Data controllers and data processors

Data  Controller - Someone (a natural or legal person, public authority, agency or other body) who, alone or jointly with others determines the purpose and means of processing of personal data.

Data Processor - Someone (a natural or legal person, public authority, agency or other body) who processes personal data on behalf of the data controller.

Both roles have responsibility for complying with the GDPR, but the specific duties vary between the roles. Both a data controller and a data processor may be subject to penalties.

Which am I - controller or processor? When expert witnesses are provided with personal data by an instructing solicitor, it is most likely that the Expert Witness will be a data controller in their own right as, although the information will be provided by the instructing solicitor, the Expert Witness is independent from the solicitor and decides how the information is processed for their own purposes. Therefore, both Expert Witnesses and instructing solicitors will be data controllers in their own right, although they will be sharing information. The ICO has guidance on this (available at https://ico.org.uk/media/for-organisations/documents/1546/data-controllers-and-data-processors-dp-guidance.pdf).

From paragraph 26 of this guidance, the ICO state that where you are using an outside service, they would be considered a controller as they determine the purposes for which and means by which the personal data is processed.

Therefore, when an Expert Witness is commissioned to provide a Report/Expert Witness statement, the service is being provided independently from the legal advisor and therefore the Expert is a controller of this information and may, in very limited circumstances, also be considered a processor of the legal advisor.