Rachel Burnett, a solicitor with her own IT-focused practice, explains the different roles and responsibilities of data controllers and data processors.

In data protection, the 'data controller' is the organisation or individual legally responsible for: determining the purposes for which, and the manner in which, personal data are held and processed; following the data protection principles, which are in effect a code of good practice; and taking the decisions about the personal data.

A service provider that processes personal data on behalf of the data controller, as part of the services it provides, is defined as a 'data processor'.

For example, in disaster recovery or outsourcing arrangements, the customer will be the data controller and the provider will be the data processor.

The distinguishing feature is that the data processor does not deal with the personal data in its own right.

In carrying out the processing service, the data processor is accountable to the data controller. The data controller therefore remains responsible overall for the processing.

In this relationship between provider and customer, each party has different legal requirements to meet, in order for the processing of personal data to be authorised and lawful.

The data protection principle about security is particularly relevant: 'Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data, and against accidental loss or destruction of, or damage to, personal data'.

There must be a written contract to ensure that the appropriate standards will be applied. It must require the data processor to act only on instructions from the data controller in respect of the personal data, and to apply security measures equivalent to those the data controller itself is obliged to take under the security principle.

Further provisions are advisable so that the data processor will use its best efforts to prevent any unauthorised or unlawful processing or any accidental loss, destruction or damage and to take all reasonable steps to ensure the honesty and reliability of its personnel.

It is up to the data controller to take reasonable steps to verify, for the life of the arrangement, that the data processor consistently meets the security standards and complies with all of its contractual responsibilities; a contract on its own does not discharge the controller's overall responsibility for the processing.

Supplied by Rachel Burnett, solicitor, Burnett IT Legal Services.