The Information Commissioner recently published a report following a series of visits to Victims’ Services Alliance Organisations. These are typically charities but the report is also aimed at non-charitable volutary organisations.
One issue touched is the question of identifying who is a data controller and who is a data processor. ICO found that service agreements did not always refer to data protection, information security or any records management procedures. It was sometimes unclear, in terms of the DPA, who was the data controller or data processor and what would happen to the personal data they are holding should the relationship with the organisation break down, or the agreement be terminated. ICO recommended:
Organisations should refer to the ICO’s data controllers and data processors guidance which explains the difference between both categories and the implications for the organisations concerned. Once the relationship has been determined, this should be formally documented along with the relevant roles and responsibilities. Create a counsellor’s agreement which covers, as a minimum, the security provisions that are expected for any documents containing personal data about a client, and the response times that are expected to be met for any requests for information from management.
Unfortunately, as practitioners well know, deciding what is what in this area, is often very difficult, and involves interpreting the definitions of data controller and processor in section 1 of the DPA. This is likely to become an increasingly important issue as some public services are ‘contracted out’ to charities and other voluntary organisations.
The controller is the person who “who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed;” and the processor is someone “other than an employee of the data controller, who processes the data on behalf of the data controller”. To make matters worse, in some situations a person may be both controller and processor.
There are some clear pitfalls to avoid, and these will be considered in the light of a fairly typical situation of a Local Authority handing over the running of a local library to a voluntary community organisation. Under the 1964 Public Libraries and Museums Act, councils have a duty to provide a ‘comprehensive and efficient’ public library service. Running a library service inevitably involves handling personal data of customers. Whilst this may well not technically be ‘sensitive personal data’ it can have sensitive and confidential implications: type of book borrowed, websites visited on library computers etc.
As this is a statutory function, the Council is often likely to remain data controller in relation to the customer data. It remains the Council’s purpose, and in most cases it will still be run to Council processes. The voluntary organisation (“VO”) would then be a data processor, with all the implications for the Council & VO under principle 7 including:
- appropriate contractual terms dealing with DP responsibilities
- due diligence by Council in appointing and monitoring the running of the service
- VO responsible for taking appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to the personal data including vetting and training ‘staff’ – although the agreement could of course pass this back to the Council in reality
In such an arrangement, where the VO is purely a data processor, it is probably not necessary (at least in DP compliance terms) that the Council obtains customer consent for the new arrangement, although the requirement of fairness (and political reality) suggests that they should be told.
However it is possible to imagine other ways of farming out this service where the VO actually has some leeway to provide new and innovative services outside the core duties imposed on the Council, which it would determine and manage for itself. In such a case the VO could become a data controller in relation to using personal data for these purposes. In this case there would almost certainly need to be a renewal of customer consent which would have to be managed carefully before the VO could use the personal data.
Great care must also be taken over the status of the ‘staff’ themselves. There is a difference, not often recognised, between pure volunteers, and ‘voluntary workers’. Because of the definition in DPA. a pure volunteer, i.e. someone who does not have any form of contract of employment or contract to perform work or provide services and is under no obligation to perform work or carry out instructions and can come and go as they please with no expectation of any reward, would have to be regarded as a data processor in his or her own right, as they would not be an ’employee’ of the VO. It would be almost impossible for either Council or VO to comply with its data protection obligations if such a volunteer had access to personal data.
The VO should therefore employ “voluntary workers” with a formal contract within the meaning of s44 of the National Minimum Wage Act. This would be sufficient to make them an ’employee’ in the terms of the DPA definition, and the contracts should have appropriate confidentiality clauses. The VO would then take vicarious liability for the acts of the volunteers.