Data Protection Act 2018 - Part 4 Intelligence Services Processing Chapter 4 Controller and Processor



This Chapter sets out—

    1. the general obligations of controllers and processors (see sections 102 to 106);
    2. specific obligations of controllers and processors with respect to a security (see section 107);
    3. specific obligations of controllers and processors with respect to personal data breaches (see section 108).

General obligations

General obligations of the controller

Each controller must implement appropriate measures—

    1. to ensure, and
    2. to be able to demonstrate, in particular to the Commissioner,

that the processing of personal data complies with the requirements of this Part.

Data protection by design

  1. Where a controller proposes that a particular type of processing of personal data be carried out by or on behalf of the controller, the controller must, prior to the processing, consider the impact of the proposed processing on the rights and freedoms of data subjects.
  2. A controller must implement appropriate technical and organisational measures which are designed to ensure that—
    1. the data protection principles are implemented, and
    2. risks to the rights and freedoms of data subjects are minimised.

Joint controllers

  1. Where two or more intelligence services jointly determine the purposes and means of processing personal data, they are joint controllers for the purposes of this Part.
  2. Joint controllers must, in a transparent manner, determine their respective responsibilities for compliance with this Part by means of an arrangement between them, except to the extent that those responsibilities are determined under or by virtue of an enactment.
  3. The arrangement must designate the controller which is to be the contact point for data subjects.


  1. This section applies to the use by a controller of a processor to carry out the processing of personal data on behalf of the controller.
  2. The controller may use only a processor who undertakes—
    1. to implement appropriate measures that are sufficient to secure that the processing complies with this Part;
    2. to provide to the controller such information as is necessary for demonstrating that the processing complies with this Part.
  3. If a processor determines, in breach of this Part, the purposes and means of processing, the processor is to be treated for the purposes of this Part as a controller in respect of that processing.

Processing under the authority of the controller or processor

A processor and any person acting under the authority of a controller or processor, who has access to personal data may not process the data except—

  1. on instructions from the controller, or
  2. to comply with a legal obligation.

Obligations relating to security

Security of processing

  1. Each controller and each processor must implement security measures appropriate to the risks arising from the processing of personal data.
  2. In the case of automated processing, each controller and each processor must, following an evaluation of the risks, implement measures designed to—
    1. prevent unauthorised processing or unauthorised interference with the systems used in connection with it,
    2. ensure that it is possible to establish the precise details of any processing that takes place,
    3. ensure that any systems used in connection with the processing function properly and may, in the case of interruption, be restored, and
    4. ensure that stored personal data cannot be corrupted if a system used in connection with the processing malfunctions. Obligations relating to personal data breaches

Communication of a personal data breach

  1. If a controller becomes aware of a serious personal data breach in relation to personal data for which the controller is responsible, the controller must notify the Commissioner of the breach without undue delay.
  2. Where the notification to the Commissioner is not made within 72 hours, the notification must be accompanied by reasons for the delay.
  3. Subject to subsection (4), the notification must include—
    1. a description of the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
    2. the name and contact details of the contact point from whom more information can be obtained;
    3. a description of the likely consequences of the personal data breach;
    4. a description of the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
  4. Where and to the extent that it is not possible to provide all the information mentioned in subsection (3) at the same time, the information may be provided in phases without undue further delay.
  5. If a processor becomes aware of a personal data breach (in relation to data processed by the processor), the processor must notify the controller without undue delay.
  6. Subsection (1) does not apply in relation to a personal data breach if the breach also constitutes a relevant error within the meaning given by section 231(9) of the Investigatory Powers Act 2016.
  7. For the purposes of this section, a personal data breach is serious if the breach seriously interferes with the rights and freedoms of a data subject.