AustLII Home | Databases | WorldLII | Search | Feedback

Privacy Law and Policy Reporter

Privacy Law and Policy Reporter (PLPR)
You are here:  AustLII >> Databases >> Privacy Law and Policy Reporter >> 1994 >> [1994] PrivLawPRpr 37

Database Search | Name Search | Recent Articles | Noteup | LawCite | Help

Greenleaf, Graham --- "Data Protection Registrar v Griffin" [1994] PrivLawPRpr 37; (1994) 1(3) Privacy Law & Policy Reporter 53


Unreported, Rose LJ and Waller J, High Court (Queens Bench Division (Crown Office List)), England,

The Times, 5 March 1993; Lexis Data Protection Act 1984 (UK), s1(5) - meaning of ''data user' - meaning of ''control' of personal data

''Data users' are required to be registered in respect of personal data that they hold, by s5 of the Data Protection Act. s1(5) defines ''data user' as including a person who holds data if (inter alia) ''that person (either alone or jointly or in common with other persons) controls the contents and use of the data comprised in the collection'. The respondent, an accountant, was not registered. He prepared spreadsheets from accounting records provided by his clients, and used them to prepare accounts for submission to taxation and other authorities on their behalf. The appeal against the magistrates' decision that the respondent did not ''control' the data was by way of a case stated by the Data Protection Registrar.


The respondent did control ''the contents and use of the data comprised in the collection' because, although he necessarily acted on his clients instructions in preparing their accounts, he was the only person who controlled all of the information he held on computer for multiple clients, and also because he decided in what way the data would be manipulated. On the second question stated, the fact that he was restricted, by contract or otherwise, to using the data solely for purposes dictated by the clients, meant that the respondent exercised joint control with the client. Although the Registrar's appeal succeeded, he did not seek for the matter to be remitted to the magistrates for a conviction for non-registration to be recorded.


Australia's Privacy Act 1988 (Cth), s10 provides that ''an agency that is in possession or control of a record' is the record-keeper, with resulting obligations under the IPPs. s12 provides that ''where an agency has possession but not control of a record' then, in effect, it is not subject to the IPPs merely because of that non-controlling possession. If the same approach was taken here as in Data Protection Registrar v Griffin, agencies that process records on behalf of various other agencies could find that they are regarded as ''controlling' those records, and therefore subject to all the IPP obligations of a record-keeper.

This case also illustrates the pointless diversion of resources involved in the enforcement of the registration requirements of the UK Act: accountants are prosecuted for mere non-registration, where no abuse of client records is involved.

Graham Greenleaf

AustLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback