Does the US have jurisdiction over the whole world?
Roland Perry
lists at internetpolicyagency.com
Sun Nov 27 15:45:16 GMT 2011
In article <4ED25014.1050200 at zen.co.uk>, Peter Fairbrother
<zenadsl6186 at zen.co.uk> writes
>>> Hmmm, "imposing suitable controls on their chain of supply" sounds
>>>very much like "a degree of micro-management of the supplier (and
>>>their subcontractors etc) far in excess of a normal contractual
>>>relationship".
>> Their suppliers are one stage removed compared to yourself. So while
>>they should be expected to check out the people they rent rackspace
>>from, you shouldn't need to.
>
>Perhaps you shouldn't (though I very much think you should). But a data
>controller is *required* to do so by the DPA.
I don't think it can require a one-man self-employed plumber to vet
every component in the chain of supply for his website, which collects
personal data in the form of people leaving a message for him to come
round and give them a quote.
Obviously, if you are running a large enterprise (such as whatever a
hypothetical Australian version of the NHS is called) you'll be doing
more due diligence on suppliers, but everyone can't be doing everything.
>The rackspace people are data processors, and the data controller is
>required to "choose a data processor providing sufficient guarantees in
>respect of the technical and organisational security measures governing
>the processing to be carried out" and to "take reasonable steps to
>ensure compliance with those measures".
No, the rackspace people are just providing an empty rack, power, aircon
and physical security. (The PCs and what runs on them is provided by the
cloud computing vendor, but physical security of the data is
nevertheless mainly in the hands of the rackspace people, who give keys
to the cleaners etc etc).
>That is not something he can subcontract out. It's his responsibility
>to choose _each and every one_ of the data processors in this way. See
>DPA Sch.1 part2 s.11.
That's something you take account of in your contract, not by grilling
your supplier's suppliers.
http://www.out-law.com/page-10763
(Which discusses even data sent outside the EU, although I had in mind
situations where the data controller was more risk averse than that and
in addition made it a contractual requirement that the data stayed in
the EU).
--
Roland Perry