Data controller and data processor

To support overall information governance and to build trust and confidence, it is important that roles and responsibilities are clearly understood by all partners involved in the sharing of personal data.

Risks (and penalties, if found to be at fault) will be reduced by defining, agreeing and establishing:

  • Who will be responsible for certain aspects of the information sharing process
  • Who is responsible for the processing of the data
  • Who has overall responsibility

The definitions below are from the Information Commissioner’s Office (ICO) and may help you to decide on roles and responsibilities for the processing of data.

Data controller
A person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.

Data processor
In relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.

Processing
In relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including:

(a) organisation, adaptation or alteration of the information or data,
(b) retrieval, consultation or use of the information or data,
(c) disclosure of the information or data by transmission, dissemination or otherwise making available, or
(d) alignment, combination, blocking, erasure or destruction of the information or data.

Further reading

Further terms can be found in the ICO glossary of terms at the link below:
Key definitions of the Data Protection Act

This link is to a blank data processor agreement which includes guidance:
Data processing agreement (DOC)