The ICO has issued new guidance for organisations on when they will be a data controller and when a data processor, given the continuing confusion over the two roles. The distinction matters because under the Data Protection Act 1998 (DPA) only data controllers are directly subject to the Act's obligations; a data processor is bound only through its contract with the controller.

Under the DPA the data controller is the organisation that determines the purposes for which, and the manner in which, personal data is processed. It has overall control over the why and the how of the processing. A data processor is any organisation that processes personal data on behalf of a data controller.

When deciding whether an organisation is a data controller or a data processor, the ICO suggests asking who makes certain decisions: whether to collect personal data at all and on what legal basis; which data to collect; the purposes of collection; which individuals to collect data from; whether to disclose the data and to whom; whether subject access rights apply; and how long to retain the data. These are all decisions that a data controller would take.

The guidance states that the decisions a data processor is more likely to make concern the technical aspects of the processing: which IT systems or methods are used to collect the data, how the data is stored, what security measures are applied, how the data is transferred to and from other organisations, how it is retrieved when necessary, how compliance with a retention schedule is ensured, and how the data is deleted or destroyed.

However, the ICO recognises that modern business relationships are complex and that the parties' responsibilities vary from one relationship to the next. It suggests that the key question is the degree of independence and the degree of control that an organisation has over the processing activities.

The guidance provides several examples of applying these factors to common business relationships, including engaging a market research company (a data controller), contracting with a third party payment company (a data controller), appointing professional services firms (data controllers) and outsourcing data storage (a data processor).

Having established the status of the parties, the guidance gives recommendations on how such relationships should be governed to ensure compliance with the DPA. The key message is that, whatever the parties' status, organisations should have a written agreement in place that clearly sets out each party's responsibilities and obligations in relation to processing the data. Key points to cover in the agreement are how the data may be used, whether it may be disclosed, the security requirements, the use of sub-contractors, assistance with subject access requests and transfers overseas.

The guidance also reminds organisations that even where they act as a data processor for their customers in supplying services, they will still be a data controller in respect of their own business activities, for example the processing of data about their own employees.