Issue
1. Section 1 of the DPA provides that:
“… the “data controller” means, subject to subsection (4), a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed; …
(4) Where personal data are being processed only for the purposes for which they are required by or under any enactment to be processed, the person on whom the obligation to process the data is imposed by or under that enactment is for the purposes of the Act the data controller.”
2. A data controller may engage a “data processor”, who is not an employee, to process personal data on their behalf (section 1(1) of the DPA).
3. Departmental Notifications held by the Information Commissioner show the identity of the data controller. On occasions this is shown as the Secretary of State, or it may be the name of the organisation.
Standards
4. Ensure that a named individual or post holder is designated as being responsible for ensuring compliance with the DPA and dealing with queries directed at the data controller.
5. Ensure that all data processors are identified and that appropriate security contracts are in place with each of them. An example of the undertakings to be included in the contract between the data controller and the data processor is at “1A”.
Recommended best practice
6. The identity of the data controller may vary from department to department depending on the circumstances (e.g. it may be shown as the department, or as the Secretary of State). This is entirely reasonable, and is consistent with a nominated individual or post being responsible for ensuring compliance with the Act.
7. There is a joint working party involving the Public Record Office, the Society of Archivists and the Records Management Society that has been drafting a code of practice for archivists and records managers under section 51(4) of the DPA. The draft code introduces the concept of “local data controllers”, i.e. the individuals within the organisation to whom operational responsibility for particular sets of data has been delegated. The data controller notified to the Information Commissioner would retain formal responsibility, with the local data controller being answerable to the officer responsible for data protection (as in paragraph 4 above) for compliance with the organisation’s policies and procedures.
Data processor to data controller
We hereby undertake to you to comply with obligations equivalent to those imposed on a “data controller” by the Seventh Data Protection Principle, as set out in Schedule 1 to the Data Protection Act 1998, as regards any personal data we process on your behalf in providing [the services under the contract].
In addition, we:
(a) Warrant and undertake that we have and will have at all times during the term of the contract appropriate measures in place acceptable to you to protect any personal data accessed or processed by us on your behalf against unauthorised or unlawful processing and against accidental loss or destruction [(current security procedures as at the date of this contract being described in the Annex to this contract)] and that we have taken all reasonable steps to ensure the reliability of any of our staff who will have access to personal data processed in accordance with this contract;
(b) Undertake that we will act only on your instructions in relation to the processing of any personal data on your behalf;
(c) Undertake to provide [the services under this contract] at least to the level of security [set out in the Annex to this contract and] to allow you (or your representatives) access to any relevant premises owned or controlled by us on reasonable notice to inspect our procedures [described in the Annex to this contract] and will, on your request from time to time, prepare a report for you as to our then current technical and organisational measures used to protect any such personal data;
(d) Undertake to consider all reasonable suggestions which you may put to us to ensure that the level of protection we provide for personal data processed on your behalf is in accordance with this contract [and to make changes suggested unless we can prove to your reasonable satisfaction that they are not necessary to ensure ongoing compliance with our warranty and undertaking at (a) above.]
(e) Breach of any of the above warranties or undertakings will entitle you to terminate this contract forthwith.
Data Protection Handbook [PDF, 710KB]