Level of expertise key factor in determining whether processor is also controller of personal data, ICO says

Out-Law News | 03 Apr 2012 | 4:14 pm | 6 min. read

Professional organisations that think they are merely processing personal data on behalf of other companies may actually be 'data controllers' under the terms of UK data protection laws, according to new guidance published by the Information Commissioner's Office (ICO).

Whether a firm tasked with processing personal data is also a data controller depends on "how much discretion" the "service provider" has "in providing the service", the watchdog said. The knowledge and expertise of the 'client' issuing the processing instructions, and whether the service provider is a regulated or licensed specialist, are further factors in assessing the extent of a firm's data protection responsibilities.

"Where a client instructs a service provider to carry out a service on his behalf (which involves the processing of personal data), in general the client, as the party determining the broad purpose of the processing, will be a data controller in respect of such data," the ICO said in new guidance (17-page / 310KB PDF).

"Where the service provider has little or no flexibility in providing the service and acts entirely on instructions from the client he will be a data processor in respect of the data being processed," it said.

"Where the service provider is either given considerable flexibility or independence in determining how to satisfy the client’s broad instructions or is providing the service in accordance with externally-imposed professional or ethical standards, he will be acting as a joint data controller, rather than a data processor, in relation to the service data," the guidance said.

Organisations that determine the purposes for which, and the manner in which, personal data is or is likely to be processed are responsible for complying with all eight data protection principles of the Data Protection Act (DPA). These organisations are called data controllers. In contrast, data processors – third parties contracted by data controllers merely to process personal data on their behalf – only have to comply with the data protection obligations set out in their contracts with those controllers.

"The data controller is the organisation that calls the shots in terms of why and how personal data is processed and has statutory liability for compliance with the DPA," data protection law expert Kathryn Wynn of Pinsent Masons, the law firm behind Out-Law.com, said. "Companies merely processing personal data on behalf of others, data processors, are not on the hook for compliance with the DPA but do have contractual obligations relating to data protection that must be imposed on them by data controllers."

"The DPA says that the data processor must act on the instructions of the data controller, put in place appropriate security measures and ensure that staff are reliable if they are involved in the processing of personal data. The data controller has to monitor how data processors are processing that data. Typically this is achieved by giving the data controller the right to audit the data processor," Wynn said.

The ICO acknowledged that it was not always "clear-cut" whether a firm would be a data controller or a data processor, and said the difficulty arose because of "the variety of different interrelationships that exist between organisations involved in the processing of personal data to any degree jointly with others".

Expert "service providers" that are instructed to carry out personal data processing but have "almost total discretion" over how that processing is done will probably be deemed data controllers, the ICO said.

"A service provider who processes personal data to carry out a service using his expert or professional skill and knowledge (and in the case of many professionals, such as accountants and lawyers, in accordance with professional and ethical standards regulated by a professional body) is likely to be acting as a data controller," the watchdog said.

Other examples the ICO gave include doctors instructed to compile medical reports for insurance companies and psychologists instructed to provide reports on individuals for use in court proceedings.

"While the client provides the initial broad instruction to the service provider (and ultimately pays for the service), where the service provider is required to use a considerable degree of independence in determining the way in which he is able to provide the service in accordance with his professional obligations he is likely to exercise a sufficient degree of control over the processing of the personal data to be acting as a data controller," the ICO said.

Even where "specialist service providers" are given detailed instructions by professional-level clients that set out closely how personal data should be processed, those providers may still be 'data controllers', according to the guidance.

A 'specialist service provider', the guidance states, is one that requires "specialist qualifications, licences or other authorisations in order to provide certain services" and "is obliged to provide such services in accordance with professional and ethical standards imposed by the body appointed to regulate the provision of those services". Such specialists are instructed because of their expertise and generally have "a considerable degree of flexibility and independence in determining how to provide the [processing] service".

"As the professional client determines the activity that gives rise to processing he will be acting as a data controller in relation to the data being processed," the guidance states. "In these circumstances, although the specialist service provider is unlikely to be able to exercise much control in determining how the service will be provided (and consequently how and why personal data will be processed) he is always required to apply professional standards and ethics in the provision of his specialist services."

"Consequently, as the specialist service provider is not acting solely on instructions from the client but also in accordance with his externally imposed standards, the specialist is not operating solely as a data processor but will be a data controller in relation to the provision of the service jointly with the professional client," it said.

Where there are "joint" data controllers, those parties can legitimately "agree between themselves how to divide responsibilities for complying with the data protection principles." These practical arrangements can be set out in contracts. Although both controllers remain liable for compliance with the data protection principles, the ICO said it would generally only take action against the party that was contractually responsible for the obligation that had not been met.

"Where the client and the service provider are both (joint) data controllers, while they are both liable for compliance with the data protection principles, they may agree between themselves who is in practice to be responsible for which elements of compliance," the watchdog said.

"It is unwise for data controllers to agree to share responsibility for data protection compliance (particularly for tasks that are time sensitive such as responding to subject access requests). Unless there is a clear understanding as to which party will perform which data controller task there is a real danger of confusion and of non-compliance with the DPA," it said.

"Whilst both joint data controllers are legally responsible for compliance with the data protection principles, where the parties have made reasonable arrangements as to each party’s defined responsibilities, if one party fails in its obligations the ICO would usually only seek to take enforcement action against the party that is in breach of his agreed obligations," the ICO's guidance said.

Kathryn Wynn said the guidance did not confirm already accepted practice but instead turned it on its head.

"The ICO is now suggesting that the more specialised and expert that service providers are, the more likely it is that they will be data controllers," she said. "This suggests that there will be an assumption that accountants, lawyers and any number of other professional organisations providing professional advice are data controllers. The position of businesses regulated by the Financial Services Authority (FSA) remains unclear."

"However, the Information Commissioner does suggest that it is possible to allocate responsibilities for compliance with the DPA between the joint data controllers contractually. In practice it is therefore unlikely to change current arrangements dramatically, because those professional organisations often will simply not have enough information or access to information about a data subject to ensure compliance with the DPA beyond compliance with the security requirements," Wynn said.

"For example, those professional organisations are unlikely to be in direct contact with data subjects and so would not be in a position to verify whether personal data is accurate or up to date, or have the full set of data to respond to a subject access request. Those firms are therefore likely to require clients to take on most of the responsibility for DPA compliance," she said.