
A Quick Question Regarding Data Protection Obligations

  • 16-05-2011 9:40pm, #1


    Quite a few businesses keep records of clients/leads/etc using everything from paper record filing to complex or custom CRM software tools. Within these records you would typically find information on named people, with contact information to various degrees, other relevant information, etc. Now in the majority of cases (one would hope) the purpose of storing/processing this data is clear, ethical, fair and for a specific authorized purpose.

    What I want to know is, if someone creates software that enables business users to store data regarding their customers (again, people), who is the data controller? The software user or the software vendor?

    What if the software stores this data in the "cloud"? Aside from the technical protection of this data, what obligations would a software vendor have in terms of compliance with regulation? If the onus is on the user, what would the software need to be able to do in order to ensure compliance is possible on their part?

    For example, I am aware of PCI Compliance for a vendor that "stores, processes or transmits cardholder data" in the context of e-commerce. However, most businesses don't need to keep a record of that sort of thing, but perhaps other information, or what could be deemed sensitive information, about people/clients/etc.

    Any advice you can offer from your own experiences would be great. Naturally I'll be going through the legal docs myself in the meantime. Many thanks.


Comments

  • bobbytables


    Typical, I post a question and immediately find an answer.

    Right, in the above case, from my interpretation (please correct me if I'm wrong), the software vendor is a data processor and the users are data controllers. There are fewer obligations on the processor than on the controller. However, if the controller must register their business with the Data Commissioner, then the processor of that data must also.

    ...from dataprotection.ie:
    if you hold or process personal data, but do not exercise responsibility for or control over the personal data, then you are a 'data processor'. Examples of data processors include payroll companies, accountants and market research companies, all of which could hold or process personal information on behalf of someone else.
    Unlike data controllers, data processors have a very limited set of responsibilities under the Data Protection Act. These responsibilities concern the necessity to keep personal data secure from unauthorised access, disclosure, destruction or accidental loss. In addition all data processors, whose business consists wholly or partly in processing personal data on behalf of data controllers who are required to register, are also required to register with the Data Protection Commissioner as a data processor.
    Anyone have anything else to add? I'd welcome any comments.

