Out of control

Jun 4, 2014 | Data Protection, ICO, Information Security

Heralded by an annoying quiz that seemed to bamboozle everyone who tried it (and which has mysteriously vanished from the website; *UPDATE*: it can be found here), the ICO has issued new guidance on data processors. It is called, with admirable brevity, ‘Data controllers and data processors: what the difference is and what the governance implications are’. The problem it aims to solve is mentioned early on:

We are producing this guidance because of the increasing difficulty organisations can face in determining whether they or the organisations they are working with have data protection responsibility.

I’m not entirely sure the guidance is any help. Let’s take one of the examples from the second part of the guidance: the market research company. Despite the fact that the organisation which contracts the market research company “retains overall control of the data in terms of commissioning the research and determining the purpose the data will be used for” (i.e. does what a data controller does), the ICO guidance decides that the research company is the data controller because it decides which customers to select and what questions to ask. The research happens only because the client wants it to, and only to find out what the client wants to know, but somehow, 2 + 2 makes 5 and the research company is a data controller. The same is true – apparently – for third party payment handling companies, for IT services companies (the example used is a third party doing vehicle monitoring on behalf of a car hire company), for accountants, and for solicitors. As soon as a data processor does anything beyond the laborious following of technical instructions, the ICO sees them as controllers.

This is wrong, and it is stupid. In all of these examples, the client decides what data will be processed and why, and their contractor does the work on their behalf. The ICO is not skilfully negotiating what it calls the “complexity of modern business relationships”, something that few of the ICO’s staff ever experience unless they leave Wilmslow. It is turning white into black, and with consequences.

Following the ICO’s train of thought, if organisations want to share data with a lawyer, a solicitor, a market research company or an IT services company, they are obliged to tell data subjects that their data is being shared. This is what happens when one data controller shares data with another. They must identify a condition for processing the data – e.g. consent, or a legal obligation. You might think this sounds like it is in the data subject’s interests and perhaps a good thing, but there’s more.

A data controller decides who to share data with. It determines the level of security, the retention period and the purposes for which the data will be used. Your market research company may choose to retain your customer data and use it for other projects. Your solicitor or accountant may choose to sell your customer data to claims management companies. A data processor that retains or reuses its client’s data without the client’s consent is likely to commit a criminal offence. A data controller that decides how to use data that it holds – even if received from someone else – is simply doing what a data controller does. The ICO’s view of market research companies is particularly eccentric given that they have previously ordered organisations to retrieve data from market research companies under FOI, on the sound reasoning that the market research company held the data solely for the organisation’s purposes.

But this is not the punchline. I’ve blogged several times about the ICO’s apparent blindness to the existence of the Royal Mail and courier companies. They’ve finally been good enough to publish their position. Couriers are neither controller nor processor because “Processing personal data, including holding it, implies a degree of access to or ability to control or use the data itself, not just physical possession of the letters or parcels that contain the data”. I completely disagree with this proposition. The extended definition of processing includes ‘transmission’ and ‘destruction’, both of which can be carried out without access to the data concerned.

However, let us assume that the author is correct. Couriers are in “physical possession of the mail but may not open it to access any personal data or other content”. The same is true of an archiving company, which does not even move data from A to B, but simply takes delivery of a sealed box and returns it or destroys it without access to the data. The same is true of specialist IT firms that destroy hard drives and other data storage by means of physical destruction (for example, using the industrial guillotine promised but not delivered by the data processor in the NHS Surrey case, the identity of which the ICO insists on keeping secret). The Data Protection Act does not put couriers into this state of limbo, so the ICO have to explain why their interpretation applies to couriers but not other types of organisations who are in exactly the same situation.

This is important because the ICO has in the past served civil monetary penalties totalling more than £500,000 on organisations for breaches involving data processors who fit the same bill. In both cases, Brighton and Sussex University NHS Trust and NHS Surrey received their penalty because they did not have proper contracts with data processors who were in physical possession of the drives but “may not open it to access any personal data or other content”. In both cases, an errant data processor sold hard drives instead of destroying them. Just as the Royal Mail handles sealed envelopes, these processors handled physically sealed drives. Opening the envelope without permission is exactly the same as connecting the hard drive to read its contents. But according to this new guidance, the Royal Mail is not a data processor and failure to have a proper contract is no breach, whereas hard drive renderers are data processors and failure to have a proper contract is a breach with a price of £200,000 – £325,000.

A wise person pointed out to me recently that it’s important to know what the ICO thinks, even when they’re wrong. That’s true, but only so you can argue with them properly. In the end, this is only guidance, and it doesn’t change the law. I imagine the Tribunal will make mincemeat of it should the ICO ever be foolhardy enough to base any action on its contents, but I doubt it will ever come to that. Should you wish to read advice on data processors, track down the old ICO guidance (called ‘Identifying Data Controllers and Data Processors’, and dated 14/03/2012). It’s a little bit laborious but only because whoever wrote it shows real awareness of the murky territory they were trying to navigate. It’s still good, balanced guidance and for all practical purposes has not been superseded by the new one. Until someone notices and corrects what I can only assume the intern has done, tread carefully.

UPDATE: Thanks to C.Miller in the comments for pointing out where the missing quiz can actually be found.