New guidance on ‘data controllers’ & ‘data processors’
The Information Commissioner's Office (ICO), charged with upholding information rights in the UK, recently updated its guidance on the differences between data controllers and data processors.
The Data Protection Act 1998 (the Act) aims to balance individuals' privacy rights against the rights of organisations to process personal data fairly and lawfully. Under the Act, a data controller bears ultimate responsibility for complying with the Act by deciding the purposes for which, and the manner in which, personal data are processed, while a data processor processes personal data on behalf of a data controller.
Why is the distinction important?
While many businesses will be data controllers in respect of their own business activities (e.g. processing customer orders and managing employee records), it is not possible for an organisation to be both a data controller and a data processor for the same activity.
The issue is one of liability and risk. Data controllers can be fined up to £500,000 by the ICO for breaches of the Act, and a series of recent cases demonstrates how easily breaches can occur. Data controllers are also required to register with the ICO every year and pay a fee, unless they are exempt. Failure to do so is a criminal offence.
Some businesses believe that if they merely provide services to other organisations, they will be treated as data processors. However, as business models increase in complexity, more business records are digitised and more processes are outsourced, the distinction will not always be obvious.
What does the guidance say?
As a basic guide, the ICO distinguishes those decisions that can only be taken by a data controller (having control over the "why" and the "how" of data processing) from a data processor's freedom to use its technical knowledge in deciding how certain activities are carried out on the data controller's behalf.
The distinction very much depends on the respective roles and responsibilities that parties have in relation to data processing. It is for this reason that the ICO provides a number of examples covering professional services firms, market research companies and IT/cloud services providers instead of a set of prescriptive rules.
What’s our view?
“The ICO's guidance is often accused of being too general. However, the distinction between data controllers and data processors is a largely factual one requiring careful consideration in each case.
The Act requires a data controller to enter into a written contract with every organisation that it engages to process personal data on its behalf. While a written contract will not always be conclusive, it is a very useful tool in clarifying the respective roles and responsibilities of each party in the course of processing personal data.
The ICO cannot take direct action against data processors. As such, it is vitally important that businesses identify all of their data processing activities, both internally and externally, to identify whether they are a data controller or a data processor.”
How can we help?
The lawyers at Gregg Latchams are experienced in advising businesses on data protection issues generally and in relation to specific projects and activities. The team can undertake on-site data protection audits and risk assessments and deliver data protection training at both management and operational level.
For further assistance please contact Ed Boal on 0117 906 9486.