Under the Data Protection Act, data controllers (those who decide what to do with personal data) are responsible for complying with the Act, whereas data processors (those that only process data on behalf of a data controller) have no direct statutory obligations or responsibilities.
The only mention of data processors is in relation to the Seventh Principle of the Act, which requires data controllers to:
- take appropriate security measures to protect personal data, commensurate with the nature of that data and the harm that could result from its loss;
- take reasonable steps to ensure that only trustworthy and reliable staff have access to personal data;
- conduct due diligence to ensure that any data processor you appoint meets the same standards outlined above; and
- have a written contract with any data processor requiring it to act only on your instructions (and no one else's) in relation to that data and to keep it secure (as well as abiding by the principles outlined above).
Even though you may have a breach of contract claim if your appointed data processor does not comply with its contractual duties, it is your door that the Information Commissioner will be knocking on (as the data controller) if personal data is mislaid. And it is also you who may be fined or face criminal sanction – not the data processor working on your behalf.
Yet most of the high-profile data losses and security breaches in recent times have occurred while data has been in the hands of data processors. So why aren't data processors also responsible under the Act for keeping personal data secure?
Making data processors responsible for compliance could enable the Information Commissioner's Office (and other enforcement authorities, such as the Financial Services Authority) to introduce some form of licensing system, under which companies that wish to offer their services as data processors are recognised as a safe pair of hands. This, in turn, may enable the European Commission to develop a more sophisticated system for protecting personal data.
In other words, if personal data is entrusted only to a smaller number of experienced and more stringently regulated data processors, we may achieve greater control and security over the way it is handled.
Philip James, senior associate, media, brands and technology, Lewis Silkin