Definition of Data controller from Care Data Matters: a roadmap for better data for adult social care (May 2023)
The organisation that has overall responsibility for the data that is stored. They control who can access the data and how it can be accessed.
Definition of Data controller from Information Commissioner's Office: UK GDPR guidance and resources
The UK GDPR draws a distinction between a ‘controller’ and a ‘processor’ in order to recognise that not all organisations involved in the processing of personal data have the same degree of responsibility. The UK GDPR defines these terms:
‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
If you are a controller, you are responsible for complying with the UK GDPR – you must be able to demonstrate compliance with the data protection principles, and take appropriate technical and organisational measures to ensure your processing is carried out in line with the UK GDPR.
If you are a processor, you have more limited compliance responsibilities.
The UK GDPR defines a controller as "the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data."
Controllers make decisions about processing activities. They exercise overall control of the personal data being processed and are ultimately in charge of and responsible for the processing.
Some controllers may be under a statutory obligation to process personal data. Section 6(2) of the Data Protection Act 2018 says that anyone who is under such an obligation and only processes data to comply with it will be a controller.
A controller can be a company or other legal entity (such as an incorporated partnership, incorporated association or public authority), or an individual (such as a sole trader, partner in an unincorporated partnership, or self-employed professional, eg a barrister).
However, an individual processing personal data for the purposes of a purely personal or household activity is not subject to the UK GDPR.
Definition of Controller from NHS England Transformation Directorate: Information Governance Framework for Integrated Health and Care: Shared Care Records (Sep 2021)
The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.