Who is responsible when hackers target your online appointment booking system? Data protection expert David Taylor advises
In the eyes of the Data Protection Act, responsibility always sits with the data controller - 'a person who (either alone or jointly or in common with other persons) determines the purposes for which, and the manner in which, any personal data are, or are to be, processed'.
In this case, GPs are the data controller. That means that they're responsible for all personal and sensitive personal data held by the practice for the purpose of delivering healthcare to patients.
It was the GPs who decided to offer this additional online service to its patients, and even though they have no day-to-day control of the delivery of the service, they are still viewed as the data controller. The IT company simply operates on their behalf, most probably as a data processor. The act defines a data processor as 'any person (other than an employee of the data controller) who processes the data on behalf of the data controller'.
The Data Protection Act says that the buck always stops with the data controller. Even if your data processor experiences a breach of your patients' personal data, you are responsible. That's right - the Information Commissioner's Office will be knocking on your door, and prosecuting you - not the data processor!
So what can you do to protect yourself? The Data Protection Act makes it a legal requirement to have a data processing contract with your data processor; thus, not to do so is a breach of the act.
Such a contract must be issued by you (the data controller) and requires, among other things, that the data processor meets specified security standards and processes your data only for specific purposes. The contract also provides you with powers of audit, plus all important warranties and guarantees in the event of a breach.
It in no way absolves you of your responsibilities as the data controller, but it demonstrates that you're doing your absolute best to safeguard your data subjects' personal data. It also offers the benefit of financial compensation for you in the event of a breach.
So as well as being a legal requirement, data-processing contracts are an absolute must for you as a data controller. They offer important benefits, security and peace of mind. It is important to clarify, at this point, that a data processing contract does not form part of your service-level agreement. It's an independent document provided by you, the data controller; not your supplier, the data processor.
Data processors are more common than you might think. Consider the accountants who hold your employees' personal data so that they can run payroll for you every month. Or the offsite CCTV security company you use to monitor your premises out of hours. Both are data processors who hold and process personal data (and sometimes sensitive personal data) on your behalf.
Hands up those of you who've made your data processors sign a data-processing contract? Remember, it's an offense under the Data Protection Act not to have such a contract in place—plus, it's there to protect you from your data processor.
David Taylor is the principal Data Protection Act practitioner at Data Protection Consultancy