[Gllug] OpenChange and SOGo
James Roberts
j.roberts at stabilys.com
Tue Feb 1 20:20:40 UTC 2011
On 01/02/11 19:34, Walter Stanish wrote:
> Honestly, my advice would be to get your company to fork the few bucks
> for Google hosting and let the pain of hosting your own email
> infrastructure... <etc snip>
You are quite right of course. However for many of our clients (at least
- ours do handle 'sensitive personal data') the lack of control of where
material is hosted and the resulting conflicts with the UK DPA
and transmission of potentially 'sensitive personal data' is such as to
make this impossible.
There's a simple intro to the DPA at http://www.out-law.com/page-413
but note particularly the following:
"Data controllers must put in place adequate technical and
organisational measures to safeguard personal data which they are
processing from destruction, accidental loss, unauthorised access or
disclosure. This would include, for example, using a secure server when
payments are made online.
Furthermore, all data controllers must put in place processing contracts
with their 'data processors'. A data processor is a third party
appointed by the data controller to process personal data on its behalf,
although it will still be the data controller who ultimately decides
what happens to the data. These processing contracts must be in writing
and must set out what the data processor may or may not do with the
personal data, including what security measures should be taken to
safeguard the data. Data controllers should reserve for themselves the
right to audit data processors to ensure compliance with the contract.
To give a practical example, if a website collects e-mail addresses,
this could constitute personal data – so the data controller not only
has to register with the Commissioner but ensure that security be put in
place to guard against hacking. If the website is actually hosted by a
third party on behalf of the data controller, then the data controller
will have to contractually oblige that third party to put the relevant
security in place. Of course, the data controller will also have to
comply with other principles.
Transfer of data overseas
If personal data is disclosed or made available to a person overseas,
that is considered a transfer for the purposes of the eighth data
protection principle above. In the context of the internet, if the
information is placed on a website without specific consent from the
individual, this may be in breach of the Act since the data can be
accessed in countries with less stringent data protection laws."
Of course that does not mean that limited use of Google style solutions
is impossible, even where such issues are critical...
MeJ
--
Stabilys Ltd www.stabilys.com
244 Kilburn Lane
LONDON
W10 4BA
0845 838 5370
--
Gllug mailing list - Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug