4. Data Management Hierarchy & Responsibilities
The nature of your data protection obligations will depend on whether you are a Controller, Joint Controller or Processor.
To determine who is data controller you need to ascertain which organisation decides:-
- what data are being collected;
- which individuals’ data you are collecting;
- what the purpose for the processing is;
- the lawful basis for processing the data;
- who (if anyone) you are disclosing the data to;
- what to tell individuals about the processing of their data; and
- how long to retain the data.
The ownership of equipment is not a deciding factor in itself.
The data controller must provide data management process guidance for its staff and its data processors to follow.
Data protection legislation requires that all data processing carried out by a data processor on behalf of a data controller is carried out under a written contract. See section 13 of this document for further details.
Joint Data Controllers
If organisations are joint data controllers then the parties’ responsibilities must be clearly defined in writing otherwise the situation could be confusing for the various stakeholders.
Data Protection Officer (DPO)
The data controller should consider appointing an individual responsible for Data Protection compliance and who reports to the board of directors. This position may be contracted out in whole or in part to a third party. In some circumstances data controllers have a legal duty to appoint a Data Protection Officer. To learn more go to
Guarding and systems service providers and any other organisations that process personal data on behalf of the data controller are usually data processors. This includes, in particular, where the processing is carried out under the terms of a Data Processing Agreement.
Service providers which carry out processing activities on the instruction of the lead data processor are usually Sub-processors (also known as Subordinate data processors).
Lead Data Processor
In the case that the landlord acts as data controller the managing agent could act as lead data processor and nominate a data manager for the premises. All other data processors such as guarding service providers would be subordinate to the managing agent who would be responsible for dissemination of the data controller’s policy and procedures, and reporting to and obtaining approval from the data controller for the release of data.
Employed by the data controller or lead data processor typically as a facilities or building manager responsible for onsite implementation and management of the data controller’s policy and procedures. The data manager will be responsible for agreeing with the data controller to release data on a case by case basis unless an overarching agreement allows release at the data managers discretion in accordance with the data controller’s policy.
The recipient of personal data from the data controller. This could be a regular/repeated transfer of data or a one-off event. Typically, the Data Recipient will be one of the following:-
- tenants of the landlord’s premises;
- insurance companies;
- legal representatives; or
- local government authorities.
It is good practice that you enter into a Data Sharing Agreement with the Data Recipient (see section 14 for more information). A Data Sharing Agreement is not required for the release of data to law enforcement agencies. If you were to refuse to share the data they may obtain a search warrant to seize the evidence. You should seek legal advice in this situation.