Guide to Data Protection Act for Data Controllers
What is a data controller?
If you exercise control over personal data by making decisions about why and how personal data is handled, you are the data controller.
The DPA defines a “data controller” as:
As a data controller, you are responsible for applying the requirements of the DPA, applying the data protection principles to the personal data which you process (or which are processed by someone else on your behalf), and cooperating with investigations by the Ombudsman.
As a data controller you are also responsible for ensuring that the data protection principles are complied with in relation to personal data being processed on your behalf (by a data processor).
A data controller can be any legal person, i.e. an individual, corporation, either aggregate or sole, or any club, society, association, public authority or other body, of one or more persons.
Where you, as a data controller, decide together with another organisation about how and why personal data is processed, you will be a joint data controller together with the other organisation. This means that both entities are jointly responsible for complying with their obligations under the DPA. While not explicitly mentioned in the DPA, it is best practice for joint controllers to enter into a joint controllership agreement, which will lay out the parties’ respective responsibilities. It should be noted that the information requirements under the first data protection principle (fair and lawful processing) will mean that the essence of the joint controllership agreement should be communicated to the individual.