Processor - not processor? Covid-19 testing privacy notice
Dr W Kuan Hon
Of Counsel, Dentons; Member, UK International Data Transfer Expert Council; Editor, Encyclopedia of Data Protection & Privacy. All views personal only.
It's not easy determining if an organisation is acting as a controller, processor (or indeed neither) for a particular processing operation/activity.
The UK DHSC's privacy notice on coronavirus / Covid-19 testing for essential workers doesn't seem to be as clear on processors as it could be. At least, I'm confused!
There are two reasons why.
Firstly, there's a section on data processor activities, but then a separate section listing data processors, and I can't quite match the two up fully (see below).
Secondly, I don't understand how some of the organisations named as processors in the privacy notice could be considered to be processing personal data in the GDPR sense i.e. for the purposes of EU/UK data protection law.
- Courier/delivery services aren't processors - the ICO made clear in its helpful guidance that a mail delivery service is not a processor of the personal data contained in what it delivers - not unless it can access the content of what it delivers, i.e. open the envelope or box. So why does the privacy notice say that Amazon, engaged "to deliver test kits once a request has been registered", is a processor? Surely Amazon can't be authorised to open completed (or even unused) test kits? Perhaps it's simply that Amazon has been given and holds the names and addresses of the people to whom it must deliver testing kits so, to that very very limited extent only, it's a processor of those names and addresses.
- Software providers who license out their software aren't processors - not unless, perhaps, the software is provided as a cloud service (SaaS); or, an organisation uses software to provide a service to the controller, in the course of which service provision it can access the personal data concerned (the latter is the example used in the ICO guidance). So why does the privacy notice say that "ACF Technologies, providing software to enable you to book a test at a regional test site", is a processor?
- Hardware/equipment vendors/suppliers aren't processors - this wasn't covered in the ICO guidance, probably because most practitioners would think it goes without saying. Yet the privacy notice names as a processor a hardware supplier: "Jigsaw24, who are providing mobile phone and SIMs for the mobile regional test site apps – so you don’t have to self-scan a barcode at the regional test site)". Again, surely Jigsaw24 can't access the personal data within or communicated via those mobile phones or SIMs?
- The rest I can understand, but with a few exceptions:
  - "Deloitte, supporting DHSC to help accelerate and scale testing capacity for the national COVID-19 testing programme" - isn't that just providing strategic advice? Surely they're not saying that Deloitte can access individuals' test-related info? Or can it? That's not very clear.
  - "Barcode Warehouse, who provide barcodes for test kits" - would a barcode provider really have access to personal data of the test subjects? Whoever sticks the barcodes on might, but can the barcode provider?
  - If Randox is named as a processor for home tests specifically ("Randox, to supply home tests and inform you of the result of your Randox home test. They also operate some regional test sites"), why aren't other home testing providers mentioned in the processor listing as processors in relation to the results of home tests?
My table attempting to match up the two sections is here. (Apologies, but functionally I can't insert a table in a LinkedIn article, or upload a doc to an article as opposed to a post.)
I suspect this just was an issue of "For speed let's just name all companies that were involved in this project", rather than some of those organisations actually being true processors, for GDPR purposes, of the personal data relevant to testing for Covid-19. For starters, if they were all processors then there would have to be a GDPR-compliant data processing agreement with each of them. And, of course, under the GDPR strictly a privacy notice must state only the "recipients or categories of recipients", so this privacy notice could give only the types of recipients to whom personal data will be disclosed, rather than specifically naming them all. (In fact the GDPR defines "recipients" more broadly than just "processors".)
But I thought this was a good illustration of the difficulties that can be involved in distinguishing between controllers and processors (or indeed "neither" - as I've argued could be the case for data centre providers whose services are used by customers, but who can't access their customers' data within the datacentre). Note, I make no comment on other aspects of the privacy notice beyond how it provides information on processors.
Any thoughts welcome!
(And of course the photo above demonstrates that different people can think of "processors" in different ways...)