Joined-up data for better decisions: Guiding Principles for Data Linkage

These principles accompany the associated publication 'Joined-up data for better decisions: A Strategy for Improving Data Access and Analysis'. The guiding principles are a key element of the Data Linkage Framework for Statistical and Research Purposes. They are designed to support data custodians, researchers and other stakeholders in taking decisions about safe and effective data linkage and sharing.


Functions, Roles and Responsibilities of Data Controllers

The following is taken from the SHIP Blueprint Appendix 6 (08/12/2011):
http://www.scot-ship.ac.uk/sites/default/files/Reports/Appendix_6.pdf
See also the ICO guidance on identifying 'data controllers' and 'data processors' under the Data Protection Act 1998.

All UK individuals and organisations must ensure that their use and disclosure of personal data complies with the requirements of the Data Protection Act (DPA).

Identifying the Data Controller

The DPA confers the responsibility and liability for compliance with the requirements of the DPA on the Data Controller. Identifying the Data Controller(s) in relation to a set of personal data and its processing operations is therefore key to ensuring that data protection obligations are known and adhered to. It is sometimes challenging to identify the Data Controller where a number of actors and processing operations are involved.

The opinion of the Article 29 Data Protection Working Party[1] published in 2010[2] recognised the challenge in this area. The Working Party made some unambiguous observations:

  • In identifying a Data Controller, identifying who sets the purposes of the processing is the paramount consideration;
  • The actors involved must have the legal and factual capacity to fulfil their role, i.e. a Data Controller is not a Data Controller unless, in fact and in law, they have the capacity to set the purposes for the processing of the personal data;
  • A pluralistic situation, with a number of Data Controllers, including with different degrees of responsibility and liability, is both possible and acceptable.

Key messages:

  • It is essential to be clear as to who is acting as a Data Controller with respect to any given data set which involves the processing of personal data;
  • It is possible that more than one party can act in the capacity of Data Controller, and such parties will accordingly be held jointly liable;
  • It is possible for parties to agree between themselves who will act as Data Controller with respect to a given data set and/or to agree different levels of responsibility and liability.

Data Controllers and Data Processors

The Data Controller is defined as the person or persons who determines the 'purposes for which and the manner in which personal data are to be processed'.

The Data Processor is defined as any person '…other than an employee of the Data Controller who processes data on behalf of the Data Controller'.

Data Controllers and Data Processors are typically organisations, authorities or businesses e.g. the Data Controller of the personal data used across NHS hospitals in the Lothians area is Lothian NHS Board. There are also cases where a Data Controller is an individual, for example General Practitioners are Data Controllers for patient information provided to them.

An important feature of the Data Controller/Data Processor relationship is that the Data Controller retains liability under the DPA for all processing of personal data undertaken by the Data Processor on their behalf. There is a legal requirement that a written contract between the Data Controller and Data Processor governs processing undertaken by a Data Processor on behalf of a Data Controller.

Data Controllers may only disclose personal data in accordance with their Register entry in the Information Commissioner's Register of Data Controllers and with the Data Protection Principles set out in Schedule 1 of the DPA. Whilst the Data Controller is legally required to ensure that all disclosures of personal data meet these requirements, they do not retain these obligations after the data are disclosed. These obligations essentially flow to the recipient, who then becomes the Data Controller and is liable for their own use and disclosure of the data in accordance with the DPA.

Key messages:

  • Data Controllers retain legal liability with respect to the processing of data, and for the activities of Data Processors who work on their behalf, until such time as the data are disclosed;
  • It is imperative to be clear with the respective parties as to the capacity in which they are entering a relationship, and also the point at which the responsibilities of the Data Controller(s) will pass (if at all).

Contact

Email: Kirsty MacLean
