You might wonder, when you are offered the role of data controller, whom you have upset. However, the role is a vitally important one not only to ensure compliance with the requirements of The Data Protection Act 1998 (The DPA)) but to foster trust between customers and those who use email marketing.
Section 1.(1) of The DPA defines data controller as a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.
‘Person’ in this context means a ‘legal person’ and comprises individuals as well as organisations.
The DPA goes on to provide that it is the duty of a data controller to comply with the Data Protection Principles in relation to all personal data with respect to which he is the data controller" (s.4(4)).
The role of data controller is one of responsibility and as such those who perform it should exercise a degree of control over all the procedures with regards to processing personal data to be regarded as such in law.
It can be seen from the definition that it is the function that defines the role. If a person, either individually or together with another, decides the purpose for which the personal data is to be processed then they are the de facto data controller, regardless of job description. The Information Commissioner has stated that: “. . . when a person determines the purposes for which personal data are to be processed, a decision as to the manner in which those data are to be processed is often inherent in that decision.”
It is these functions which define who, under The DPA, is the data controller.
A further responsibility of the data controller is the data processor. Those who were familiar with the term ‘data user’ under the 1984 Act should be aware that it could now refer to either the data controller or a ‘data processor’, the later being defined in The DPA: “in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.” Anyone unsure of which definition applies should make enquiries to The Information Commissioner’s Office.
However, The DPA makes it clear that the data controller is responsible for the actions of a data processor when they are carrying out any duties on behalf of the data controller.
Chapter 4 of The DPA covers the rights of an individual. In brief it requires that when an individual so requests in writing, including via electronic means, and after paying the fee, the data controller must inform them if they, or someone on their behalf, is processing that individual’s personal data. If so they must be given a description of the personal data, the purpose for which they are being processed, and those to whom they are or may be disclosed.
The individual is also entitled to be informed of all the information which forms any such personal data.