Who is responsible for complying with data protection legislation (including the POPI Act in South Africa and the Data Protection Act in the UK) where you process personal information together with someone else? Most organisations have many relationships where they process personal information together with other organisations, including customer-service-provider, vendor-buyer, and contractor-client relationships.
POPI distinguishes between the ‘responsible party’ and the ‘operator’, while the UK DPA distinguishes between the ‘data controller’ and the ‘data processor’. We will refer to them simply as the ‘responsible party’ and the ‘operator’. The ‘responsible party’ decides the purpose of, and the way of, processing the personal information, and the ‘operator’ processes the personal information on behalf of a responsible party without being directly controlled by them. The responsible party carries most of the responsibility, while the operator carries much less.
Where you process personal information together with someone else, whether you are the responsible party or the operator depends on your relationship with them.
What different types of relationships are there?
Organisations often instruct other organisations to process personal information on their behalf, or are instructed to do so by them. In a relationship between a customer and a service provider, the customer generally instructs the service provider. But the organisation doing the instructing isn’t always the responsible party, and the organisation being instructed isn’t always the operator. It can be difficult to pinpoint who is playing which role. We will see this by examining the three different types of relationships: authority, liberty, and equality.
Authority
The one organisation gives the other organisation specific and comprehensive instructions on how to process the personal information, so that the instructed organisation is constrained, has little discretion, and is completely dependent on the instructing organisation for its decision making.
Example: you instruct a human resources company to carry out the activity of paying your employees. You are their customer and they are your service provider. You tell them exactly which of your employees to pay, how much to pay them, and when to pay them. They cannot decide to pay anyone else on your behalf, to pay any of your employees any more or any less, or to pay your employees before or after payday. They may offer you advice on any of these things, but you will decide whether or not to take it.
The instructing organisation will likely be the responsible party and the instructed organisation will likely be its operator in a relationship of authority.
Liberty
The one organisation gives the other organisation broad and simple instructions on how to process the personal information, so that the instructed organisation is free, has a lot of discretion, and is completely independent of the instructing organisation in its decision making.
Example: you instruct the same human resources company to carry out the activity of running background checks on your employees. You hand over your staff files containing employment contracts, copies of ID documents, and CVs, but you do not tell them what to do with those documents beyond coming back to you with background checks on each employee. They decide whether or not to check police records, run credit checks, or contact references. You may ask them specific questions about individual employees, but they will decide how to provide the answers.
The instructed organisation will likely be the responsible party and the instructing organisation will likely be its operator in a relationship of liberty.
Equality
Both organisations agree on a common set of instructions on how they will each process the personal information, so that both organisations are accountable to one another, have an agreed level of discretion, and are interdependent in their decision making.
Example: you enter into a partnership with the same human resources company where together you will both carry out the same activity of providing a joint service to both of your customers. Both you and the human resources company share personal information with each other for the purposes of providing the service. Each party decides what to do with the personal information that they receive from the other to provide their portion of the service. There is constant feedback between the two of you so that you can provide the joint service.
Both organisations will likely be joint responsible parties in a relationship of equality.
Your relationships and working out who is responsible
Most relationships are more complicated than these examples and fall somewhere between these three categories. They may also shift categories from one activity to another.
We can help you to understand your relationships and responsibilities under data protection legislation with a Data Protection Responsibility Assessment.
If you are interested, please enquire now. We will contact you to find out more about your requirements and give you a quote.