Who: Information Commissioners Office (the “ICO”)
When: 27 May 2014
Law stated as at: 6th June 2014
The ICO has published their latest guidance on how to determine the difference between controllers and processors under the title: “Data controllers and data processors: what the difference is and what the governance implications are.”
The intention is to help controllers fully understand their obligations, recognising the difficulties organisations face in determining whether the organisations they work with are acting as a processor or a controller and hence their respective responsibilities for data protection law compliance.
The ICO highlights that it is important for organisations to be aware of their responsibilities, particularly in the event of a data breach and the fact that an organisation provides a service to another does not necessarily mean that it is automatically acting as a data processor.
The world has changed. Many years ago the respective roles of controllers and processors was much clearer with one entity clearly responsible and directing what happens to the data and the service provider acting purely on instructions, with no right to independent thought or action.
This is no longer the case and many hours are spent pondering on complex contractual arrangements trying to work out who is the controller or processor or joint controller or controller in common or none of the above. If you get a room full of lawyers and present them with a number of different scenarios you will get a number of different interpretations and conclusions over respective roles.
The ICO guidance is therefore a helpful reminder of the assessment which needs to be carried out and gives some useful examples where it can be difficult to determine where responsibility for data protection lies e.g. market research, payment services, solicitors and accountants, IT and cloud providers.
Controller or Processor?
The data controller exercises control over the “why” and “how” of data processing activity and decides to collect the data in the first place and the legal basis for doing so, which data , the purposes, whether to disclose the data, how long to retain data and whether to respond to subject access requests.
The processor may decide what systems to use, how to store, detail of security, means to retrieve and delete data. The processor has the freedom to use its technical expertise to decide how to carry out certain activities for the controller. In practice the ICO recognises it is more common for controllers to allow processors a considerable degree of discretion over how the processing takes place using its own expertise. Organisations should have systems to distinguish between its own data (e.g. employees) and data it processes on behalf of a controller.
The ICO states that it is good practice for the processor to seek consent from the controller prior to subcontracting a third party although it is not a legal requirement to do so and the fact that the processor subcontracts does not make it a controller.
Professional Advisors and consultants
The Guidance recognises that in many cases responsibility will lie with the service provider to determine what information to obtain to do the work and therefore the client may not be the sole data controller.
Examples of where this could occur include a lawyer or accountant, a doctor preparing a report for an insurance claim, a recruitment agency or a counselling service employed by emergency services.
Where such service providers have their own responsibilities for record keeping and confidentiality this further supports the contention that such professionals are controllers in their own right.
• Market research company conducting a survey for a client. If the research company determines for a client the information to collect (what to ask) , how the survey will be carried out , which customers of client to interview and how to present the results it will be a controller in its own right of the personal data that is processed in order to carry out the survey even though the client commissioned the research.
• Payment services – online retailer works with a payment company to process transactions. Both entities are controllers because the payment company decides which information it needs , has control over other purposes for using data such as marketing ; has its own legal requirements such as retention of data , and own terms directly with the retailer’s customers.
• Specialist service providers – lawyers and accountants. As they will also be processing data in accordance with their own professional obligations they will be acting as a controller as well as the client and both will have controller responsibilities.
• IT services – e.g car hire company contracts vehicle tracking company to track company cars via devices in cars, and send back location data to the client. Tracking company is a controller in its own right as it determines what information is collected and decides how the information is captured.
• Cloud Providers storing data for clients. Likely to be a processor as has no scope to use the data for its own purposes, and does not collect any data itself and all information is provided by the client.
Controller to Controller responsibilities.
• each has full data protection responsibilities as both exercise control over the purposes for which the personal data is processed;
• a data sharing agreement should be entered into where sharing is systemic , risky , or large scale. This should specify how the data can be used, any further disclosure of data and allocate responsibilities. The organisation that holds most of the data should take responsibility for the practical elements such as responding to subject access requests.
• if data sharing is one off, small scale and low risk then a more informal approach can be used.
Why this matters:
The distinction between controller and processor is key, particularly as the controller remains responsible for the personal data and the ICO cannot take enforcement action against a processor. In practice, in the event of a security breach caused by a processor, the ICO may not take enforcement action if it is satisfied that the controller has done all it could to protect the data and to ensure the reliability of the processor e.g. via a detailed written contract and appropriate due diligence.
The Guidance is helpful in giving some practical examples and emphasises the need to have a data sharing agreement in place for high risk controller to controller transfers. This is consistent with proposals in the draft EU Data Protection Regulation (“DPR”) which is intended to supersede EU Data Protection Directive 95/46/EC. The DPR recognises the concept of joint controllers and the need to document respective responsibilities. The examples in the Guidance also illustrate, however, that this is not a science and the responsibilities will still need to be looked at on a case by case basis as illustrated by the IT services example.
ICO also demonstrates that it will probably expect to see the respective responsibilities set out in contracts rather than, as is often seen today, very general wording to cover all potential options e.g. where acting as a controller certain clauses apply and as a processor other clauses apply. The Guidance is also consistent with the proposals in the DPR which recognise that joint controller arrangements are common and the parties should document in a contract their respective responsibilities.
While the guidance is helpful it does not provide all the answers. Clearly one size will not fit all and the contract needs to reflect the reality, so early consideration should always be given of the parties’ respective roles when handling personal data.