On 21 January 2011 08:12, Mary Hawking <span dir="ltr"><<a href="mailto:maryhawking@tigers.demon.co.uk">maryhawking@tigers.demon.co.uk</a>></span> wrote:<br><div class="gmail_quote"><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<br>GPs are always being reminded of the importance of confidentiality and<br>
observing the Data Protection Act - which forbids the export of personally<br>
identifiable data to countries outside the EU with data protection laws<br>
which do not match EU standards.<br>
Both India and the USA fall into this category.<br></blockquote><div><br>Not quite - if there isn't an equivalent (& approved) legal standard, you can still export provided you ensure adequate protection:<br><br>
(from the ico site)<br><br><blockquote style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;" class="gmail_quote"><p>Yes, if you are satisfied that in the particular circumstances there is an adequate level of protection. You can: </p>
<ul><li>assess adequacy yourself; </li><li>use contracts, including the European Commission approved model contractual clauses; </li><li>get your Binding Corporate Rules approved by the Information Commissioner; or </li>
<li>rely on the exceptions from the rule. </li></ul></blockquote><br> </div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Assuming I am right in this, where will legal liability for the possible<br>
breach of confidentiality and the breach of Data Protection regulations lie?<br></blockquote><div><br>With the Data Controller - which I assume is usually the GP partnership.<br> <br></div></div>M.<br clear="all"><br>-- <br>
Matthew Pemble<br><br><br>