What the law says:
" "data processor", in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller;"
The Act imposes obligations on a data controller in respect of the use of data processors. These obligations are set out in paragraphs 19 and 20 of Schedule 1 to the Act.
Paragraph 19 states:
"Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller must in order to comply with the seventh principle:
(a) choose a data processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out, and
(b) take reasonable steps to ensure compliance with those measures."
Paragraph 20 states:
"Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller is not to be regarded as complying with the seventh principle unless
- the processing is carried out under a contract
- (i) which is made or evidenced in writing, and
- (ii) under which the data processor is to act only on instructions from the data controller, and
- the contract requires the data processor to comply with obligations equivalent to those imposed on a data controller by the seventh principle."
What it means:
A data processor is a person who undertakes certain functions on behalf of the data controller.
A data processor acts only on the instructions of the data controller and does not take any decisions as to the use of the personal data supplied to it, nor can it use the personal data for any other purpose.
They generally act under strict contractual conditions, often referred to as 'outsourcing'. Examples of this are call centres and payroll, or mail, administration services and hosted services (including cloud).
Data controllers remain responsible for ensuring that their processing complies with the Act, whether they do it in-house or engage a data processor. In particular, data controllers must ensure that data processors have appropriate security measures in place for the personal data entrusted to them.
Where roles and responsibilities are unclear, they will need to be clarified to ensure that personal data is processed in accordance with the data protection principles. When distinguishing between a data controller and a data processor the greatest weight should be placed on identifying whose decision to achieve a “business” purpose has led to personal data being processed.
For these reasons, data controllers should choose data processors carefully and have effective means of monitoring, reviewing and auditing the processing undertaken by the data processor, in particular the security arrangements.