Skip to main content

What can we consider when acting as joint controllers?

Contents

In detail

What do we need to consider if we are acting as joint controllers?

Where two or more competent authorities jointly determine the purposes and means of processing personal information, they are acting as joint controllers.

If you are acting as a joint controller, you must:

  • have an arrangement in place with your fellow joint controllers that clearly and transparently sets out each of your responsibilities under part 3, including how you deal with SARs; and
  • specify a contact point that is one of the joint controllers.

Example 

Separate policing organisations have a statutory remit to enter into a collaboration agreement to investigate serious crime. The agreement sets out the respective functions of officers and staff at each organisation.

As the organisations are processing personal information as joint controllers, they must have joint arrangements in place that allocate each organisation’s data protection responsibilities.

What are the responsibilities of the 'contact point'?

Joint controllers must name one of the joint controllers as the contact point in their joint arrangements. You must not appoint a third party as the contact point or have more than one contact point.

Each joint controller should name the contact point on their websites or in other communications and, where possible, direct people to make their SAR to that contact point. You should make it clear in your joint arrangements whether people can make a SAR to each controller, or to the contact point only. However, a SAR counts as received as soon as any joint controller receives it.

If any of the joint controllers receives a SAR, you should forward it to the contact point as soon as possible. Your joint arrangements should make provision for this. In general, you should make each joint controller aware of every SAR.

You must clearly set out in your arrangements the duties of each joint controller about SARs. The contact point often takes responsibility for all aspects of complying with the SAR, including:

  • performing reasonable searches;
  • redacting; and
  • providing (or refusing to provide) the information.

However, the joint controllers may allocate these duties among themselves. The contact point could coordinate responses to a SAR by liaising with the other joint controllers, as appropriate, subject to the terms of the joint arrangements.

Your arrangements should set out how you will handle complaints if people are unhappy with your response. Each controller must comply with their:

  • specific responsibilities under the terms of the joint arrangements; and
  • statutory data protection obligations.

You must not delegate the role of the contact point to a third party organisation. However, this does not prevent joint controllers from outsourcing certain aspects of SAR work to a processor (eg performing reasonable searches).

Do we need to consult with joint controllers before responding to a SAR?

Depending on the circumstances, you could seek the views of other joint controllers about how you respond to a SAR. Where appropriate, you should include provisions in your joint arrangements for notifying other joint controllers before responding to a SAR.

Example 

Two government agencies (Agency A and Agency B) use shared information access systems to process personal information for law enforcement purposes. They are acting as joint controllers. Their arrangement specifies that Agency A is the contact point for SARs and is responsible for responding to them. The arrangement also states that Agency A will consult with Agency B to decide how to respond to a SAR.

Agency A receives a SAR.

Agency A informs Agency B about the SAR and seeks its views before deciding how to respond. Agency B believes that disclosing some of the information may put another person at risk. It believes that it is necessary and proportionate to apply a restriction (to protect another person), and it provides evidence to support this.

As set out in the joint arrangement, Agency A is responsible for complying with the SAR. It should carefully consider Agency B’s arguments to decide whether it needs to apply the restriction (including whether it is necessary and proportionate to do so).

On the basis of the joint arrangement, Agency A may be subject to regulatory action by us if it does not agree with the use of the restriction. However, Agency B may be required to help with our investigations.

What happens if we are only processing some of the requested information for joint purposes?

There may be circumstances where several organisations are acting jointly about one aspect of their processing. However, they may be acting independently in carrying out other processing activities.

If some of the information falls within the scope of the joint arrangements, the joint controllers with responsibility for responding to SARs must deal with this part of the SAR.

Example 

A number of organisations (Agency A, Agency B, Agency C and Agency D) are able to access a shared database that contains information about people’s criminal convictions. Agency C owns and manages the system on behalf of the other agencies. The information is processed under part 3.

Each of the agencies is an independent controller in its own right. However, they are joint controllers for the information stored on the shared database. Agencies A, B, C and D have joint arrangements that set out each of their data protection responsibilities under the DPA 2018, including their arrangements for dealing with SARs. 

The arrangements specify that Agency C is the contact point and responsible for responding to SARs.

Agency D receives a SAR from someone requesting “all the information you hold about me”. Agency D is an independent controller for most of the information it processes about the person. However, the information held on the shared database is also within the scope of the request. As Agency D is not the contact point for the information held on the shared database, it forwards the SAR to the named contact point, Agency C. 

Agency C must respond to the part of the SAR that concerns the information held within the shared database.

Can we consult other competent authorities when deciding whether to apply a restriction?

It depends. During the lifecycle of a criminal case, personal information is often processed by multiple competent authorities. For example, a prosecution service reviews information obtained by the police (for the purposes of investigating crime) to decide whether to pursue a prosecution against someone. However, it does not issue instructions about the investigation. The police and the prosecution service are working collaboratively yet independently. They are making decisions separately and are not necessarily joint controllers. However, they are likely to share personal information in the course of the criminal case.

There is nothing in the DPA that requires you to only consider your own specific circumstances in deciding whether to restrict access. It's not usually necessary or appropriate to consult other organisations before you respond to a SAR. However, if you believe there may be a risk of serious harm in disclosing the information, you may wish to do so.

In these circumstances, you should base your decision on the evidence provided by the other controller. You are responsible for complying with the SAR and must not restrict the right of access or speculate about risks without proper justification. You should be able to justify why you consider applying a restriction is necessary and proportionate. Remember, you must respond to the request within one month.

If independent controllers share information with each other, you should have a data sharing arrangement in place.

What happens if independent controllers are processing the same information for different purposes?

There are likely to be circumstances when you and another organisation are using the same personal information for different purposes (eg law enforcement and general purposes).

For example, a hospital shares information with police about the nature of the injuries sustained by a victim. The hospital is processing the information under the UK GDPR, while the police are processing it under part 3.

If you are processing personal information under part 3, you may apply a part 3 restriction. You can also consult other organisations before you respond to a SAR if you have identified a potential risk of serious harm. If you consult another organisation, you may consider the request as complex and extend the time limit by up to two months. (See When is a part 3 request complex?.)

How do we deal with SARs if we are jointly processing the information with intelligence services?

If you wish to have a joint controllership arrangement in place with intelligence services, you must jointly apply for a designation notice from the Secretary of State. This allows you and intelligence services to jointly process information under a single regime.

Where a designation notice is in place, you are jointly processing information with intelligence services under part 4 of the DPA. This means that all the part 4 requirements apply.

You must deal with SARs under the part 4 SAR regime, regardless of whether you or the intelligence services are the designated contact point. (See our part 4 guidance for more details.)