When organisations in relationships are data controllers
Under data protection legislation, any individual can ask organisations that are ‘data controllers’ to see (and have copies of) personal data held by the organisation about them, and must be told how their data is being processed and who is entitled to see it. There are also rules about how long data should be kept.
While data controllers are subject to these laws, organisations that are ‘data processors’ are not. However, in some circumstances (for instance, when an organisation outsources the processing of its data to another organisation) it can be unclear which organisation is the ‘data controller’.
The ICO’s guidance Data controllers and data processors: what the difference is and what the governance implications are will help businesses faced with this uncertainty. The key factor is to look at the degrees of independence and control an organisation has over the data processing being carried out. It states, for instance, that to determine whether you are a data controller you need to ascertain which organisation decides:
- to collect the personal data in the first place and the legal basis for doing so;
- which items of personal data to collect, ie the content of the data;
- the purpose or purposes the data are to be used for;
- which individuals to collect data about;
- whether to disclose the data, and if so, who to;
- whether subject access and other individuals’ rights apply, ie the application of exemptions;
- how long to retain the data or whether to make non-routine amendments to the data.
These are all decisions that can only be taken by the data controller as part of its overall control of the data processing operation.
However, decisions about how data is stored, the security measures used to protect it and how to transfer it safely to other organisations and how to delete and/or destroy data that should no longer be retained, are usually decisions for data processors.
It also discusses and gives guidance on specific relationships such as employing a market research company, a third party payment business, a law or other professional service firm and a data storage company.
- Organisations involved in relationships where it may not be clear which is a data controller and which a data processor should enter into a clear, written agreement setting out each party’s rights and duties and making it clear which is a data controller subject to data protection law.
- Download Data controllers and data processors from the ICO website.