Data Protection – what you need to know
If you store personal data about individuals, you should be registered with the UK Government’s Information Commissioner’s Office (ICO) as a Data Controller. A personnel system is an obvious example of a system that stores personal information.
Whether you store the information on your own hardware at your office, on a hosted server, or in a cloud-based software service (also known as Software as a Service, or SaaS), you should be registered.
It is sufficient for the business itself to register – you don’t have to name an individual within your organisation with Data Controller responsibilities, as that employee might change. Registration is not expensive, but it will require you to provide some information about the nature of the data being stored. You will also need to be familiar with the eight principles of data protection set out by the ICO, which will help you comply with the Data Protection Act.
As IT has become more prevalent in everything we do, especially data collection, many IT systems are now used and managed by a chain of organisations: some provide support, others are subcontracted or paid to run the systems that gather or provide personal information. With this in mind, a clear distinction has been made between Data Controllers and Data Processors.
In simple terms, a Data Controller is an organisation that decides to collect and store personal information in an organised or structured form, usually in an IT system. That system might be software or a database bought off the shelf, a bespoke system written specifically for the organisation’s needs, or software as a service (SaaS).
In all cases it is the organisation that decides to collect and store the information that has Data Controller responsibilities. This responsibility cannot be passed on to another organisation, even if other organisations are involved in collecting or managing the data, or are providing the IT systems or IT support concerned.
Only Data Controllers can register with the ICO, and Data Controllers have sole responsibility for ensuring that any systems they use adhere to the relevant laws and to the eight principles set out in the guide linked at the end of this post. For this reason, it’s important that Data Controllers familiarise themselves with the requirements.
Data Processors are organisations that assist with the processing of data collected by, or on behalf of, a Data Controller. Data Controllers may rely on third-party Data Processors to help them adhere to the principles of the Data Protection Act, which is why Data Processors, although unable to register with the ICO themselves, should also be familiar with the principles involved.
The following resources from the ICO are useful for both Data Controllers and Data Processors:
The ICO’s main website
The ICO’s guide to data protection including the eight principles involved
The ICO’s guide to help differentiate Data Controllers and Data Processors
The guides are well written, and provide greater clarity and more detail on this subject. They’re definitely worth reading, and are essential if the topic is relevant to you and your business.
We operate as Data Processors for various organisations, whether they are using our software services or our IT Support service.