Data Controllers are defined by their responsibility, not by their job title. If a person makes certain decisions with regards to data then they are de facto Data Controllers regardless of job title. It should be understood that the Data Controller is the person responsible for how the personal data is processed. If this authority is removed from them they cease to be the Data Controller.
Section 1.(1) of The Data Protection Act 1988 (The DPA) defines data controller as;
A person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.
‘Person’ in this context means a ‘legal person’ and comprises individuals as well as organisations.
The subsection means in effect that any company which stores personal data will have a Data Controller.
The Data Controller can work alone or may share responsibility jointly or in common with others. ‘Jointly’ is where a group all act together equally whereas ‘in common’ is where there is a common pool of data where each Data Controller processes the data independently of the other.
The duty of a data controller is:
to comply with the Data Protection Principles in relation to all personal data with respect to which he is the data controller. (S.4(4))
The Eight Principles as defined in The Act require the data to be:
- fairly and lawfully processed,
- processed for limited purposes,
- adequate, relevant and not excessive,
- accurate and up to date,
- not kept longer than necessary,
- processed in accordance with the individual’s rights,
- not transferred to a country outside the EEC unless it has adequate protection for the individual. Safe Harbour in the USA does not provide adequate protection for the individual. [LINK]
Whilst the Data Controller can be penalised for any breaches of these Eight Principles, responsibility for complying with The DPA still remains with company and cannot be devolved.
The Data Controller is also the interface between customer and company and has the duty to deal with subject access requests.
Chapter 4 of The DPA covers the rights of an individual. In brief it requires that when an individual so requests in writing, including via electronic means, and after paying the fee, the Data Controller must inform them if they, or someone on their behalf, is processing that individual’s personal data. If so they must be given a description of the personal data, the purpose for which they are being processed, and those to whom they are or may be disclosed.
The individual is also entitled to be informed of all the information which forms any such personal data.
A Data Controller might not process the data themselves. This can be devolved to a Data Processor although The DPA makes it clear that the Data Controller is responsible for the actions of a Data Processor when they are carrying out any duties on behalf of the Data Controller.
The role of Data Controller is a vitally important one not only to ensure compliance with the requirements of The DPA but to foster trust between customers and those who use email marketing.
The full text of The DPA can be found at:
The Information Commissioner’s Office helpline contacts are:
tel, 01625 545 745, fax, 01625 524 510, email, firstname.lastname@example.org