Data controller and data processor

To support overall information governance and to build trust and confidence, it is important that roles and responsibilities are clearly understood by all partners involved in the sharing of personal data. Risks (as well as penalties if found to be at fault) will be reduced by defining, agreeing and establishing:

  • who will be responsible for certain aspects of the information sharing process;
  • who is responsible for the processing of the data; and
  • who has overall responsibility.
The definitions below are from the Information Commissioner’s Office (ICO) and may help you to decide on roles and responsibilities for the processing of data.
 
Data controller
A person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.
 
Data processor
In relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
 
Processing
In relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including:

(a) organisation, adaptation or alteration of the information or data;
(b) retrieval, consultation or use of the information or data;
(c) disclosure of the information or data by transmission, dissemination or otherwise making available; or
(d) alignment, combination, blocking, erasure or destruction of the information or data.

Further reading
Further terms can be found in the ICO glossary of terms at the link below:
Key definitions of the Data Protection Act
 
This link is to a blank data processor agreement which includes guidance: 
Data processing agreement
 

Finding the information

Based on the data requirements identified earlier in the process, partners should undertake an information audit. This will ensure that relevant information needed by the project can be found easily.

The exercise can also be used to determine whether partners already hold data that could act as a proxy measure. This will save the time and effort of collecting client information that might already be stored by partners.

Details will need to cover:

  • what information is collected and from which source(s);
  • where and how recorded information is stored;
  • what the information is used for and how it passes between systems to end users; and
  • who is responsible for the information at both an operational and a strategic level.

The Information and Records Management Society have produced a useful document to guide you through the process of an information audit. It is available from their website at this link.

Define the scope of the audit

The pre-agreed information requirements of the project should help to define the scope of the audit.

There may be particular types of information which an organisation does not wish to examine, such as aggregated data or invalidated data. Some information may also have legal restrictions or limitations and should therefore not be included.

Partners should attempt to gain a broad understanding of the situation, rather than try to analyse every single piece of information. Keeping the audit simple will give a clearer understanding of the task and help to avoid scope creep, which could compromise the exercise.

The most productive way of discovering the main systems and information flows is to talk directly to the people who manage them. Find out what managers are responsible for specifically, what information and systems managers depend on and who is responsible for those systems. It is also helpful to speak directly to the daily users of these systems as they may be aware of issues which are relevant to the audit.

Given that a key reason for undertaking this audit is to source the information required for the project, it is essential to document findings. This will form the basis of future data sharing and should consist of:

  • A list of data-sets and owners
  • Details of organisational information flows including:
    1. Methods
    2. Formats
    3. Frequencies
    4. Special requirements
  • A list of the information contained in each data-set

To fully understand where information comes from and the way information flows work, it could be useful to produce a data flow diagram.

The example below may be useful:

Data flow diagram for antenatal and postnatal contact details

What information do you need to share and where is it?

Before the legality of sharing information can be considered, it is important that work has been carried out to understand the purpose of the project as a whole. In particular, there should be a clear idea of how information sharing will be of benefit to the project and what information needs to be shared.

The information requirements for any project need to be discussed and identified to ensure that the correct information is gathered or collected from the most appropriate source. The earlier this can be done, the better, as it will form the basis of the search for legal gateways to information sharing, as well as the development of information sharing protocols and agreements. It will also inform the design of information gathering tools for use throughout the project and the later measurement of the success, or otherwise, of the project.

Discovering information requirements can be done most effectively by:

  1. Understanding the purpose of the overall project, including specific goals
  2. Identifying and understanding stakeholders
  3. Identifying the best sources of information
  4. Documenting the information requirements

Once these stages have been completed and the information requirements catalogue is available, the quality of the information should be assessed to ensure that it is fit for purpose.

How do you decide the legal basis for sharing?

Use the flow chart below to help you to work through the questions which you need to ask yourself to decide if there is a legal basis for your project or initiative to share information.


 

For a more in-depth look at this, please download the following document: Process-for-deciding-the-legal-basis-for-sharing-information, and take a look at the Information Commissioner’s Office data sharing checklist.

Deciding to share aggregate or anonymised data

We often talk about how to support those who are considering whether to share personal or sensitive information. However, services or organisations may receive requests to share information which is not personally identifiable, such as aggregate or anonymised data. The Data Protection Act (DPA) only covers information which relates to a living individual who can be identified from that data, and therefore the same considerations do not apply to anonymised or aggregated data. The tool on this page highlights the key issues to consider when making a decision to share information not covered by the DPA.
 
Tool:
Guidance on sharing non-personally identifiable information
 
Learning:
Information sharing to tackle violence
 
Further reading:
ICO draft consultation on anonymising data