Downstream control and contracts

Posted on 18 December 2010

Jeff Drummond over at the HIPAA Blog has an unfolding story about a woman who received delivery of a product she ordered, only to discover that it was packed with shredded paper that had not been shredded well enough. On examination there was clearly visible medical information printed on the paper, with full contact details of the physician's office it came from, including details of the patient's ailment, treatment and so on. While the finger will of course point to the shredding company for not doing a good enough job, ultimately it is the physician's office that is responsible for the breach (at least under EU legislation). The Data Protection Commissioners frequently say that organisations "can outsource data processing, but cannot outsource their responsibilities", and here is a clear case illustrating the concept. There has been much press over the last 18 months about contracts for processing outside the EU, but in the midst of this the contract between Data Controller and Data Processor is frequently forgotten. It is critical that if any part of data processing is outsourced (yes, including processing manual data such as shredded paper!), there is a contract in place between the Data Controller and the Data Processor, and that where possible the Data Controller shows some level of control over, or at least awareness of, the Data Processor's own data handling and processing procedures and capabilities.
