Self-employed contractors in your workforce – are they data processors?

United KingdomScotland

Most organisations have moved on from the implementation phase of their GDPR project to deal with “business as usual” queries. In this edition of our “GDPR bitesize” series about the impact of the General Data Protection Regulation (“GDPR”) and the Data Protection Act 2018 ("DPA") in day-to-day HR practice, we focus on the question of whether a self-employed contractor might be a data processor and if so, the implications for both parties.

Who is a data processor?

The GDPR and the DPA distinguish between a data controller and a data processor. A data controller determines the purposes and means of processing personal data; in other words, how and why the data is used. For example, an employer decides how and why to collect the personal information of its workforce.

A data processor processes personal data only on behalf of and in accordance with instructions from the data controller. For example, an employer might outsource its payroll function to an external provider making that provider its data processor. Although a data processor may have quite wide discretion and use its expertise in the processing of the personal data, the data controller retains control over what personal data is processed and why.

Why does it matter?

Both a data controller and a data processor can be liable under the GDPR. Additionally, when engaging a data processor, data controllers must enter into a contract that includes certain mandatory provisions about the relationship between the data controller and the data processor and how personal data is to be handled, as set out in Article 28 of the GDPR.

What are these mandatory provisions?

A contract between the data controller and a data processor must include the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subject and the data controller’s obligations and rights.

It must also include specific obligations on the data processor, for example that it:

  • will process the personal data only on documented instructions from the controller;
  • will put appropriate security and confidentiality measures in place;
  • will not appoint a sub-processor without the controller's consent (and if they are given general consent will inform the controller of any changes in sub-processor);
  • must assist the controller to comply with certain of the data controller's data protection duties (e.g. to notify a personal data breach to the supervisory authority and, if applicable, to data subjects, or to carry out a data protection impact assessment) when asked to do so.

The data processor must also delete or return the personal data at the end of the arrangement and keep appropriate records.

How do we determine whether someone working for us could be a data processor?

Broadly, employees are considered to be acting under the direct authority of their employer, rather than being a third party recipient of personal data and potentially acting as a data processor in their own right. As long as they are acting within the scope of their duties as an employee, employees are seen to be acting as an agent of their employer (i.e. the controller) itself.

This was specifically set out in the Data Protection Act 1998, and is also addressed in the ICO’s guidance on controllers and processors. However, the position of other members of an employer’s workforce is more complex. This is particularly true in relation to self-employed contractors (either engaged directly or through an intermediary such as a personal service company) if they have access to personal data by virtue of providing services to their client, the data controller.

Determining whether a self-employed contractor is likely to be a data processor within the meaning of the GDPR is going to be very fact-specific. The more integrated they are into an organisation, the more persuasive the argument that they are acting under the direct authority of the data controller and in a position akin to that of an employee. This aspect of the relationship, however, could have ramifications from an employment rights and tax perspective.

What if we do not include processor clauses?

Failure to meet the duty to include the specific information and clauses referred to above in a contract with a processor can result in a fine of up to the higher of €10 million or 2% of worldwide annual turnover.

However, beyond a technical breach, considering the issue and discussing a contractor’s responsibilities with them will help ensure that personal data is being trusted to the right person or organisation. In addition to any fines, given the reputational risks of an organisation being implicated in its contractor's data breach, going through this process makes good business sense.

What if the contractor is a data controller?

The fact that a self-employed contractor may provide services to an organisation does not necessarily mean that they are a data processor; they may be a data controller. Whether the self-employed contractor is a data controller or data processor will depend on their role and responsibilities in relation to the processing. For example, professional service providers such as lawyers and accountants will usually be data controllers in their own right.

There are not the same mandatory obligations to include particular clauses in your arrangements with other data controllers. Nonetheless, from a reputational perspective, if you as a controller are giving personal data of your customers, clients, staff or similar to a third party consultant, it would be sensible for the parties to commit to appropriate data protection standards, including those recommended in the ICO’s data sharing code of practice. This code of practice is in the course of being updated for GDPR, and we can expect to see an updated code in the near future.