificate.
>
> The data protection act does not provide any obligation on the data
> controller to resist any overreaching on the part of the state.
I rather think it does, as above: a data controller can't give out data
if eg the state are overreaching and falsely claiming a national
security exemption.
-- Peter Fairbrother