Identifying controllers and processors in health and care
This guidance is designed to help information governance (IG) professionals identify whether health and care organisations are acting as a controller, joint controller or a processor in relation to the processing of personal data.
Data processing for research is not covered within this guidance. For guidance on controllers and processors in research, please see guidance from the Health Research Authority.
Guidance for IG professionals
Definitions
Controller
In the UK GDPR ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
A controller is an organisation that decides why and how personal data is used for a particular processing activity. Controllers are responsible for compliance with UK General Data Protection Regulation (UK GDPR) obligations – and, in most cases, the compliance of their processors (although processors also have their own compliance responsibilities under the UK GDPR). Their responsibilities include ensuring that the appropriate documentation and agreements are in place to support the data processing, such as Data Protection Impact Assessments (DPIAs), Data Sharing Agreements (DSAs) and Data Processing Agreements (DPAs). An example of a controller in health and care is a hospital or a GP practice in control of a patient record, or a care home responsible for care records.
Processor
In the UK GDPR ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
This is the organisation that processes data on behalf of the controller. A processor has more limited responsibility for compliance than a controller but is still accountable and contractually liable for their data processing activity and must be careful to only process personal data in line with the controller's instructions, otherwise they may be considered controllers themselves. They may make some decisions, but not on essential means of the processing (see further information on essential means below). An example of a processor in health and care is the provider of the IT systems used in hospitals or care homes.
Joint controller
The UK GDPR says that where two or more controllers jointly determine the purposes and means of processing, they shall be ‘joint controllers’.
Sometimes organisations may work together to make joint decisions about why and how data is used for a particular processing activity. In this case, the organisations making the decisions together would be considered joint controllers. An example of joint controllers is a group of health and care providers inputting into a shared care record.
Within a distinct processing activity, an organisation can only take on one role – this means that the same party cannot be both the controller and the processor for the same activity.
Within one activity you may have multiple controllers, joint controllers and processors.
Determining roles
Controllers
It is not necessary for a controller to have access to the data that is being processed to qualify as a controller, but they must determine:
- the purpose: this means that they decide why the data processing is happening, to what end or ‘what for’
- the means: this means ‘how’ the purpose will be achieved, what action and data processing will take place to achieve the objective (or purpose)
To determine whether an organisation is acting as a controller, consider:
- do they decide the purposes of collecting and using the data for the activity?
- do they decide what data should be collected and used for the activity?
- do they decide what security standards and retention periods should be set for the data?
- do they decide how long data needs to be processed for to achieve the aims of the activity?
- do they decide who can have access to the data and who it can be shared with as part of the activity?
- do they decide the lawful basis for the processing for the activity?
If the answer to these questions is yes, it is likely that the organisation in question would be considered a controller for the activity.
Joint controllers
To determine whether two or more organisations are acting as joint controllers, consider:
- do they together decide what data should be collected and used for the activity?
- do they together decide the purposes of collecting and using the data for the activity?
- do they together decide what security standards and retention period should be set for the data?
- do they together decide who can access the data and who it can be shared with as part of the activity?
- do they together decide the lawful basis for processing for the activity?
If the answer to these questions is yes, it is likely that the organisations in question would be considered joint controllers.
Joint controller arrangements require significant consideration to ensure that the responsibilities and liabilities are properly understood and documented by each party. It is not appropriate to use joint controller arrangements to allow access to data to another party, if they are not making joint decisions as detailed above.
Processors
To determine whether an organisation is acting as a processor, consider:
- do they process data for the activity purely on the instruction of another organisation?
- do they refrain from making decisions about the purposes of collecting and using the data for the activity?
- do they follow another organisation’s policies in relation to the data, such as security standards and the retention period for the data used in relation to the activity?
If the answer to these questions is yes, it is likely that the organisation in question would be considered a processor.
It is common for a controller to allow a processor to use their technical knowledge to make certain decisions about data processing and the practical elements of this. For example, an IT supplier may be able to decide on the best way to migrate data, but this is unlikely to make them a controller, unless they also decide on the key elements listed in the controller section of this guidance.
The European Data Protection Board has produced further guidelines on the concepts of controller and processor in the General Data Protection Regulation (GDPR), where they define ‘essential means of processing’ which an organisation may decide on to qualify as a controller.
The Information Commissioner’s Office (ICO) also provides further information in their guide to controllers and processors.
Sub-processors
Sub-processing occurs when a processor uses another organisation to perform the processing activities which the processor has been instructed to perform by the controller. This can only be done with the written permission of the controller (or joint controllers).
Commissioning
Where one organisation is commissioning another to provide a service, there may be a controller/processor relationship but that will not always be the case. It will largely depend on the purpose of the service being provided.
If the processing of personal data is central to the service being provided, and the commissioning organisation provides instruction regarding the processing of the data, then the service provider is more likely to be a processor.
If the processing of data is a supporting element, and less central to the service, then the service provider will often have more freedom and flexibility to determine how it will process personal data. The service provider is therefore more likely to be a controller.
Examples where the service provider would potentially be a controller include:
- delivering oxygen to patients at home
- running a crèche in a hospital
- providing outsourced Continuing Healthcare Assessments and reviews
In these situations, the commissioner of the service does not provide detailed instructions about how to process the data. The commissioner may require the service provider to comply with certain standards (such as following the NHS Records Management Code of Practice). However, if the service provider determines how it meets those standards, it is more likely to be the controller, rather than the commissioner.
Where the service provider is a controller, the commissioner will be neither controller nor processor as they do not have an involvement in the data processing and have simply arranged for the service to be delivered.
Where data processing is the main purpose of the service being commissioned, the service provider is more likely to be a processor and the commissioner the controller. For example:
- IT suppliers storing patient records electronically
- archiving companies storing organisational records
In these cases, the commissioner is more likely to give the service provider greater instruction on the means and purpose for processing the data. Each situation should be assessed individually to understand how much control the commissioner maintains over the data processing. Contracts must clearly state who the controller is, as they are responsible for the personal data.
Processing required by law
If an organisation is required to do something by law, it is likely that they will be the controller for that specific part of the process, even though, because it is a legal obligation, they do not have much control over whether to process the data.
An example may be when an organisation is required to share personal data as a result of a legal direction. In this case, the organisation sending the data will be controller for the processing required to send the information. The organisation which receives the data will be a separate controller for their receipt and use of the data.
Personal health record systems
Health and care organisations may use a personal health and care record system provided by an external supplier.
Those record systems can be used to offer services to patients and service users on behalf of the health and care organisation or on behalf of the system supplier.
For example, the supplier can allow a patient to access their GP record via a web portal or app controlled by their GP practice. This would be a service provided on behalf of the GP practice. In this scenario, the supplier is a processor on behalf of the GP practice which is the controller for the record.
Separately, the supplier may offer those patients the ability to record their own information on the platform, for example through an app. This information is not added to the GP record but it could be accessible to the GP practice with the patient’s consent. Where information is added to the platform but not the record, the supplier is considered the controller.
This should be made clear to users of these platforms so that they understand who is in control and responsible for which parts of the information viewed and added to these platforms.
Scenarios
Below are some scenarios to demonstrate how you may complete an assessment to determine the roles of each party. These are for demonstration only and are not intended to provide definitive answers about the roles of any party in an arrangement – it is important to assess your own arrangements individually to determine who is making decisions about what elements within your unique activity.
Scenario 1: A record keeping system
A hospital trust is looking to replace numerous departmental record-keeping systems with a single, trust-wide Electronic Patient Record (EPR) system from a single supplier.
The trust alone determines how the information will be managed and processed. They will be directing the supplier to assist with data migration to the new system.
The supplier will be acting under the trust's instruction, not to process data for their own purposes.
Assessment
| | EPR supplier | NHS trust |
|---|---|---|
| Do they decide the purposes of collecting and using the data? | No | Yes |
| Do they decide what data should be collected and used? | No | Yes |
| Do they set key policies for the data such as the security standards and the retention period? | No | Yes |
| Do they decide how long data needs to be processed for? | No | Yes |
| Do they decide who the information can be shared with? | No | Yes |
| Do they decide the lawful basis for the processing? | No | Yes |
| Are these decisions being made jointly with another organisation? | No | No |
| | EPR supplier | NHS trust |
|---|---|---|
| Do they process data purely on the instruction of another organisation? | Yes | No |
| Do they refrain from making decisions on the purposes of collecting and using the data? | Yes | No |
| Do they follow another organisation’s policies in relation to the data, such as security standards and the retention period? | Yes | No |
| If they wanted to use the data for their own purposes, would they need permission? | Yes | No |
Result
The NHS trust is the controller.
The EPR supplier is the processor.
Scenario 2: Commissioning a health service
An integrated care board (ICB) commissions a new podiatry service for its area, so that routine, low-risk procedures can be carried out at the patient’s home.
The podiatry service will decide what information they will collect to deliver the service while meeting the requirements of their contract with the ICB, maintain the records for the duration of their contract and share them as needed for the care of the individual.
At the end of the contract, responsibility for the records will fall to the commissioner (the ICB in this case), and under their instruction be transferred to the new supplier of the service, which may be an NHS or private provider. If the service is not re-commissioned, the ICB will instruct the transfer of the records to an appropriate place for storage. This is in line with the NHS Records Management Code of Practice.
This scenario provides an example where the answers may not be a straightforward ‘yes’ or ‘no’ to all questions. Where there is a mix of decision making, an assessment is needed about the degree of control each party has over the data processing and to what extent they determine the purposes and the means.
Assessment
| | ICB | Service provider |
|---|---|---|
| Do they decide the purposes of collecting and using the data? | Yes | Yes |
| Do they decide what data should be collected and used? | No | Yes |
| Do they set key policies for the data such as the security standards and the retention period? | Partially (through contract terms requiring compliance with certain standards or codes) | Yes |
| Do they decide how long data needs to be processed for? | Partially (see above) | Yes |
| Do they decide who the information can be shared with? | No | Yes |
| Do they decide the lawful basis for the processing? | No | Yes |
| Are these decisions being made jointly with another organisation? | No (while the purposes of collecting and using the data align, the decisions have not been made together) | No |
| | ICB | Service provider |
|---|---|---|
| Do they process data purely on the instruction of another organisation? | No | No |
| Do they refrain from making decisions on the purposes of collecting and using the data? | No | No |
| Do they follow another organisation’s policies in relation to the data, such as security standards and the retention period? | No | Partially (for example, the retention period may be determined by statutory requirements that the commissioner is subject to) |
| If they wanted to use the data for their own purposes, would they need permission? | No | Partially (likely not permitted by contract) |
Result
The service provider is the controller for the duration of the contract.
The ICB is neither a controller nor a processor for the duration of the contract but may become the controller if the contract is not extended or awarded to another service provider.
Further information
To be a controller, the organisation needs to determine both the purpose and the means of the processing.
The ICB has determined the purpose of the processing in this example by virtue of commissioning a specific service. They also put certain obligations on the service provider, such as following the NHS Records Management Code of Practice or prohibiting the use of information for purposes other than the delivery of the health service. On the whole, however, they have not determined enough of the specific means of the processing to be considered a controller. While the 2 parties’ purposes of processing align, the decision about the purpose has not been made together, therefore they are not joint controllers. They are also not doing any data processing under instruction, so they are not a processor.
The service provider in this example has determined all the means of the processing. The contract places some restrictions on how and why they use data to ensure compliance with legal and NHS standards, but the provider will be responsible for how they implement these standards. Therefore, for the processing that takes place in order to deliver the service to individuals, they are likely the sole controller.
Scenario 3: Commissioning a care service
A local authority contracts a private care agency to provide integrated care services for elderly residents. The goal is to offer care including daily living assistance, health monitoring, social support and emergency response to enable elderly individuals to live independently at home.
The local authority commissions the services while the care agency plans and delivers the service in the home.
The local authority has determined what care and support should be provided, although the care agency has discretion to decide how best to deliver the service.
Consider the role of the local authority and of the private care agency specifically in the delivery of the service to individuals at home.
Assessment
| | Local authority | Care provider |
|---|---|---|
| Do they decide the purposes of collecting and using the data? | Yes | Yes |
| Do they decide what data should be collected and used? | No | Yes |
| Do they set key policies for the data such as the security standards and the retention period? | Partially (through contract terms requiring compliance with certain standards or codes) | Yes |
| Do they decide how long data needs to be processed for? | Partially (see above) | Yes |
| Do they decide who the information can be shared with? | No | Yes |
| Do they decide the lawful basis for the processing? | No | Yes |
| Are these decisions being made jointly with another organisation? | No | No |
| | Local authority | Care provider |
|---|---|---|
| Do they process data purely on the instruction of another organisation? | No | No |
| Do they refrain from making decisions on the purposes of collecting and using the data? | No | No |
| Do they follow another organisation’s policies in relation to the data, such as security standards and the retention period? | No | Partially (for example, the retention period may be determined by statutory requirements that the commissioner is subject to) |
| If they wanted to use the data for their own purposes, would they need permission? | No | Partially (likely not permitted by contract) |
Result
The service provider is the controller for the duration of the contract.
The local authority is neither a controller nor a processor for the duration of the contract.
Further information
Like scenario 2, the commissioner of the service (in this case, the local authority) has determined the purpose of the processing by commissioning a specific service with a desired outcome. They also put certain obligations on the service provider, such as specific retention periods in line with their statutory obligations. Overall, however, they have not determined enough of the specific means of the processing to be considered a controller. While they have provided direction on retention, they do not instruct the provider on how to comply with this. They are also not doing any data processing under instruction, so they are not a processor.
The provider in this example has determined all the means of the processing. The contract places some restrictions on how and why they use data to ensure compliance with legal and local authority standards, but the provider will be responsible for how they implement these standards. Therefore, for the processing that takes place in order to deliver the service to individuals, they are likely the sole controller. There is no processor being used in this example.
Scenario 4: Population Health Management - analysis
An ICB wants to start a Population Health Management project to aid their planning for the next year. They ask a group of 5 GPs and 5 local hospitals to share information to support their analysis. They contract a supplier to host their respective information in a secure cloud environment. The supplier’s system will pseudonymise the data when it is received from all parties so that individuals are protected from identification while it is being analysed. External analysts are hired to analyse the information to gain insight into the population's health.
The activity has been commissioned by the ICB who is seeking to better understand how they should commission services. They contract a company to provide the secure environment and tell GPs and hospitals what data they need for the analysis.
The GPs and hospitals can decide whether to share information or not, but they do not decide what happens to the data once it is shared.
Assessment
| | ICB | GPs/hospitals | System supplier | Analysts |
|---|---|---|---|---|
| Do they decide the purposes of collecting and using the data? | Yes | No | No | No |
| Do they decide what data should be collected and used? | Yes | No | No | No |
| Do they set key policies for the data such as the security standards and the retention period? | Yes | No | No | No |
| Do they decide how long data needs to be processed for? | Yes | No | No | No |
| Do they decide who the information can be shared with? | Yes | No | No | No |
| Do they decide the lawful basis for the processing? | Yes | No | No | No |
| Are these decisions being made jointly with another organisation? | No | No | No | No |
| | ICB | GPs/hospitals | System supplier | Analysts |
|---|---|---|---|---|
| Do they process data purely on the instruction of another organisation? | No | N/A - For the data analysis, the GP does not have access to this after it is shared. | Yes | Yes |
| Do they refrain from making decisions on the purposes of collecting and using the data? | No | N/A - For the data analysis, the GP does not have access to this after it is shared. | Yes | Yes |
| Do they follow another organisation’s policies in relation to the data, such as security standards and the retention period? | No | N/A - For the data analysis, the GP does not have access to this after it is shared. | Yes | Yes |
| If they wanted to use the data for their own purposes, would they need permission? | No | N/A - For the data analysis, the GP does not have access to this after it is shared. | Yes | Yes |
Result
The ICB is determining the means and the purpose of the processing, so they are the controller.
The system supplier and the analysts are following the ICB’s instruction, so they are processors.
The GPs and hospitals are not deciding the means and the purpose, and they are also not processing under instruction, so they do not fit the definition of a controller or a processor in relation specifically to the processing that happens for the population health analysis.
Further information
It is commonly recognised that GPs and hospitals are independent controllers for the health records they hold and process for healthcare purposes, but this scenario highlights how assessments must focus on the processing activity rather than the data. In relation to the distinct activity of processing the data for population health analysis, it is the ICB who has control over this processing.
The GPs and hospitals have controller responsibilities in terms of their initial choice to share their patient records which they hold for their own purposes with the ICB for this activity, but do not have a direct relationship with the processing that takes place for analysis purposes.
The ICB is a sole independent controller for the data they collect for this project and is accountable for what they (or their processors) do with that data.
Scenario 5: Population Health Management – re-identifying data for care (risk stratification)
As part of the same Population Health Management project, the GPs and hospitals might receive notifications about individuals under their care who may be at increased risk of certain health conditions, along with access to a key, so that they can re-identify data and offer direct care interventions to individuals.
For the data they receive back, they will determine why and how it is used and who they share it with.
Assessment
| | ICB | GPs/hospitals | System supplier | Analysts |
|---|---|---|---|---|
| Do they decide the purposes of collecting and using the data? | No | Yes | No | No |
| Do they decide what data should be collected and used? | No | Yes | No | No |
| Do they set key policies for the data such as the security standards and the retention period? | No | Yes | No | No |
| Do they decide how long data needs to be processed for? | No | Yes | No | No |
| Do they decide who the information can be shared with? | No | Yes | No | No |
| Do they decide the lawful basis for the processing? | No | Yes | No | No |
| Are these decisions being made jointly with another organisation? | No | No | No | No |
Result
The GPs and hospitals will independently determine the means and purpose of the processing for health and care purposes once they receive notification about individuals under their care who might need to be contacted for direct care purposes, therefore they are controllers.