Dizzy has posted this about the 'privacy policy' of the Teaching and Development Agency For Schools.
As an addendum to his comments, it is worth having a look at Section 16 of the Data Protection Act. Presumably, under the terms of the Act, the TDA is compelled to notify the Information Commissioner's Office that it is a 'data controller'. As such, it also has to provide the ICO - and, by extension, its data subjects via the expedient of its privacy policy - with a number of 'registrable particulars', which include (at sub-paragraph (1) (f)): "the names, or a description of, any countries or territories outside the European Economic Area to which the data controller directly or indirectly transfers, or intends or may wish directly or indirectly to transfer, the data,". The logic behind this, correctly identified by the text of the privacy policy statement, is that "The data protection and other laws of these countries may not be as comprehensive as those in the UK or the EU..." (In fact, this is one of the primary sources of friction between the US and the EU over PNR (Passenger Name Data) in recent months/years.*) Clearly, the privacy policy does not contain the relevant information required by Section 16 (1) (f). On the face of it, therefore, the TDA is in breach of the DPA.
In the circumstances, I can't help wondering how many other Government Departments, Agencies, &c have an equivalent 'error of omission' in their privacy policy statements, especially because of the burgeoning use of out-sourcing for processing of data.
* I've been meaning to do a post about this for some time - I promise I'll get round to it soon.