Regulation (EU) 2016/679 (GDPR) has been criticised for being overly burdensome and disproportionately prescriptive for organisations, especially where data is the enabler for providing services and products. Although the GDPR sets high compliance standards, organisational compliance is scalable and proportionate to the role of the organisation in the data processing chain. EU data protection law continues to rely on the fundamental distinction between a data controller and a data processor in terms of obligations and responsibilities.
Although this distinction may seem straightforward, there are specific contexts and environments where the boundaries blur and responsibilities overlap. In this article, we look at the case of health research and at the roles of the various entities involved. In particular, we build on the recently released guidance issued by the Medical Research Council (MRC), which also complements the guidance of the Health Research Authority. The critical points raised in this guidance are also useful for organisations in other fields where there is a diversity of stakeholders and reduced clarity in power and decision-making relationships.
Setting roles in stone
The distinction between the data controllers and processors lies in the allocation of decision-making powers regarding personal data processing. Data controllers are the main decision-makers, who determine the purposes and means of the processing: they decide to initiate it and determine the conditions under which it is going to take place. Data processors are the ‘executive bodies’ processing personal data on behalf of the controller, and enjoy limited freedom on how the data should be treated. In addition, the GDPR explicitly recognises the category of joint controllers, where two or more controllers jointly determine the purposes and means of processing.
Translating these definitions into practice can prove challenging in contexts where the roles do not reflect a traditional controller-to-processor or joint-controller relationship. This is the challenge that health researchers must navigate.
Health research brings multiple stakeholders together, such as sponsors, funders, researchers, health care organisations, universities, pharmaceutical companies and private entities. Whereas this multi-disciplinary approach brings intrinsic value to research projects, the complexities and interdependencies between the key roles challenge the strict application of the ‘controller’ and ‘processor’ definitions.
Both the Article 29 Working Party and the European Data Protection Supervisor have acknowledged the complexity of real-life scenarios and suggested a few criteria for determining ‘who-is-who’ in the relationship, including:
- Autonomy and independence
- Direct relationship with the data subjects
- Professional judgement and expertise
- Active decision-making
- Explicit, legal or factual competence and responsibility
- Visibility towards data subjects
The MRC Guidance: added value, determining factors, and guiding criteria
The MRC guidance also confirms that the GDPR definitions are more functional than technocratic. It provides valuable examples of pragmatic and challenging scenarios in health research and suggests good approaches to all of them. In addition to the above-mentioned criteria, the MRC advises that:
- For the vast majority of health research, it is expected that the sponsor will be the sole data controller.
- For health research, the sponsor is most likely to be the controller, even if the data processing does not take place within the sponsor’s organisation or premises. For example, this applies to the collection of health data that one NHS organisation instructs a separate NHS organisation to carry out.
- In some types of research, the blurring of data protection roles could be more intense, and an organisation processing personal data for another organisation may be a controller in its own right. For example, this is frequently the case when pharmaceutical and biotechnology companies collaborate with NHS Trusts or academic centres on disease analysis. In this case, such a research project could have a single sponsor and several controllers.
- In health research, it is likely that the explicit or implicit allocation of roles will be recorded in the protocol and detailed in the data processing agreement. Similarly, in other types of research, this could be done through the data management plan.
- Processors act on the controller’s instructions. Nonetheless, they enjoy some degree of flexibility and can make decisions regarding the IT systems or other methods used to process personal data and the details of the appropriate security measures. They can also decide the means of transferring data from one organisation to another and how retention schedules will be applied in practice.
- In co-sponsored research and research where clinical trials units make significant decisions about data processing, joint controllership is likely the most appropriate scheme.
- The roles of the controllers and processors are independent of, and separate from, other legal responsibilities and requirements, such as the common law of confidentiality, intellectual property rights, and publication rights.
Whether for a healthcare organisation, a public authority or a tech firm, there are key considerations in determining who the data controller and the processor are. Organisations should critically and strategically consider these elements before processing personal data and concluding data processing agreements. If you need support in designing and determining the relevant roles, obligations and agreements for your set of data processing operations, please feel free to contact one of our advisors in the Data Governance and Cyber-Risk Team.