UK—ICO issues updated guidance on identifying data controllers and data processors, “disproportionate effort” and “regulatory activity”


Contributors:
Brian Davidson
CIPP/E
Group Data Protection Manager
Howden Group Holdings
The UK Information Commissioner's Office has updated some of its practical guidance documents aimed at assisting organisations in dealing with their data protection obligations.
“Identifying data controllers and data processors” recognises the difficulty in identifying the relevant parties as a result “of the variety of different interrelationships that exist between organisations involved in the processing of personal data to any degree jointly with others.” The guidance refers to various practical examples of where “controller-processor” and “joint controller” relationships may exist and offers definitions of the different types of client and service provider that can exist, in order to help organisations determine their applicable responsibilities and obligations.
“Disproportionate effort” sets out the obligations of an organisation to comply with a subject access request and the extent to which it can rely on the “disproportionate effort” exemption. The guidance again provides practical examples and clarifies that the exemption applies only to the task of responding to a subject access request by providing a copy of the information in permanent form; it does not apply to the effort required to locate the personal data.
Finally, “Regulatory activity” sets out the circumstances in which the regulatory activity exemption under Section 31 of the Data Protection Act may be used by organisations to withhold information requested or to be provided under the subject information provisions of the act.



