The definition of "controller" in the General Data Protection Regulation1 contains three main building blocks. They are:
- the natural or legal person2, public authority, agency or any other body
- which alone or jointly with others
- determines the purposes and means of the processing of personal data
A controller determines "why" and "how" personal data would be processed. It does not matter whether or not the controller actually accesses or processes the data.
According to Article 26 of the Regulation, when two or more controllers "jointly determine the purposes and means of the processing of personal data", they are joint controllers.
Requirements for data controllers applying for data
- Any organisation(s) who is/are Controller(s) must be detailed as such in the application for data. Please ensure that all Controllers are included in the application.
- The Controller(s) are required to have in place:
- a valid data sharing framework contract3 (for exactly the same organisational entity)
- adequate security assurance (see standard on security assurance requirements)
- to have paid the relevant data protection fee to the ICO - see ICO website
- The Controller(s) must only process data where it is lawful4. The Controller(s) must identify:
- a lawful basis for processing data under Article 6 of the Regulation
- if processing special categories of personal data, a lawful basis for processing such data under Article 9 (and if choosing 9b, 9g, 9h, 9i or 9j, the relevant condition(s) under Schedule 1 of the Data Protection Act 2018) – see DPA link
Controllers are subject to a number of additional obligations under Data Protection legislation and are advised to consider these duties and responsibilities. For further guidance please see the ICO website5.
1 Article 4(7).
2 For example, a person or a legal entity
3 If you do not have a data sharing framework contract please contact NHS Digital at firstname.lastname@example.org
Last edited: 19 August 2019 7:45 am