What should we consider when acting as joint controllers?
In detail
- What do we need to consider if we are acting as joint controllers?
- What are the responsibilities of the “contact point”?
- Do we need to consult with joint controllers before responding to a SAR?
- What happens if we are only processing some of the requested information for joint purposes?
- Can we consult other competent authorities when deciding whether to apply a restriction?
- What happens if independent controllers are processing the same information for different purposes?
What do we need to consider if we are acting as joint controllers?
Where two or more competent authorities jointly determine the purposes and means of processing personal information, they are acting as joint controllers.
If you are acting as a joint controller, you must:
- have an arrangement in place with your fellow joint controllers that clearly and transparently sets out each of your responsibilities under Part 3, including how you deal with SARs; and
- specify a contact point that is one of the joint controllers.
Example
Separate policing organisations have a statutory remit to enter into a collaboration agreement to investigate serious crime. The agreement sets out the respective functions of officers and staff at each organisation.
As the organisations are processing personal information as joint controllers, they must have joint arrangements in place that allocate each organisation’s data protection responsibilities.
What are the responsibilities of the “contact point”?
Joint controllers must, in their joint arrangements, name one of the joint controllers as the contact point. You must not appoint a third party as the contact point or have more than one contact point.
Each joint controller should name the contact point on their websites or in other communications, and direct people to make their SAR to the named contact point, where possible. However, a SAR counts as received as soon as any of the joint controllers receives it.
If any of the joint controllers receives a SAR, you should forward it to the contact point as soon as possible. Your joint arrangements should make provision for this. In general, you should make each joint controller aware of every SAR.
The joint arrangements must clearly set out the duties of each joint controller about SARs. The contact point often takes responsibility for all aspects of complying with the SAR (including performing reasonable searches, redacting, and providing (or refusing) the information). However, these duties may be allocated amongst the joint controllers. The contact point could coordinate responses to a SAR, by liaising with the other joint controllers, as appropriate, subject to the terms of the joint arrangements.
Your joint arrangements should make it clear if people can make a SAR to each controller, or to the contact point only. Your arrangements should also set out who people may complain to, if they are unhappy with your response. Each controller must comply with their specific responsibilities under the terms of the joint arrangements and also with their statutory data protection obligations.
While you must not delegate the role of the contact point to a third party organisation, this does not prevent joint controllers from outsourcing certain aspects of your SAR work to a processor (eg performing reasonable searches).
Do we need to consult with joint controllers before responding to a SAR?
Depending on the circumstances, you could seek the views of other joint controllers about how you respond to a SAR. You should include provisions in your joint arrangements for notifying other joint controllers before responding to a SAR.
Example
Two government agencies (Agency A and Agency B) use shared information access systems to process personal information for law enforcement purposes. They are acting as joint controllers. Their arrangement specifies that Agency A is the contact point for SARs and is responsible for responding to them. The arrangement also states that Agency A will consult with Agency B to decide how to respond to a SAR.
Agency A receives a SAR.
Agency A informs Agency B about the SAR and seeks its views before deciding how to respond. Agency B believes disclosing some of the information may put another person at risk. It believes that it is necessary and proportionate to apply a restriction (to protect another person), and provides evidence to support this.
As set out in the joint arrangement, Agency A is responsible for complying with the SAR. It should carefully consider Agency B’s arguments, to decide whether it should apply the restriction (including whether it is necessary and proportionate to do so).
On the basis of the joint arrangement, Agency A may be subject to enforcement measures by the ICO if the ICO does not agree with the use of the restriction. However, Agency B may be required to assist with the ICO’s investigations.
What happens if we are only processing some of the requested information for joint purposes?
There may be circumstances where a number of organisations are acting jointly in relation to one aspect of their processing. However, they may be acting independently in carrying out other processing activities.
If some of the information falls within scope of the joint arrangements, the joint controllers with responsibility for responding to SARs must deal with this part of the SAR.
Example
A number of organisations (Agency A, Agency B, Agency C, and Agency D) are able to access a shared database that contains information about people’s criminal convictions. Agency C owns and manages the system on behalf of the other agencies. The information is processed under Part 3.
Each of the agencies is an independent controller in its own right. However, they are joint controllers for the information stored on the shared database. Agencies A, B, C, and D have joint arrangements that set out each of their data protection responsibilities under the DPA 2018, including their arrangements for dealing with SARs.
The arrangements specify that Agency C is the contact point and responsible for responding to SARs.
Agency D receives a SAR from someone requesting “all the information you hold about me”. Agency D is an independent controller for most of the information it processes about the person. However, the information held on the shared database is also within scope of the request. As Agency D is not the contact point for the information held on the shared database, it forwards the SAR to the named contact point, Agency C.
Agency C must respond to the element of the SAR that concerns the information held within the shared database.
Can we consult other competent authorities when deciding whether to apply a restriction?
It depends. During the lifecycle of a criminal case, a person’s personal information is likely to be processed by a number of competent authorities. For example, police obtain information for the purpose of investigating crime. If the prosecution service reviews the information to decide whether or not to pursue a prosecution, but does not issue instructions about the investigation, the police and the prosecution service are working collaboratively, yet independently of each other, and make decisions separately. They are not necessarily joint controllers, but are likely to share personal information in the course of a criminal case.
There is nothing in the DPA 2018 that requires you to only consider your own specific circumstances in deciding whether to restrict access. It is not usually necessary or appropriate to consult other organisations before you respond to a SAR. However, if you believe there may be a risk of serious harm in disclosing the information, you may wish to do so.
In these circumstances, you should base your decision on evidence provided by the other controller. You are responsible for complying with the SAR and must not restrict the right of access or speculate about risks without proper justification. You should be able to justify why you consider applying a restriction is necessary and proportionate. You must also respond to the request within one month.
If independent controllers share information with each other, you should have a data sharing arrangement in place.
What happens if independent controllers are processing the same information for different purposes?
There are likely to be circumstances when you and another organisation are processing the same personal information for different purposes (eg law enforcement and general purposes).
For example, a hospital shares information with police about the nature of the injuries sustained by a victim. The hospital is processing the information under the UK GDPR, while the police are processing it under Part 3.
If you are processing personal information under Part 3, you could apply a restriction under Part 3 of the DPA 2018. You could also consult other organisations before you respond to a SAR, if you have identified a potential risk of serious harm. If you consult another organisation, you must still respond to the request within one month of receiving the SAR.