Responsibilities as a data processor
Data processors process data on behalf of the data controller. The existence of a data processor is dependent on decisions taken by the data controller as to how the data should be processed and by whom.
When you are accessing data through a SHIP Safe Haven you will be a ‘data processor’ for the purposes of the Data Protection Act 1998. The data controllers are the SHIP Safe Haven itself, and the original data custodian, as they determine how the data should be processed and by whom.
The data protection principles
Under the Data Protection Act 1998 (DPA) it is the responsibility of the data controller to comply with the obligations set out in the Act, which are contained in the data protection principles in schedule 1. However, it is still essential that you as a researcher are aware of these principles as adhering to them will ensure that you are handling data responsibly. Indeed, data custodians will usually require you to undertake not to use their data in such a way that would breach any of the data protection principles.
The obligations imposed by the DPA are:
- To process data fairly and lawfully;
- To process data in accordance with one of the conditions in schedule 2 and for sensitive personal data also schedule 3 of the DPA;
- To process data only in such a way that is compatible with the purpose for which you specified the data would be processed;
- To not process personal data which are excessive or irrelevant for the purpose for which they are processed;
- To ensure that personal data is accurate and up to date;
- To only keep personal data for as long as is necessary for the purposes of processing;
- To process data in accordance with the rights of the data subject;
- To ensure that adequate security measures- physical, technical and managerial- are in place to protect personal data;
- To not transfer personal data outside the European Economic Area unless adequate security safeguards are in place.
Changing responsibilities- becoming a data controller
You should however remember that you may become a data controller over your research output data after your research project is completed. You must therefore be aware of how your legal obligations can change depending on the access and control you have over the data.
Some questions to consider to help you assess whether you are acting as a data controller or processor include:
- Do you have the capacity to determine the purposes for which the data is being processed?
- Do you have the capacity to determine the manner in which the data is to be processed?
- What is the role of other possible actors? (Remember that there can be more than one data controller.)
- Are you acting autonomously or on the instructions of another?