#99

One of the things that still trips me up in data privacy is determining whether someone is considered a controller or a processor. Sometimes, it is not so clear-cut. For example, Company A partners with Hospital B such that employees of Company A get free medical check-ups from Hospital B as part of the onboarding process. Is Hospital B a controller or a processor?

In answering the question whether a company is a controller or processor, we have been taught that the idea of "control" is predominant. The personal information controller, as the name denotes, "controls" the purpose and means of processing. The personal information processor, on the other hand, only follows the instructions of the former.

Going back to our example, Hospital B is receiving personal information of Company A's employees - let's say name, age, sex, and other health information. Is it a controller or a processor? We need to delve deeper. Did Hospital B get the personal information from Company A itself? Let's say Hospital B only got the names of the employees from Company A but received all other information from the employees directly. Does this make Company A and Hospital B distinct and separate controllers? We have to consider that Hospital B has to keep records of the employees' medical results. What if the employees voluntarily go back to Hospital B for other medical examinations outside of pre-employment purposes and Hospital B updates the results from the previous medical exam? Finally, because of the agreement between Company A and Hospital B, the employees had no choice but to go to Hospital B for their onboarding medical exam. Does this put Hospital B's processing of the employees' information under the instruction of Company A, making Hospital B a processor? Or are Company A and Hospital B joint controllers?

In gauging the relationship of Company A and Hospital B, and by extension, all businesses with each other, identifying which is the controller and which is the processor is not always a simple process. It would have been easier if personal data owned by Entity X went to Entity Y for processing like a direct line, but based on experience, that is not always the case. Lines go up, down, left, right, back, forward; sometimes, lines even become circles, squares and triangles; worse are those times when these shapes even become 3D. Even "ownership" of personal data is disputed. At the end of the day, all of these data were taken from natural persons who are distinct and separate from the corporation that collected such information.

Anyway, that goes to show that there is more to learn in this field.

