Data controllers and data processors
Since the 1984 Data Protection Act we have been familiar with the idea that, where two or more entities band together to process personal data, one is the data controller and the other(s) works on his behalf as a contractor or data processor (under the old Act more logically called a bureau). This concept was carried into the Data Protection Act 1998 and specifically into the Seventh Data Protection Principle, which establishes the security and to some extent the contractual aspects of this relationship. The contract must be made or evidenced in writing, and the data processor – the ‘servant’ in this master and servant relationship – must process the data only on the instructions of the data controller (the ‘master’).[1]
So far so good. But the Information Commissioner has been having second thoughts about all this, especially in an online context. His Personal information online code of practice was issued in July 2010 and forms one of a number of such Codes promulgated under s 51 of the DPA and enshrining both legislation and good practice. This particular Code is much the most innovative so far, and covers such sticky points as whether IP addresses are personal data (the Commissioner recognises that they can be in some instances and accordingly recommends that they always be treated as personal data, of a type which he characterises as ‘non-obvious’[2]).
Another innovative insight is that it is no longer sufficient to think all the entities in an online transaction are divided neatly into data subject (the customer), a single data controller (the retailer) with data processors at his beck and call. The Information Commissioner suggests that a company operating a payment mechanism which allows a customer to purchase from more than one online retailer can hardly be described as a data processor in respect of each such retailer. The payment company has a direct relationship with the customer outwith the relationship the customer has with the retail company. The customer’s relationship with the payment company may predate or continue long after his relationship with the retailer, and indeed also may concern itself with other retailers. So both retailer and payment company must be data controllers, each processing overlapping personal data sets about the customer. The payment company will be concerned with the customer’s bank account and credit worthiness. The retailer will be concerned with his choice of goods or services (with the hope that he may buy more in the future). Both will be concerned with the customer’s identity and the value of the transaction. And a delivery company, if one is involved, may be a third data controller concerned with his physical address. Yet all will have in common data about the customer’s name and the fact that he purchased goods or services at this time.
The Commissioner comments that the customer may not be aware of the exact nature of these relationships. The lead player (in this case the retailer, whom the Commissioner calls the web site publisher) should take the initiative in dealing with the customer and explaining who will use the information and how.[3] This implies that one of the various data controllers must handle the Privacy Notice for the others.
Data loss and data sharing
But apart from technological innovations in online practice which lie behind this Code, the present Commissioner and his predecessor have been increasingly concerned with quite another recent development: data loss. Ever since the notorious loss by HM Revenue & Customs of substantial personal data, hardly a month goes by without news of some other débacle. The Commissioner now has power to fine for serious breaches of the DPA[4] and all of his first four fines have been for data loss. The heaviest fine to date – £100,000 imposed on Hertfordshire County Council in Nov 2010 – was for sensitive personal data about children at risk which was intended for counsel’s chambers but instead faxed to the wrong recipient. This was a data sharing exercise that went astray.[5]
As a consequence of the accumulation of data loss cases, the Commissioner has also been required to produce a Data sharing code of practice[6] – presumably because the previous Framework Code of practice for sharing personal information, of October 2007, when the flood of data loss cases had just started, is felt to be insufficient. The new Code was issued on 11 May 2011.
The new Code has nothing particularly novel to say about the Commissioner’s new perceptions of data sharing other than the data controller/processor relationship. Rather, it effectively takes data sharing as a given, with fairly unadventurous examples.[7] But it is breaking new ground when it suggests a data sharing agreement.[8] The Commissioner outlines in section 8 a document which will cover:
- the purpose, or purposes, of the data sharing;
- the potential recipients or types of recipient and the circumstances in which they will have access;
- the data to be shared;
- data quality – accuracy, relevance, usability etc;
- data security;
- retention of shared data;
- individuals’ rights – procedures for dealing with subject access requests, queries and complaints;
- review of effectiveness/termination of the data sharing agreement; and
- sanctions for failure to comply with the agreement or breaches by individual staff.
He also recommends a Privacy Impact Assessment (PIA) before entering into such an agreement. He seems to imply that each participant in a proposed data sharing scheme will conduct its own PIA.
He also recommends ironing out any issues of compatibility, checking data accuracy with a mechanism for data correction for all organisations holding the shared data. The agreement of common data retention periods and deletion arrangements is more difficult – indeed it can be argued that the Fifth Data Protection Principle which this refers to is the hardest to implement of all – and the Commissioner does concede that the retention period for the data may be different for different sharers of the data.
Finally he recommends a review of the arrangements on a regular basis.
More detail is given in section 14 – especially on the matter of information governance. Here the Commissioner recommends all participants:
- have detailed advice about which datasets may be shared, to prevent irrelevant or excessive information being disclosed;
- make sure that the data shared is accurate, for example by requiring a periodic sampling exercise;
- are using compatible datasets and are recording data in the same way – the agreement could include examples showing how particular data items (eg dates of birth) should be recorded;
- have common rules for retention and deletion of shared data items and procedures for dealing with cases where different organisations may have different statutory or professional retention or deletion rules;
- have common technical and organisational security arrangements, including arrangements for the transmission of the data and procedures for dealing with any breach of the agreement;
- have procedures for dealing with DPA or FOIA access requests, or complaints or queries, from members of the public;
- have a timescale for assessing the ongoing effectiveness of the data sharing initiative and of the agreement that governs it; and
- have procedures for dealing with the termination of the data sharing initiative, including deletion of the shared data or its return to the organisation which supplied it originally.
He also suggests an appendix to cover:
- a glossary of key terms;
- a summary of the key legislative provisions, for example relevant sections of the DPA, any legislation which provides your legal basis for data sharing and links to any authoritative professional guidance[9];
- a model form for seeking an individual’s consent for data sharing;
- a diagram to show how to decide whether to share data;
– and probably also
- a data sharing request form; and
- a data sharing decision form.
and he provides templates for the two last items.
So whereas we have been familiar for some time with a data controller/data processor contract made or evidenced in writing, the Commissioner is now moving to a comparable document for data sharing.
Deciding between processing and sharing
I think there is one further tool we need at our disposal in dealing with data sharing and data controller/data processor relationships. It seems to me far from easy always to decide precisely which is data sharing and which is data processing.
Although the data processor must process only ‘on the instructions of the data controller’, in practice there is often a degree of latitude allowed to the data processor as to precisely how he will process the data. Indeed if the data processor has some specialist knowledge or skill that enables him to process the data and which is not available to the data controller, this must always be the case. So rooting around in the detail as to what extent the data processor has such latitude in performing the processing will rarely I think clarify the matter. Instead I suggest the touchstones might include:
- Does Organisation B have a relationship with the data subject independent of that of Organisation A? This could be prior to the transaction that triggers the question to be considered, or subsequent to it, or both.
- Does Organisation B do anything with the data other than in furtherance of the interests of Organisation A?
- Does Organisation B get anything out of working with Organisation A other than payment by A?
Data processors will tend to answer No to each of these. Data sharers will tend to say Yes.
Richard Morgan is an IT Consultant of over 40 years’ experience. He is a Fellow of the British Computer Society. For many years he was Computer Officer at the two Houses of Parliament. He has always been interested in the interaction of IT and Law and is a founder member and a past Chairman of the Society for Computers and Law. He lectures and writes articles on IT and Law. He is the author with Kit Burden of Morgan & Burden on Computer Contracts 8th edition Sweet & Maxwell 2009, and of Legal Protection of Software: A Handbook xpl (formerly EMIS) 2002, and with Ruth Boardman of Data Protection Strategy, Sweet & Maxwell 2003.
[1] DPA, sch 1, Part II, para 12.
[2] Personal information online code of practice, section 2, p 9.
[3] Ibid. p 11.
[4] DPA, s 55A came into force on 6 April 2010.
[5] Details under the ICO Press Release of 24 November 2010 on www.ico.gov.uk.
[6] DPA, ss 52A-52D.
[7] Data sharing code of practice, section 3, p 8.
[8] Ibid. section 8, p 26 and section 14, pp 40-42. It was called a data sharing protocol in the draft Code released for consultation at the end of 2010.
[9] Although he doesn’t say so, surely the Commissioner must have been thinking, inter alia, of his own Codes and other Guidance.