Processor or controller - the data divide
The data protection regime exists to ensure that an individual's personal data, and particularly any sensitive data, is granted adequate protection and that it is only processed, transferred or stored for certain legitimate and justifiable purposes. An important aspect for businesses or public bodies with outsourcing or external service arrangements is to consider the differences between the obligations imposed on data controllers and data processors under the Data Protection Act 1998 ("DPA"). Deciding which one is applicable when negotiating any such contracts is crucial. External providers and outsourcers will often try to identify themselves as data processors which impose significantly less onerous obligations under the DPA than those for controllers.
Whether and in what circumstances an entity should be regarded as a data controller or a data processor has often turned on an element of speculation and has given rise to contention between contracting parties. In a bid to remove some of the uncertainty and clarify the classification of each concept, the European Parliament in February this year adopted an opinion produced by the Working Party on the Protection of Individuals with regard to the processing of personal data.
Under the DPA a "data controller" means a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed. Examples include any business or public body that holds personal information on its employees or customers and determines how and why such information is to be processed.
A "data processor" means any person (other than an employee of the data controller) who processes personal data on behalf of the data controller, i.e. generally entities such as an internet service provider, a telecoms operator and some outsourcers.
A data controller has statutory duties to data subjects (an individual whose personal data is being held) and is responsible for compliance with the regulatory regime. Data processors on the other hand enter into contractual arrangements with data controllers but are not subjected to similar obligations under the DPA. Their obligations are contractual duties to the data controller on whose behalf they are processing information.
It is imperative that the classification between the two is correct. The SWIFT case involved a company providing a worldwide bank messaging service which assumed it was a data processor. Despite the contracts specifying that it carried out the required functions as a processor it was found to be a data controller regardless of what was written into the contract. In this instance both the messaging service and their customers were regarded as “joint” controllers with the messaging service having primary liability.
The opinion issued by the European Parliament provides guidance on making the correct determination and analyses the differences between the delegations of responsibility and degrees of autonomy given to data processors when processing personal data. A pragmatic approach is needed, considering whether the contracting party would have processed the data if it had not been asked to by the controller. The following are a few examples given in the opinion to assist with making the correct determination.
Where a company provides clear instructions to an organisation to carry out various mail marketing campaigns and to run its payroll, whilst there may be some discretion as to what software the organisation uses or around the dates the material is sent out, there are clear instructions in the contract on what material to send, who to send it to, who to pay, what amounts, and by what date. Therefore, the organisation can be considered a processor on the company's behalf. However, if the organisation were to process the information in any other way or use the databases provided to promote products to any other customers they would be deemed a data controller regardless of what was stipulated in the contract.
Where a member of a company's board decides to secretly monitor the company's employees without the Board's endorsement, the company as data controller is in breach of the security and confidentiality requirements. This is irrespective of whether or not the member of the Board is criminally or civilly liable (including to the company).
Where a recruitment firm agrees to act on behalf of a company in recruiting new staff and the contract stipulates that it will act as data processor, the recruitment firm is in a blurred position. On the one hand it is a data controller in respect of the job seekers, and on the other hand it purports to be a processor for companies seeking staff through it. The firm also mixes CVs received directly from the company with its existing database in order to fill vacancies. In spite of the contractual terms specifying that it is a data processor, the recruitment firm will be considered a data controller, controlling the information “jointly” with the company. It is important to look at the purpose of the processing at a macro level to determine whether the parties are joint controllers pursuing the same purposes, or both data controllers but in respect of separate purposes.
E-portals act as intermediaries between people and public administration units: the portal transfers requests and deposits documents with the relevant government unit. Whilst each administration unit is a data controller, the portal may also be considered a data controller because, in addition to collecting and processing the relevant information, it may also store the documents and regulate citizens' access to them. A person who decides how long data shall be stored and who shall have access to the data processed is acting as a controller.
A company may outsource some of its operations to a call centre and instruct the call centre to present itself using the identity of the client data controller when calling the client's customers. These circumstances, and the way the controller presents itself, mean the outsourcing firm remains the data controller. However, this will not always be the case where a call centre is given greater autonomy over how the information is captured and processed. The imbalance in contractual power between a small data controller and some big service providers and outsourcers should not be used to force the controller to accept clauses and terms in contracts which would otherwise not be compliant with data protection laws.
Where accountants provide services to the public, such as completing tax returns on the basis of general instructions, they will be data controllers. However, where more detailed instructions are given, such as to carry out a detailed audit of a firm, the clarity of the instructions and the limited scope for discretion mean the accountant is more likely to be deemed a processor. Where the same accountant is then found to have engaged in malpractice, they will be deemed to be acting independently as a controller. The “margin of manoeuvre” is a crucial factor.
Practical implications and best measures
- Ensure contracts are explicit on duties under the DPA
- Ensure that the entity you are contracting with is treated as a data controller wherever possible, and where it is fitting for them to be classed as a data processor, that there are sufficient warranties and indemnities to cover any potential liability for non-compliance by the processor
- Make sure that a data processor has adequate security measures to protect the data. It is the data controller's responsibility to ensure compliance with the DPA, so the controller should ensure it has the contractual control to require the processor to update, enhance and modify security arrangements where necessary
- Make provision for the data processor to co-operate with the data controller and to comply in all respects with meeting the controller's obligations under the DPA
- Where there may be joint and several liability between controllers ensure that the contracts are clear as to where the risks and responsibilities fall
- Don't blindly insist that a particular party should be classed as a processor or controller. The distinction in a contract is not binding on the Information Commissioner or the Information Tribunal, who will look at the actual relationship between the parties and the facts of each case
- Ensure that data controller obligations are not prejudiced by any conflicting intellectual property rights in contracts
- Make sure you adopt a practical and pragmatic analysis to identify who has functional control of and responsibility for the information
- A data controller should make sure that a data processor's employees are reliable
- Data controllers should be careful when giving processors the right to appoint sub-contractors, as more parties will make DPA compliance harder to manage