I've always recommended to non-DP-expert project leads to "forget" whether parties to an agreement are joint controllers, controllers in common or processors until *after* they have worked out who is responsible for what/who has authority to make what decisions. Otherwise you could end up in an endless circular argument. The basic explanation I use in health is:
Controller in common e.g. commissioner, can determine who the provider is, i.e. who else controls or processes data, has no access to individuals' care records.
Joint controller, e.g. care provider in other setting, both working for same purpose (direct care), making decisions about care based on information from each other (even if only referral letters/no direct share of records)
Processor, e.g. records system provider. We tell them what to do (well, we try with some of them), they have no authority over/input into care decision or right of access to individuals' care records, etc.
Once you have decided who is doing what, a legal definition should be a bit clearer if you absolutely have to have one. I think GDPR is much clearer than DPA on responsibilities, which is nice.
Regards
Sandre
Sandre Jones
T: 07939 725258
E: [log in to unmask]
https://uk.linkedin.com/in/sandre-jones-1b916856
SJ Governance Services Limited (SJGS) is a limited company registered in England & Wales. Registered number: 10423493. Registered office: 21 Hardwick Avenue, Newark, NG24 4AW.
Whilst SJGS will respect and protect your confidentiality and the security of information sent to the best of our ability and as required and permitted by law, please remember that email may be intercepted and should not be considered secure. If you are not the intended recipient of this email, please inform the sender immediately, do not copy or forward to any third party or use the information contained in the email in any way, and delete any originals and attachments from your email system and networks - thank you. Information or advice contained in this communication is given in good faith, without any warranty or acceptance of any liability: you should seek advice from a legal professional if you have any concerns about action you should take.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at https://www.jiscmail.ac.uk/help/subscribers/subscribercommands.html
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|