Columnist Kaleke Kolawole Naming the end client I t is a conundrum, we know. Do you need to name the client The determination of who is a controller (DC), joint controller when conducting research? What are the challenges of doing (JDC), data processor (DP) or third party is a question of fact so and are there any exemptions? rather than contractual stipulation. It is based on a determination The MRS Code of Conduct states that members must disclose of the purposes and means of the processing and, essentially, the the identity of clients where there is a legal obligation to do so, level of decision-making power exercised. and states that where files of identifiable individuals are used Depending on the type of research project, a client may be a e.g., client databases members must ensure that the source third party, sole data controller or joint data controller in line with of the personal data is revealed at an appropriate point in the the level of autonomy and responsibility the client exercises over data collection. the personal data being collected. Similarly, a research supplier There is an obligation to name a commissioning client in three may be a processor, joint controller or sole controller. Importantly, main scenarios: it should be noted that receiving personal data is not the only measure for determining if you are a controller in a research Client is the data controller or joint controller project. If you set a purpose for example, issue a commercial Client is the source of the personal data question to a researcher you are rendered a controller. The key to Client is receiving personal data from a research activity. determining the status of each party in research data collection is Additionally, the identity of the client must be revealed when data knowing the level of control exercised collection is undertaken if clients and understanding where the require personal data from a project. decision-making authority is held. First, what is a data controller? Numerous legal cases have tested The data controller determines the We acknowledge that naming the purposes for which, and the means end client is not a favourable position whether access to identifiable data is key to determining whether a by which, personal data is processed. to commissioners. It can erode the controller relationship exists. These If your company/organisation principle of confidentiality cases have determined that an entity decides why and how the personal does not need to have access to data should be processed, it is the personal data to be considered a data controller. The UK General controller. It is enough if a business determines the purposes and Data Protection Regulation (GDPR) draws a distinction between a means of processing, has influence on the processing by causing the controller and a processor to recognise that not all organisations processing of personal data to start (and being able to make it involved in the processing of personal data have the same degree of stop), or receives the anonymous statistics based on personal data responsibility. The UK GDPR defines these terms: collected and processed by another entity. Controller means the natural or legal person, public authority, agency or other body that, alone or jointly with others, determines the purposes and means of the processing of What are the challenges with naming personal data. the client? We acknowledge that naming the end client is not a favourable Processor means a natural or legal person, public authority, position to commissioners. It can erode the principle of agency or other body that processes personal data on behalf of confidentiality, introduce bias and reduce the robustness of a the controller. research project. Naming the client can also: If you are a controller, you are responsible for complying with the UK GDPR you must be able to demonstrate compliance with the Reduce methodological rigour (e.g., bias responses where the data protection principles and take appropriate technical and clients identity is known up front; adversely impact on trend data organisational measures to ensure your processing is carried out in where attitudes on behaviour etc. are measured over time, as line with the UK GDPR. results will not be comparable) 52 Impact ISSUE 42 2023_pp52-53 Legal.indd 52 16/06/2023 17:19