
Apple Charging Policy


Comments

  • securityguy
    securityguy Posts: 2,464 Forumite
    Part of the Furniture 1,000 Posts Combo Breaker
    I'm pretty sure the data would be subject to the provisions of the Data Protection Act.

    Was the OP registered as a data processor under the Act? If not, the rest of the discussion is moot.

    If they were, then it's their responsibility to handle data appropriately, which means getting appropriate contractual agreements with third parties. A maintenance company has no (zero, nada) responsibility for the data on the disks. Yes, I've been the responsible person for a large data controller, since you ask.
  • securityguy
    securityguy Posts: 2,464 Forumite
    Part of the Furniture 1,000 Posts Combo Breaker
    Copey1977 wrote: »
    Thanks for all the insight - it's been extremely interesting

    there's a lot of talk of warranty - to be clear the iMac was purchased in 2011 so there is no warranty or Apple Care.

    Unless you're party to the terms of the OEM agreement between Apple and Seagate, you don't know what their relationship is.

    If you don't like Apple's policy on repairing your machine, pay someone else to do it.
  • securityguy
    securityguy Posts: 2,464 Forumite
    Part of the Furniture 1,000 Posts Combo Breaker
    Mr_Toad wrote: »
    Companies have no obligation under the Data Protection Act to recover data from a failed device.

    The act makes provision that data should not be released or it should be securely wiped from faulty hardware, if this is not possible then the device should be destroyed, or, degaussed to destroy the data so that the hardware can be sold/tested/reused.

    Failure can result in fines under, I believe, Section 13.

    Was the OP registered under the DPA? I suspect he wasn't. Therefore the rest of the discussion is irrelevant. If he was, then it's his responsibility to discharge his obligations under the Act, not random third parties'.
  • thescouselander
    thescouselander Posts: 5,547 Forumite
    Part of the Furniture 1,000 Posts Name Dropper Combo Breaker
    edited 9 January 2015 at 8:32PM
    So, to work with some facts, Apple's Ts&Cs can be found here:

    http://images.apple.com/legal/sales-support/terms/repair/docs/Retail_Repair_UK_Terms_Conditions.pdf

    In particular the relevant clause is paragraph 4:

    4. Apple may use parts or products that are new or equivalent to new in reliability and performance. Apple will retain the replaced part or product that is exchanged as its property, and the replacement part will become your property. Apple may repair, exchange or sell the replaced part if it chooses to do so.

    So it is clear that when a piece of hardware is replaced it is done on an exchange basis.


    That said I still stand by my previous comments that in taking possession of the drive Apple have also taken possession (or collected) the data on these which still belongs to the OP and as Mr Toad said:

    "The act makes provision that data should not be released or it should be securely wiped from faulty hardware, if this is not possible then the device should be destroyed, or, degaussed to destroy the data so that the hardware can be sold/tested/reused. "

    To answer Security guy's comment, the OP doesn't need to be registered as a data processor because they are the requestor - it is Apple who are the data processor. In "collecting" the data on the disk Apple have now become responsible for it within the bounds of the DPA.

    The OP could always claim they didn't give permission for their data to be removed and that they want it back (even if it is on a faulty drive). Admittedly it's a long shot and an abuse of the legislation but it might work because Apple's Ts&Cs only refer to the hardware becoming Apple's property and not the data.

    Alternatively it might be that the OP will have to hand over the money.
  • bod1467
    bod1467 Posts: 15,214 Forumite
    Alternatively it might be that the OP will have to hand over the money.

    Fixed that for you. ;)
  • securityguy
    securityguy Posts: 2,464 Forumite
    Part of the Furniture 1,000 Posts Combo Breaker
    To answer Security guy's comment, the OP doesn't need to be registered as a data processor because they are the requestor - it is Apple who are the data processor. In "collecting" the data on the disk Apple have now become responsible for it within the bounds of the DPA.

    Don't be silly.

    Firstly, data only falls under the DPA if it is either "Personal" or "Sensitive Personal" data. If the OP is processing either of those categories, and is not subject to the general exemption in S.36 (Domestic Purposes), they should be registered. Whether they are invoking the S.36 exemption or not, they are the data controller.

    Secondly, you have no right to make a DPA subject access request against a data processor. Subject access requests are made to the data controller. S.7(1)(c). If the OP believes the disk contains data to which he is entitled to copies under S.7, he should ask the data controller. That will be, er, him.

    Thirdly, if a data controller does involve a data processor in the handling of data, the responsibility for compliance with the act remains with the data controller. Schedule 1, Part 2, clause 11
    Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller must in order to comply with the seventh principle—

    (a) choose a data processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out, and

    (b) take reasonable steps to ensure compliance with those measures.

    and, crucially, clause 12
    Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller is not to be regarded as complying with the seventh principle unless—

    (a) the processing is carried out under a contract—

    (i) which is made or evidenced in writing, and

    (ii) under which the data processor is to act only on instructions from the data controller, and

    (b) the contract requires the data processor to comply with obligations equivalent to those imposed on a data controller by the seventh principle.

    So the OP is perfectly welcome to claim that the data on the disk is subject to the DPA, and to claim that Apple are a data processor. But then they are simply admitting to breaching the act, because they would have released the data to Apple without securing a contract which requires them to comply with the obligations, and without being sure of the technical and organisational security measures.
  • thescouselander
    thescouselander Posts: 5,547 Forumite
    Part of the Furniture 1,000 Posts Name Dropper Combo Breaker
    edited 9 January 2015 at 9:32PM
    Don't be silly.

    Firstly, data only falls under the DPA if it is either "Personal" or "Sensitive Personal" data. If the OP is processing either of those categories, and is not subject to the general exemption in S.36 (Domestic Purposes), they should be registered. Whether they are invoking the S.36 exemption or not, they are the data controller.

    Secondly, you have no right to make a DPA subject access request against a data processor. Subject access requests are made to the data controller. S.7(1)(c). If the OP believes the disk contains data to which he is entitled to copies under S.7, he should ask the data controller. That will be, er, him.

    Thirdly, if a data controller does involve a data processor in the handling of data, the responsibility for compliance with the act remains with the data controller. Schedule 1, Part 2, clause 11



    and, crucially, clause 12



    So the OP is perfectly welcome to claim that the data on the disk is subject to the DPA, and to claim that Apple are a data processor. But then they are simply admitting to breaching the act, because they would have released the data to Apple without securing a contract which requires them to comply with the obligations, and without being sure of the technical and organisational security measures.

    How did you work that out? The data in question is clearly the OP's personal data and that of their family and they would collectively make a request as individual members of the public. As you point out the data was domestic while it was in the OP's hands.

    The data only became subject to the DPA when Apple collected and stored it on their IT equipment through acquisition of the drive and the data controller is therefore Apple.
  • securityguy
    securityguy Posts: 2,464 Forumite
    Part of the Furniture 1,000 Posts Combo Breaker
    The data only became subject to the DPA when Apple collected and stored it on their IT equipment through acquisition of the drive and the data controller is therefore Apple.

    Could you make your mind up? Last posting you were claiming they were a data processor.

    Your definition means that every computer maintenance company becomes the data controller of every disk they handle. Why don't you write to the ICO and test your theory out? They could use a laugh.
  • thescouselander
    thescouselander Posts: 5,547 Forumite
    Part of the Furniture 1,000 Posts Name Dropper Combo Breaker
    edited 10 January 2015 at 12:14PM
    Could you make your mind up? Last posting you were claiming they were a data processor.

    Your definition means that every computer maintenance company becomes the data controller of every disk they handle. Why don't you write to the ICO and test your theory out? They could use a laugh.

    Not necessarily. The point here is that Apple have taken ownership of the drive and the data on there which is different to a company having access on a temporary basis for maintenance purposes.


    Incidentally, last time I had my MacBook in for a warranty repair at Apple I had to sign a large agreement on just this issue. As far as I can recall it only covered temporary access to the information as they needed to log into the machine to do the repair.

    Companies keeping hold of storage devices containing personal information probably should think about the legal ramifications. Some years ago I was involved in a project that ran into this issue (for different reasons) and we were advised to make sure the data was destroyed ASAP.

    The other issue outside of the DPA is that Apple have now probably taken ownership of copyrighted material (downloaded audio tracks, software etc) when transfer of the associated licences is not allowed.
  • securityguy
    securityguy Posts: 2,464 Forumite
    Part of the Furniture 1,000 Posts Combo Breaker
    Not necessarily. The point here is that Apple have taken ownership of the drive and the data on there which is different to a company having access on a temporary basis for maintenance purposes.

    I've never seen a maintenance contract which doesn't start from the position that the failed components belong to the maintainer. When I was dealing with protectively marked data I had to get special terms negotiated to cover that precise point.
    Companies keeping hold of storage devices containing personal information probably should think about the legal ramifications. Some years ago I was involved in a project that ran into this issue (for different reasons) and we were advised to make sure the data was destroyed ASAP.

    No, people who have storage devices containing personal information should definitely think about the legal ramifications. The data controller needs to fulfil their responsibilities, and that includes tracking the data through its lifecycle. It's your bizarre claim that Apple become a data controller that I'm slack-jawed at, and your example is precisely my point: _your_ project ran into this issue and _you_ were advised to make sure the data is destroyed. That's because you were a data controller.
    The other issue outside of the DPA is that Apple have now probably taken ownership of copyrighted material (downloaded audio tracks, software etc) when transfer of the associated licences is not allowed.

    Again, if that theory has legs, the problem is the OP's. The license terms don't allow you to transfer data to unauthorised parties. If you think it's a real risk, the OP should not RMA disks under any circumstances.

    You appear to believe that people who are passed disks by people who have obligations over the data vicariously acquire the same obligations. They don't: it's the responsibility of the original owner to ensure that they fulfil their legal and contractual obligations.
This discussion has been closed.