The changes to data protection law last year got charities thinking about how and when they share personal data with third parties – whether it’s sharing beneficiary information with another charity or sharing a marketing list with an external events company.
Controllers and processors
In legal terms, we use the terms ‘controller’ and ‘processor’ to describe how and why organisations use personal data. The definitions in the General Data Protection Legislation (the GDPR) are deceptively simple:
- A controller is the person or organisation that determines the purposes and means of processing personal data
- A processor is the person or organisation that processes personal data on behalf of the controller
But applying them to the diverse array of working arrangements and practices in the charity sector can be challenging.
More than one controller
By far the most common error that we come across is the assumption that, if one party is obviously the controller of personal data, any third party they share information with must be a processor. This isn’t necessarily the case.
Data protection law has long recognised that there will be situations where parties use shared personal data for their own purposes. Guidance from the Information Commissioner’s Office (the ICO) gives the example of a contract between a business and its professional advisers such as accountants or lawyers. Because professionals are subject to regulatory requirements, they cannot always act on their client’s instructions and are therefore controllers in their own right. The same is likely to apply to charities that carry out work under contract from a Local Authority in regulated areas such as social care or education.
In situations like this, there is no legal requirement to have binding contract in place but it is best to enter into some form of Data Sharing Agreement that sets out what data will be shared and for what purposes. Depending on the circumstances, the Agreement might also contain warranties about the quality and accuracy of the personal data and indemnities covering losses arising from data protection claims or breaches.
The GDPR introduced a new concept of ‘joint controllers’ where two or more controllers jointly determine the purpose and means of processing shared personal data. For example, two charities that jointly run a drop-in service or a charity that puts on an event in partnership with a corporate partner. In these cases, the GDPR says the joint controllers must agree who will be responsible for complying with certain data protection obligations (for example, responding to data subject access requests and providing privacy notice information). There’s no requirement for the agreement to be legally binding (or even for it to be in writing) but, again, it is a good idea to put something in place to demonstrate accountability and avoid uncertainty.
Unlike the controller who makes the decisions about why and how to process personal data, a processor must only use personal data in line with the controller’s instructions. The GDPR says there must be a binding contract in place between a controller and processor and it sets out specific information that must be included in the contract.
Why does it matter?
Controllers are responsible for complying with the data protection principles, including the requirement to identify a lawful basis for processing personal data and the requirement to provide privacy information. Controllers are also responsible for reporting data breaches to the ICO and for ensuring that people can exercise their individual rights (including the right to access personal data and the ‘right to be forgotten’).
Processors have much narrower rights and obligations as they have less autonomy over the personal data that they process. Their main obligation is to only act on the instructions of the controller – if a processor makes its own independent decisions about how personal data is used, they will automatically become a controller and will inherit all the obligations that go along with that role.
You can see that if a charity is operating under the mistaken assumption that they are a processor but, because the nature of the work they do means they have to make their own decisions about how personal data is used, they are in fact a controller, they may inadvertently be breaching the data protection legislation and could find themselves on the receiving end of a complaint or even a penalty fine.