Processor - not processor? Covid-19 testing privacy notice
Photo Platon Tank https://www.flickr.com/photos/tech-fun/3639383950/ Creative Commons BY licence https://creativecommons.org/licenses/by/2.0/

It's not easy determining if an organisation is acting as a controller, processor (or indeed neither) for a particular processing operation/activity.

The UK DHSC's privacy notice on coronavirus / Covid-19 testing for essential workers doesn't seem to be as clear on processors as it could be. At least, I'm confused!

There are two reasons why.

Firstly, there's a section on data processor activities, but then a separate section listing data processors, and I can't quite match the two up fully (see below).

Secondly, I don't understand how some of the organisations named as processors in the privacy notice could be considered to be processing personal data in the GDPR sense i.e. for the purposes of EU/UK data protection law.

  1. Courier/delivery services aren't processors - the ICO made clear in its helpful guidance that a mail delivery service is not a processor of the personal data contained in what it delivers - not unless it can access the content of what it delivers, i.e. open the envelope or box. So why does the privacy notice say that Amazon, engaged "to deliver test kits once a request has been registered", is a processor? Surely Amazon can't be authorised to open completed (or even unused) test kits? Perhaps it's simply that Amazon has been given and holds the names and addresses of the people to whom it must deliver testing kits so, to that very very limited extent only, it's a processor of those names and addresses.
  2. Software providers who license out their software aren't processors - not unless, perhaps, the software is provided as a cloud service (SaaS); or, an organisation uses software to provide a service to the controller, in the course of which service provision it can access the personal data concerned (the latter is the example used in the ICO guidance). So why does the privacy notice say that "ACF Technologies, providing software to enable you to book a test at a regional test site", is a processor?
  3. Hardware/equipment vendors/suppliers aren't processors - this wasn't covered in the ICO guidance, probably because most practitioners would think it goes without saying. Yet the privacy notice names as a processor a hardware supplier: "Jigsaw24, who are providing mobile phone and SIMs for the mobile regional test site apps – so you don’t have to self-scan a barcode at the regional test site)". Again, surely Jigsaw24 can't access the personal data within or communicated via those mobile phones or SIMs?
  4. The rest I can understand, but with a few exceptions:
  • "Deloitte, supporting DHSC to help accelerate and scale testing capacity for the national COVID-19 testing programme" - isn't that just providing strategic advice, surely they're not saying that Deloitte can access individuals' test-related info? Or can it? That's not very clear.
  • "Barcode Warehouse, who provide barcodes for test kits" - would a barcode provider really have access to personal data of the test subjects? Whoever sticks the barcodes on might, but can the barcode provider?
  • If Randox is named as a processor for home tests specifically ("Randox, to supply home tests and inform you of the result of your Randox home test. They also operate some regional test sites"), why aren't other home testing providers mentioned in the processor listing as processors in relation to the results of home tests?

My table attempting to match up the two sections is here. (Apologies, but functionally I can't insert a table in a LinkedIn article, or upload a doc to an article as opposed to a post.)

I suspect this just was an issue of "For speed let's just name all companies that were involved in this project", rather than some of those organisations actually being true processors, for GDPR purposes, of the personal data relevant to testing for Covid-19. For starters, if they were all processors then there would have to be a GDPR-compliant data processing agreement with each of them. And, of course, under the GDPR strictly a privacy notice must state only the "recipients or categories of recipients", so this privacy notice could give only the types of recipients to whom personal data will be disclosed, rather than specifically naming them all. (In fact the GDPR defines "recipients" more broadly than just "processors".)

But I thought this was a good illustration of the difficulties that can be involved in distinguishing between controllers and processors (or indeed "neither" - as I've argued could be the case for data centre providers whose services are used by customers, but who can't access their customers' data within the datacentre). Note, I make no comment on other aspects of the privacy notice beyond how it provides information on processors.

Any thoughts welcome!

(And of course the photo above demonstrates that different people can think of "processors" in different ways...)
