You’ve Got Mail

May 26, 2013 | Data Protection, DPA, ICO

Data Protection has two types of organisations. The Data Controller is one with the responsibilities: they decide how personal data is processed, and so are subject to the eight Data Protection principles and all of the associated challenges, problems and heartaches. Even if they outsource an entire process like payroll or HR to a data processor to deliver on their behalf, they retain legal responsibility. If information is lost or stolen and it turns out that appropriate security is not in place, the Data Controller is liable regardless of how incompetent the processor turned out to be.

The Data Processor is just that; a processor, a contractor carrying out specific tasks according to instructions, bound by the contract and by the specific requirements put on them by the Controller. Despite the fact that a subcontractor apparently spirited hard drives containing very sensitive data out of a hospital in Brighton instead of disposing of them, without the hospital’s management’s knowledge, it was the hospital trust who paid the £325,000 penalty, not the errant processor.

So what is the Royal Mail?

Logic seems to dictate that the Royal Mail is not a Data Controller. They do not decide that bank statements, summonses, medical test results, marketing and invoices are sent through their network. They accept, sort and deliver the post on behalf of Data Controllers. In normal parlance, they process it. But this immediately gives us a problem.

The Data Protection Act is famously open to interpretation on a wide variety of topics, but in describing the relationship between controller and processor, it is remarkably specific and demanding. Schedule 2, Part II, Section 9 of the DPA sets out a DP rarity: RULES

  • The Data Controller must select a processor offering guarantees over technical and organisational security measures
  • The processing must be carried out under a contract “which is made or evidenced in writing” and
  • The Data Processor is to act only on the instructions of the Data Controller
  • The Data Controller must take reasonable steps to check compliance with the contract

So when I posted some personal data yesterday, what was the Royal Mail’s role, and what were my responsibilities? I haven’t selected them particularly over TNT or DX (experience and anecdote tells me that one of those two is more secure than Royal Mail and the other is less) – I picked them solely on the basis that it was convenient. I didn’t give the Royal Mail any instructions beyond the tacit one that my properly addressed envelope should be delivered to that address. And crucially, there is no contract made or evidenced in writing. I just posted it and went on my way.

I am the Data Controller for that data. I certainly don’t expect the Royal Mail to open the letter and decide that actually, the contents are not accurate and should in fact be routed to a pet shop in Stroud. I expect the letter to be delivered and nothing more. But if the letter goes missing, is delivered to the wrong address or stolen, would the Information Commissioner do anything about it (assuming of course that I told the Information Commissioner about the incident, which given that I work in the private sector, I wouldn’t; I’d just keep it secret like everyone else in the private sector does)? Would the Information Commissioner see the Royal Mail – and every other courier – as data processors? I’ve never dealt with delivery firms from a work perspective, but I cannot see how you would sign up to a regular contract with a courier without dealing with Principle 7 and other information security matters in the contract. I’m certain that the ICO would expect you to do so and contemplate enforcement action if you didn’t.

So why don’t we need a written contract with the Royal Mail, and why isn’t the Information Commissioner telling us all to get one?

I’ve started this argument – largely to annoy other people – many times, and the opposing view often seems to be based on the fact that Royal Mail cannot be a Data Processor because of the inconvenience of that being true. That is, of course, irrelevant. I might be wrong to think that they’re processors, but only because I’m reading the DPA incorrectly, not because it would be difficult to comply with. Data Protection takes inconvenience into account, allowing Data Controllers to withhold fair processing information or copies of personal data requested under subject access if provision requires “disproportionate effort”. The need for a written contract isn’t similarly dropped.

The only consistent counter-argument against my theory I have encountered is that the Royal Mail is not actually processing the data. It remains sealed inside an envelope or package while in their hands, and they don’t do anything with it other than take it from one place to another. Delivery companies are possibly different to those that destroy information, for example, as Section 1 of the DPA specifies that ‘processing’ includes ‘destruction’. There is no question that the man who shreds your paper or disposes of your hard drives is a data processor because of that word. This argument runs that none of the terms in Section 1 covers the delivery of a sealed envelope – but that is to argue that delivering a letter isn’t ‘holding’, ‘transmitting’ or ‘disseminating’ on behalf of the Data Controller. I think this is nonsense, because I believe that the Royal Mail do all three.

Last October, the third sector adoption agency Norwood Ravenswood received a £70,000 Civil Monetary Penalty after one of their staff left a package of sensitive documents in a concealed area of a prospective adopter’s house, only for the information to go missing before the adopters returned home. It makes no sense to me that somehow if they had engaged the Royal Mail to deliver the package instead of them, Royal Mail would not be a data processor in that scenario. I don’t think the Data Protection Act conceives a role for ‘Unspecified Harmless Middleman’ – in any given situation where personal data is involved, you’re surely either a processor or a controller.

I see no reason why the Royal Mail should be seen differently than any other delivery company, so I see only two possibilities. In box number one, we’re all in breach of the 7th principle every time we post something in a work capacity. Banks, hospitals, insurance companies, councils, government departments, training companies – we’re all breaking the law unless we have a written contract with the Royal Mail. In box number two, there is something magic and special about the process of delivering mail that makes it different to the storage or destruction of personal data, which everyone seems to agree is a processor role. If this is the case, nobody needs a written contract with DHL, TNT or any of the other delivery companies around.

My more astute colleague Jon Baines has already ruminated to meaningful effect on the role of processors here, and unlike him, I don’t have a substantial and provocative point on which to end. It just strikes me that some kind of Doctor Who style reality distortion field has been erected around the Royal Mail. It’s like wallpaper or carpet, just part of the surroundings. Thousands of items go missing every year (in other words, they are delivered to the wrong place or are stolen), many of them containing personal data. These losses have consequences – concrete things like lost money, credit card and bank fraud, and distress to many people that is harder to quantify but deserving some kind of remedy. I think the current limbo is problematic – Data Controllers are not called upon to consider whether the Royal Mail really is a suitable way to transmit information, and the Royal Mail are not forced under contract to meet legitimate obligations.

Of course, if you’ve got this far and you’re determined to make the argument that the Royal Mail cannot possibly be a Data Processor because that would mean every non-domestic user of their services would have to make them sign a contract, then I believe that the only rational alternative is that somehow, the Royal Mail must actually be a Data Controller after all. As it happens, this would suit me just fine, even though I don’t actually agree with it. I think the Royal Mail should be forced to account to someone for all the data that gets lost (and, ahem, the invoices). An investigation or audit by the Information Commissioner doesn’t seem to me to be that bad an idea. Of course, none of this will happen – the ICO often doesn’t take action even when the issues are cut and dried – but nevertheless, the next time you post something, ask yourself why the envelope has just disappeared into a black hole.