At a glance
- Understanding whether you are a controller, joint controller or processor for the personal data you are processing is key to ensuring you are complying with data protection law.
- Controllers determine the purposes and means by which personal data is processed. Processors handle personal data on behalf of controllers. Whilst controllers have most responsibility for compliance with data protection law, processors have their own obligations as well. The ICO has the power to take action against both.
- Political parties and campaign groups are structured in different ways and may have complex set-ups and constitutional and contractual arrangements. This may include national and local organisations. Also, elected representatives are often controllers in their own right.
- You should take the time to assess and document what personal data you hold; the processing activities you carry out with each organisation you work with; and what responsibilities you each have.
In more detail
- Introduction
- What is the difference between a controller, joint controller or processor?
- How does controllership apply in political campaigning?
- How do we determine whether we are a controller or processor?
- How do we identify controllership relationships in practice?
- What is required in each relationship?
- Are we required to pay the data protection fee?
Introduction
Understanding your responsibilities for the personal data you are processing is essential in ensuring you comply with data protection law.
Your obligations under the UK GDPR vary depending on whether you are a controller, joint controller or processor.
What is the difference between a controller, joint controller or processor?
Controllers are the main decision-makers – they exercise overall control over the purposes and means of processing personal data.
If two or more controllers jointly determine the purposes and means of processing the same personal data, they are joint controllers. However, they are not joint controllers if they are processing the same data for different purposes.
Controllers shoulder the highest level of compliance responsibility – they must comply with, and demonstrate compliance with, all the data protection principles as well as the other UK GDPR requirements. They are also responsible for the compliance of their processor(s). This guidance is primarily for controllers.
Processors act on behalf of, and only on the instructions of, the relevant controller.
Processors do not have the same level of compliance responsibility as controllers. But they do carry responsibility for some compliance in their own right, such as security, data breach notification and accountability. See our guidance on controllers and processors and contracts and liabilities for further information.
The ICO has the power to take action against both controllers and processors, and individuals can bring claims against both.
How does controllership apply in political campaigning?
In political campaigning there can be many different controllership arrangements depending on the situation.
Political parties are set up in different ways with different legal entities. The controller might be central office, a local association, a candidate or a campaigner, or any combination of these acting as joint controllers. Therefore, the data held at any one time by a political party might be under the responsibility of different controllers.
Similarly, campaign groups may also have complex set-ups and contractual arrangements.
Under electoral law, candidates, registered political parties and other registered campaigners (see section on use of the electoral register) are permitted to access personal data held on the full electoral register for campaigning purposes. The right to obtain a copy of the register comes from separate sections of the Representation of the People Regulations (England and Wales) 2001 and equivalent legislation. Therefore, regardless of any other set-up arrangements, candidates and political parties are considered separate controllers for data you obtain from the electoral register. This does not mean you are unable to work as joint controllers if appropriate, but it is important to be clear that you are treated as distinct from each other under data protection law.
In addition, elected representatives are also separate controllers for work you carry out for the purpose of being an elected representative, such as constituency case work. This means that you should not share data between elected representatives’ offices and your local or national parties unless you can comply with data protection law.. This does not mean that it is prohibited in all situations but the key point is that as separate controllers you need to treat this as a data share and consider all the data protection principles. For more information on data sharing please see our Data Sharing Code of Practice.
Most political parties, campaign groups and candidates are controllers. But many also contract processors to process personal data on their behalf.
Example
An independent candidate in a local election holds a list of potential supporters’ names and addresses. They decide to write to these supporters to encourage them to vote on polling day. They contract a company to write, add the names and addresses and distribute the letters.
The candidate is the controller. A controller decides the purposes and means of processing personal data. The candidate is making the decision to write to the individuals for the purpose of encouraging them to vote. Similarly, the candidate is deciding to do this by contracting a company on their behalf.
The company they contract is the processor as it is acting solely on the instructions of the controller with a binding contract in place.
How do we determine whether we are a controller or processor?
Although the example above is fairly straightforward, often establishing whether you are acting as a processor or a controller in your own right can be more complicated. Examples include working with third party data analytics, modelling, market research and marketing companies, as well as online platforms.
The key is to work out how much independence you have in determining how and for what purpose the data is processed, as well as the degree of control you have over it. You may sometimes want to seek specific legal advice about this aspect of compliance.
In certain circumstances, and where included in the contract, a processor may have the freedom to use its technical knowledge to decide how to carry out certain activities on the controller’s behalf. However, it cannot take any of the overarching decisions, such as what types of personal data to collect or what the personal data will be used for. These decisions must only be taken by the controller. As such, many relationships where a controller has contracted out a service to a third party organisation are actually joint controller relationships.
Example
A candidate representing a political party in a local election jointly holds a list of potential supporters’ names and addresses with the local party association. The particular set-up of the party means that the local party association is a separate legal entity to the party’s central office. The candidate and the local party decide together to write to these potential supporters to encourage them to vote on polling day. They contract a company to write, add names and addresses and distribute the letters.
The candidate and the local party association are joint controllers as they jointly decide the purpose and means of processing the personal data.
The company they contract is the processor as it is solely acting on the instructions of the joint controllers with a binding contract in place.
Example
A political party contracts a research company to carry out research for voter modelling purposes. The political party specifies its budget and that it wants to understand the characteristics of voters in particular geographical areas that are likely to vote for them. The party leaves it to the research company to determine sample sizes, survey methods and presentation of results.
The party and the research company act as joint controllers. Controllers decide the purpose and manner of the processing of personal data whereas processors simply act on the instructions of the controller.
The research company is processing personal data on the party’s behalf, but it is also determining what information they are collecting and how they are carrying out the processing (the survey). It has the freedom to decide such matters as which people to select for the survey, what form the survey should take, what information to collect and how to present the results. This means the research company is a joint controller with the party regarding the processing of personal data to carry out the survey, even though the party retains overall control of the data because it commissions the research and determines the purpose the data will be used for.
In essence, the research company makes substantial decisions about the means of the processing so in this situation cannot be a processor on behalf of the party.
It is worth highlighting that when using a social media platform to target political messaging, you are likely to be a joint controller with the platform. Therefore you need to establish who is responsible for each aspect of the processing, and ensure you have an appropriate arrangement in place. For more information, see section Are we joint controllers with social media platforms for all targeting activities we undertake?.
How do we identify controllership relationships in practice?
It is essential for compliance with the UK GDPR that you are clear who the controller is for what data and in what circumstances. There are many ways you can identify this but it is often helpful to map the flow of personal data – labelling which organisations are responsible.
It is then important to establish the types of controller relationship by fully considering how far each of you is determining how and in what manner you are processing the personal data. If you establish that there is more than one controller, then you should further establish whether you are both processing personal data for the same purpose. You can consider these points as either a standalone exercise or as part of a data protection impact assessment (DPIA). See our section on DPIAs for more information.
What is required in each relationship?
Once you have established controller and/or processor relationships, both of you must ensure you fully understand your respective responsibilities under data protection law. You must also take into account the particular circumstances and requirements that each type of relationship requires. A relationship with a processor for example requires a written contract binding the processor to the controller. In contrast, a joint controller relationship does not require a contract but does require a transparent arrangement that sets out your agreed roles and responsibilities for complying with the UK GDPR. See our guidance on controllers and processors and contracts and liabilities for further information on these requirements.
Regardless of where legal responsibility lies, with political campaigning in particular, you should also bear in mind that the media and general public are likely to be unaware of the complexities of controller relationships. You should consider how individuals are likely to contact you in order to exercise their UK GDPR rights. You should ensure you have effective processes in place for dealing with these.
Are we required to pay the data protection fee?
The Data Protection (Charges and Information) Regulations 2018 require every controller who processes personal data to pay a data protection fee to the ICO, unless they are exempt.
Members of the House of Lords, elected representatives and prospective representatives are exempt from this requirement. However, in most circumstances political parties, campaign groups and other controllers need to pay the fee. See the ICO website for further information on this.
Further reading
For guidance on Data Protection Impact Assessments, see our guidance section on DPIAs.
For general guidance on controllers and processors, see our Guide to the UK GDPR.