October 2018 update of the Ethics & Compliance Committee's ongoing work in this area
September EDPB Meeting
As members are aware, the BHBIA has been engaged in discussions with the ICO in recent months on interpretation of the definition of ‘data controller’ and the implications of determining that the commissioning client company is a data controller.
Along with the MRS, we had hoped that data controller guidelines and this issue would be raised and discussed by the Key Provisions subgroup at the 25/26 September meeting of the European Data Protection Board (EDPB).
Unfortunately, we have learnt following the meeting that this was not the case (the agenda is not published in advance). We have been informed that the issue was not discussed at the meeting or placed on the list of priorities for 2018.
Apparently, however, other sectors are also pushing for guidance on the controller issue and the EU Commission have been asked to put pressure on the EDPB regarding this.
Given this, we can only reiterate previous advice:
- Data controllers must be named when personal data are obtained from data subjects
- The determination of who is a data controller, joint controller, data processor or other party within the research chain is a question of fact rather than contractual stipulation. It is based on a determination of the purposes and means of the processing, and essentially the level of decision-making power exercised
- The determination of roles should be considered and agreed between the end client and agency before projects are commissioned (on a case by case basis)
- It is important that decision making is documented.
We know from our conversations with the ICO that they do understand the serious unforeseen consequences of this issue for the research industry. EFAMRO and ESOMAR are in discussions with other Data Protection Authorities to make sure that they too understand.
The BHBIA will continue to work with the MRS and ICO in the UK on this issue and will liaise with EFAMRO, EphMRA and ESOMAR to support our European counterparts in highlighting the difficulties this issue presents.
The BHBIA has sent the findings from its survey of members assessing the impact of naming the end client as data controller to the ICO and to the office of Jeremy Wright MP, Secretary of State for Digital, Culture, Media and Sport. We are also working to secure a meeting with the Department of Digital, Culture, Media and Sport to discuss the issue and its potential impact on UK business.
Whilst the delay is disappointing, it does allow us more time to get our messages across.
It does seem likely that the whole process will take several months. We will update members again when there is further news.
If you want a reminder of the background to this issue, please see:
- An update on naming end clients as data controllers published in June 2018
- Impact of naming the end client as data controller - BHBIA member survey findings published in August 2018
The BHBIA’s Ethics & Compliance Committee is providing this guidance as general information for its members. It is not legal advice and should not be relied upon as such. Specific legal advice should be taken in relation to any specific legal problems or matters. Whilst every reasonable effort is made to make sure the information is accurate, no responsibility for its accuracy or for any consequences of relying on it is assumed by the BHBIA. We do expect to update our guidance on the GDPR as more information becomes available.