4. Data Management Hierarchy & Responsibilities
The nature of your data protection obligations will depend on whether you are a controller, joint controller or processor.
To determine who is the data controller, you need to ascertain which organisation decides:-
- what data is being collected;
- which individual’s data you are collecting;
- what the purpose for the processing is;
- the lawful basis for processing the data;
- who (if anyone) you are disclosing the data to;
- what to tell individuals about the processing of their data; and
- how long to retain the data.
The ownership of equipment is not a deciding factor in itself.
The data controller must provide data management process guidance for its staff and its data processors to follow.
Data protection legislation requires that all data processing carried out by a data processor on behalf of a data controller is carried out under a written contract. See section 13 of this document for further details.
The data manager is the person appointed by the managing agent or data controller to deal with the day-to-day management of surveillance & security technology employed on the site or sites they are responsible for. The data manager has access to the VeriFi Help Desk, which provides backup and advice relating to data release requests.
Joint Data Controllers
If organisations are joint data controllers then the parties’ responsibilities must be clearly defined in writing; otherwise the situation could be confusing for the various stakeholders.
Data Protection Officer (DPO)
The data controller should consider appointing an individual responsible for data protection compliance who reports to the board of directors. This position may be contracted out in whole or in part to a third party. In some circumstances data controllers have a legal duty to appoint a data protection officer. You can find out if you need to appoint a data protection officer here. If you appoint a DPO then you should update your ICO registration to include the DPO’s details. For more information go to Data Processors.
Lead Data Processor
Where the landlord acts as data controller, the managing agent could act as lead data processor and nominate a data manager for the premises. All other data processors, such as guarding service providers, would be subordinate to the managing agent, who would be responsible for dissemination of the data controller’s policy and procedures and for reporting to, and obtaining approval from, the data controller for the release of data.
Guarding and systems service providers and any other organisations that process personal data on behalf of the data controller are usually data processors. This includes, in particular, where the processing is carried out under the terms of a Data Processing Agreement.
Service providers which carry out processing activities on the instruction of the lead data processor are usually sub-processors (also known as subordinate data processors).
A data recipient is the recipient of personal data from the data controller. This could be a regular/repeated transfer of data or a one-off event. Typically, the data recipient will be one of the following:-
- tenants of the landlord’s premises;
- insurance companies;
- legal representatives; or
- local government authorities.