Does the US have juristriction over the whole world?

Roland Perry lists at internetpolicyagency.com
Sun Nov 27 15:45:16 GMT 2011 

In article <4ED25014.1050200 at zen.co.uk>, Peter Fairbrother 
<zenadsl6186 at zen.co.uk> writes

>>> Hmmm, "imposing suitable controls on their chain of supply" sounds 
>>>very much like "a degree of micro-management of the supplier (and 
>>>their subcontractors etc) far in excess of a normal contractual 
>>>relationship".
>>  Their suppliers are one stage removed compared to yourself. So while 
>>they should be expected to check out the people they rent rackspace 
>>from, you shouldn't need to.
>
>Perhaps you shouldn't (though I very much think you should). But a data 
>controller is *required* to do so by the DPA.

I don't think it can require a one man self employed plumber to vet 
every component in the chain of supply for his website, which collects 
personal data in the form of people leaving a message for him to come 
round and give them a quote.

Obviously, if you are running a large enterprise (such as whatever a 
hypothetical Australian version of the NHS is called) you'll be doing 
more due diligence on suppliers, but everyone can't be doing everything.

>The rackspace people are data processors, and the data controller is 
>required to "choose a data processor providing sufficient guarantees in 
>respect of the technical and organisational security measures governing 
>the processing to be carried out" and to "take reasonable steps to 
>ensure compliance with those measures".

No, the rackspace people are just providing an empty rack, power, aircon 
and physical security. (The PCs and what runs on them is provided by the 
cloud computing vendor, but physical security of the data is 
nevertheless mainly in the hands of the rackspace people, who give keys 
to the cleaners etc etc).

>That is not something he can subcontract out. It's his responsibility 
>to choose _each and every one_ of the data processors in this way. See 
>DPA Sch.1 part2 s.11.

That's something you take account of in your contract, not by grilling 
your supplier's suppliers.

http://www.out-law.com/page-10763

(Which discusses even data sent outside the EU, although I had in mind 
situations where the data controller was more risk averse than that and 
in addition made it a contractual requirement that the data stayed in 
the EU).
-- 
Roland Perry

More information about the ukcrypto mailing list