Data Controller/Data Processor Contracts #1: Applicability
This blog explains why and when organizations should require contracts with service providers that have access to customer or employee personal information.
One of the most underappreciated aspects of data controller/data processor contracts is when they are needed. This results from either 1) a lack of awareness of their necessity, or 2) the failure to recognize all service providers that are given access to personal information.
Regarding the first point, awareness of the need, any organization that is responsible for protecting the personal information of customers and employees falls into the category of “data controller” and should have a written contract with every service provider that has access to personal information.
Sectors commonly thought of as data controllers include financial, healthcare, insurance, retail, hospitality, transportation, government, large employers, social media platforms, and data brokers, all of which are subject to data protection regulations. Some regulations include qualifiers that exempt smaller data controllers, but in today’s privacy environment, any organization with clients or employees is better off behaving as if it is one. Simply relying on regulatory loopholes as a defense for not protecting personal information is a risky gamble and certain to end badly.
The service provider entrusted by the data controller with access to personal information is a “data processor” under those same data protection regulations.
Unlike data controllers, however, there are NO regulatory exemptions for data processors. No matter what, any individual or organization engaged by a data controller to process (access or handle) personal information is automatically considered a data processor under all data protection regulations simply as a function of the services they provide.
Here is a partial list of service providers that technically qualify as data processors, and with whom all organizations should have an explicit data controller/data processor contract:
- Records/Data Storage Services
- Secure Destruction Services
- Computer Recycling Services
- IT Asset Disposal (ITAD) Services
- Managed IT Services
- Medical Waste Transporters
- Human Resource and Payroll Services
- Background Screening Services
- Billing and Collection Services
The failure to recognize these services as data processors is one of the main reasons data controllers find themselves vulnerable to data security breaches and out of compliance with regulatory contract requirements. Should an incident reveal that no contract was in place, the result will be far more consequential.
Why Data Controller/Data Processor Contracts are Always Necessary
Some data protection regulations, such as HIPAA/HITECH and GLBA, specifically require data controller/data processor contracts, as do the spate of new state data protection and privacy laws sweeping the country. And should the US federal government follow suit, as many predict, it is a virtual certainty that data controller/data processor contracts will be baked into that law.
On the other hand, some data protection regulations, such as the FACTA Final Disposal Rule and many older state data protection regulations, do not have a similar requirement.
As stated earlier, however, the regulatory necessity of such contracts is moot, since relying on regulatory loopholes as a defense for not protecting personal information is not really an option.
Take the FACTA Final Disposal Rule, for example, which does not explicitly require a contract* between data controllers and data processors. Under the regulation, Credit Reporting Agencies (CRAs) are obligated to ensure that service providers have adequate safeguards in place to protect personal information.
In the event a CRA experiences a security breach via a data processor they engage, even though the contract requirement is not spelled out, the absence of such a contract would severely impugn their data security diligence. In fact, failure to have a contract would likely be deemed willfully negligent. How could they reasonably expect to hold the data processor accountable without a contract in place?
To take it a step further, let’s look at it from the perspective of a data controller that is too small (either in number of employees or annual sales) to be subject to data protection regulations. Regardless of size, no organization is exempt from the responsibility to protect the personal information of clients and employees, and no organization is immune to the potential legal consequences. Should it be sued as a result, the absence of contracts with its data processors would be inexcusable and would surely make the outcome far worse. Saying it was not required to have a contract under the relevant regulation would do it no good whatsoever. In fact, using that defense could end up being even more damning.
The only reasonable best practice for any organization is to identify all service providers that will have access to any customer or employee personal information, and to make sure data security requirements are specifically detailed and reporting requirements are fully documented in a formal contract.
Doing so is easy and responsible, which makes not doing so all that more unforgivable.
*While the FACTA Final Disposal Rule suggests there be a processor contract in place, it is not technically a requirement of the regulation.
© 2023 Privata Vox, LLC - All Rights Reserved
Bob Johnson, CSDS, CIPP/US, is the Principal Advocate at Privata Vox, LLC. Read more about his long career in privacy and data protection policy development.