Under UK data protection laws, an organisation that processes personal data will be either a data controller or a data processor (a party that processes data on behalf of a data controller). The data controller is responsible under data protection laws for ensuring that the processing of data by it and by its data processors is carried out in accordance with data protection laws. This also includes responsibility for any data security breaches by its data processors.
For this reason, it is important that you know what role your organisation plays in the processing of personal data.
Indeed, in commercial contracts, a supplier may seek a contractual statement that it is acting as a data processor of the customer. By doing this, the supplier will seek to contractualise the customer’s responsibility for compliance with data protection laws (including, most crucially, the adequacy of the supplier’s information security measures), and ensure that the supplier has no direct obligations under data protection legislation in relation to the processing that it undertakes under the contract.
However, sometimes it is not clear-cut whether a party is acting as a data processor or as a data controller in its own right. Simply because you are doing something under a contract with another organisation does not mean that you will always be acting as a data processor.
New ICO guidance
To help organisations, the UK Information Commissioner has published a new guide to assist organisations with identifying their role.
As an example, the ICO’s guidance states that lawyers, accountants and doctors will generally be data controllers in relation to the services that they provide, whereas a company providing outsourced services like payroll or mail marketing to another company is likely to be a data processor.
Of course, if the European Commission gets its way, all of this may have less importance. The draft data protection regulation published by the Commission earlier this year proposes that data processors will have direct obligations under data protection laws, reducing some of the benefits of “data processor” status.
This is already the case in some member states within Europe, but it will be a substantial change for suppliers and outsourcing vendors servicing clients in the UK.
On April 3, 2012