The ICO’s recent(ish) Data Controller (DC) and Data Processor (DP) guidance has received a lot of unfavourable attention, and I’m afraid the Policy Department will have to add me to their voodoo doll collection too, as I find it a really strange piece of guidance. What has been presented as a clarification of an area organisations struggle with in fact appears to be a significant change to the working understanding of some notable experts within the field.
The guidance starts sensibly enough, noting
“The data controller must exercise overall control over the purpose for which, and the manner in which, personal data are processed. However, in reality a data processor can itself exercise some control over the manner of processing – e.g. over the technical aspects of how a particular service is delivered”
And similarly clarifying
“The fact that one organisation provides a service to another organisation does not necessarily mean that it is acting as a data processor. It could be a data controller in its own right, depending on the degree of control it exercises over the processing operation”
I think that was the general understanding people would have previously worked towards. However, the guidance then headed off in another, perhaps contradictory direction when later explaining that
“activities such as interpretation, the exercise of professional judgement or significant decision making in relation to personal data must be carried out by a data controller”.
The guidance also helpfully provides a number of examples, but there is one in particular that I can’t agree with, albeit I’m late to the party on this one.
Market research company
A bank contracts a market research company to carry out some research. The bank’s brief specifies its budget and that it requires a satisfaction survey of its main retail services based on the views of a sample of its customers across the UK. The bank leaves it to the research company to determine sample sizes, interview methods and presentation of results.
The research company is processing personal data on the bank’s behalf, but it is also determining the information that is collected (what to ask the bank’s customers) and the manner in which the processing (the survey) will be carried out. It has the freedom to decide such matters as which customers to select for interview, what form the interview should take, what information to collect from customers and how to present the results. This means that the market research company is a data controller in its own right in respect of the processing of personal data done to carry out the survey, even though the bank retains overall control of the data in terms of commissioning the research and determining the purpose the data will be used for.
So, the ICO’s clear conclusion in this example is that the market research company is a data controller. I don’t contest that they are to a large extent determining the specific manner in which the data is processed, but I cannot see how they can be said to be determining the purpose. The purpose is market research and will presumably be listed as such in a fair processing notice on the bank’s original application forms. It’s important to recall that the DPA itself defines a DC as an organisation that
“determines the purposes for which and the manner in which…”.
I’ve added the emphasis because I think this is basically where the ICO have lost their way.
Most outsourcing relationships will rely on the contractor using their expertise to determine the manner in which the data is processed. To me, a Data Controller will always concede some element of the manner of processing when outsourcing; after all, you outsource certain functions (and consequently personal data) specifically because of the technical expertise of an outsourcer. Yet the ICO’s guidance appears to lean towards an either/or scenario in terms of purpose and manner, because even according to their own logic, the bank
“retains overall control of the data in terms of…determining the purpose the data will be used for”.
They recognise that the market research company is not determining the purpose for which personal data is processed. They are, as the guidance notes, making some decisions on the specifics of which data is collected, in the sense that they are being allowed to use their technical experience (or is it professional judgement?) in setting the questions, selecting the sample size, etc.
As I understand the guidance, it’s precisely the act of granting the market research company this freedom to have some control over the manner of the processing that makes the market research company a data controller. The less prescribed the instructions, the more control is exercised by the market research company. However, if one follows that through to its logical conclusion, then how would you assess a relationship where there are no written instructions or contract at all? If you don’t tell a contractor exactly what to do and he alone makes decisions on, for example, the deletion of the data, is he not more likely to be considered a data controller? It’s not as if loss or misuse of the data would be a breach of contract (only of the DPA).
A final word on that market research company. If they lost the customer dataset provided to them by the bank, does anyone actually think the ICO would turn to the market research company, as opposed to the bank who commissioned them, on the basis that it was the former who had been deciding the sample size and were therefore the Data Controller? Even I’d fancy my chances of arguing on behalf of the market research company that the charge falls at the first hurdle, because they are not determining the purpose for which the data is processed in accordance with the definitions of the DPA.
The motivation for this blog was my own difficulty in understanding where contractors/partners are DCs or DPs. For example, if I worked for a moneysupermarket-type platform and was advising on a contract with a number of insurers who were on a panel to quote for insurance, my biggest concerns when passing them data would be to ensure the data would be kept secure and not processed for additional purposes. I’d look to complete some due diligence around their processes. I’d also ensure contractually that they were limited to processing data for a specific and limited purpose – i.e. the provision of a quote. To my mind, they are, and always have been, Data Processors, because only my organisation decides the purposes for which the data is processed. It’s solely and specifically for providing a quote. Of course they will primarily decide the manner in which it’s done, because it’s their own professional judgement and technical expertise that will make a decision about the risk and determine the quote. However, in crude terms, they do as I tell them with the information I give to them. I’m only discussing the provision of the quote – obviously if/when a customer wants to take that up, that’s between them and the provider, at which point the provider will of course become a controller.
I collect the data, I’m responsible for a fair processing notice and I’m liable for any loss of the data. Well, that’s what I think, and although it also seems to be what the Enforcement department thinks, the policy guys appear to be swimming against the tide. That’s not to say they are wrong, but if they are making significant changes to the ICO’s position, they should perhaps flag that more clearly.
To be honest, when debating some of the above points with partner organisations who were adamant they were Data Controllers in a similar scenario to the above, I quickly reached the point of complete indifference. If I’ve got a contract getting them to agree that they will process data for the single specified reason I’m giving it to them, and I’m happy with their security (et al.) processes, then what’s left to squabble about? If they lose the data then at worst the ICO regards me as the DC – if the partner company insists they’re a DC then they are simply putting their hand up to the liability. The reputational damage will nearly always sit with the source organisation, but that’s the case irrespective of who is the DC/DP in the ICO’s eyes.
So, whichever way the ICO guidance wind might be blowing, it’s business as usual for me.