The Information Commissioner's Office (ICO) has published updated guidance on the difference between data controllers and data processors under the Data Protection Act 1998 (the "Act"). The ICO has produced the guidance because organisations increasingly find it difficult to determine whether they, or the organisations they work with, carry data protection responsibility. It is important for organisations to understand their role, especially where there is a data breach.
Under the Act, it is the data controller that must exercise control over the processing and that carries data protection responsibility for it. The controller determines the purposes for which, and the manner in which, personal data are processed. The data processor processes data only on behalf of the data controller. The Act's obligations fall directly on the controller; a processor's obligations flow from the written contract the controller is required to have in place with it, under which the processor acts only on the controller's instructions and applies equivalent security measures. The guidance acknowledges that the definitions in the Act can be difficult to translate into the complexity of modern business relationships, hence the need for updated guidance.
The ICO suggests that organisations establish their roles before processing commences, to ensure there are no gaps in responsibility. To determine whether you are a data controller, you need to ascertain which organisation decides:
- to collect the personal data in the first place and the legal basis for doing so;
- which items of personal data to collect, i.e. the content of the data;
- the purpose or purposes the data are to be used for;
- which individuals to collect data about;
- whether to disclose the data and, if so, to whom;
- whether subject access and other individuals' rights apply, i.e. whether any exemptions apply; and
- how long to retain the data or whether to make non-routine amendments to the data.
These decisions can only be taken by a data controller. A data processor may decide:
- what IT systems or other methods to use to collect personal data;
- how to store the personal data;
- the detail of the security surrounding the personal data;
- the means used to transfer the personal data from one organisation to another;
- the means used to retrieve personal data about certain individuals;
- the method for ensuring a retention schedule is adhered to; and
- the means used to delete or dispose of the data.
Although these lists are not exhaustive, they illustrate that a data processor has the freedom to use its technical knowledge to decide how to carry out certain activities on the data controller's behalf. The key test is the degree of independence each party has in determining how, and in what manner, the data are processed, together with the degree of control each has over the content of the personal data. A processor that starts deciding, for example, what data to collect, for what purposes, or whether to disclose it to others, has stepped into the role of controller for that processing, with the responsibility that entails.
The new guidance provides useful 'real life' examples of how data are processed in different scenarios, such as at a market research company, in an online retailer/third-party payment provider scenario, in a client/solicitor or client/accountant relationship, when using cloud providers, and in how statutory bodies deal with data. The guidance is helpful in outlining where common difficulties and misunderstandings arise, and how the data controller/data processor roles can and should be determined from the outset.
The updated guidance is available from the ICO.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.