- What are the seven principles of data protection?
- What are the ‘special categories’ of personal data?
- Are we a data controller, a data processor or a joint controller – and what’s the difference?
At its core, data protection has seven main principles. They are:
- Lawfulness, fairness, and transparency – using personal data in a way that complies with the law, and in a way your customers and staff expect and have been told about.
- Purpose limitation – only use personal data for the reasons you collected it, and not for something extra or unrelated.
- Data minimisation – limit the amount of personal data you collect to what you need. If you only need basic contact details of your customers to run your accounts, don’t ask for more information.
- Accuracy – the personal details in your records should be accurate and kept up to date.
- Storage limitation – only keep personal data for as long as you need it. When you no longer need it, it should be securely destroyed or deleted.
- Integrity and confidentiality (security) – personal data needs to be kept securely. You need to make sure that the details of your staff and customers is protected and that you can access those details.
- Accountability – this underpins the other six principles. It’s about taking responsibility, having appropriate measure in place, and keeping records to demonstrate how you achieve data protection compliance. Company owners should hold themselves accountable for getting it right.
In data protection law, ‘special category data’ means personal data that needs more protection because it’s sensitive. The special categories of personal data are:
- personal data about racial or ethnic origin;
- personal data about political opinions;
- personal data about religious or philosophical beliefs;
- personal data about trade union membership;
- genetic data;
- biometric data (where used for identification purposes) – this could be data such as fingerprints or retina scans;
- data concerning health;
- data concerning a person’s sex life; and
- data concerning a person’s sexual orientation.
If you’re processing special category data, you should give particular consideration to how and why the data is used, and make sure you only use it when it’s absolutely necessary. You should also take extra care to keep it safe.
You’re a data controller if you’re the main decision-maker when it comes to how people’s personal information is handled, and how it’s kept safe. Controllers can be a limited company, an organisation, charity, association, club, volunteer group or business of any size – including sole traders and people who work for themselves.
You’re a processor if you’re only acting on behalf of the instructions of a controller – if a business has hired you to process their mail, for example. As a processor, you wouldn’t be doing anything with the data if the controller hadn’t asked you to. It’s not up to you to decide what should happen to it, which means you’re only processing the information and not controlling it. However, you do have responsibilities to protect the personal data that you’ve been trusted with and to use it appropriately in-line with your contract with the controller.
The difference between controller and processor is important because someone ultimately needs to be responsible for making sure personal data is handled lawfully, fairly, and transparently, that people are protected from harm and that their information rights are upheld.
For example, Harry manages a chain of hair salons and he keeps a note of the names of his customers. It’s the customers’ personal data and they’re giving it to Harry so that he can provide them with a service. This information wouldn’t be kept in this way if Harry’s business didn’t exist, therefore Harry controls this information and – among other responsibilities – he’s ultimately responsible for making sure it’s accurate, accessible, and safe.
Harry’s business is considered the controller, not Harry personally. Harry is the only person responsible for everything to do with how his business is run, so the term ‘controller’ may not seem like it makes much difference on a practical level, but it does mean that Harry’s business continues to be the controller, even if Harry moves on or stops trading.
If Harry hires an IT services company to keep an electronic list of his appointments, the IT services company would be the processor for that data, and Harry is still the controller.
When it comes to joint controllers, this is a little less straightforward. But generally speaking, joint controllers decide together why and how personal data will be processed and will have the same or similar reasons for using the data. Controllers using the same data for different reasons aren’t usually joint controllers but this will depend on the circumstances.
If you’ve received a subject access request, you need to think about who's responsible for responding. Responsibilities are different depending on whether you’re a controller, processor or joint controller. Our step-by-step guide walks a controller through dealing with a request for information
If you’re unsure whether you’re the controller, the processor, or a joint controller in your situation, we’re here to help – please contact us.