Appendix 6: Joint controllers: Issues to consider
Introduction
This guidance outlines the main issues that you need to consider when acting as a joint controller, and it should support you when signing up to a joint controller agreement. It should help, in particular, when you are one of a large number of joint controllers, for example, if you are working with many organisations to provide integrated care.
For more detailed guidance, the ICO has published a statutory Code of Practice on Data Sharing, which covers all aspects of this area.
What is a joint controller?
The Data Protection Act 2018 provides a definition of a controller. There are two types:
- sole controller
- joint controller
A sole controller is an organisation that decides, by itself, the purpose for, and the manner in which, personal data is to be processed. For example, a GP practice may make a decision to run an exercise to find out which of their patients are most at risk of hospital admission or developing a particular condition.
Joint controllers are organisations which, between them, decide on the purpose and manner of the processing and have the same or shared purposes. Organisations will not be joint controllers if they are processing the same data for different purposes.
To be joint controllers, there must be more than one organisation involved; there is no upper limit on the number. A GP practice would be a joint controller, for example, if it was contributing information to a shared record and all of the organisations involved were using that information to make decisions about providing care.
Signing up to a joint controller agreement
As a joint controller you will need to be clear about:
- your role and responsibilities; and
- the role and responsibilities of the other controllers you are entering into an agreement with.
This can be achieved through an agreement containing the details of those involved in the joint controllership and how it will work. This is called a joint controller agreement. Article 26 of UK GDPR requires joint controllers to set out their respective responsibilities in a transparent arrangement, and to make the essence of that arrangement available to the individuals whose data is processed.
The following sets out areas to consider when signing up to a joint controller agreement for a Shared Care Record Programme (ShCR).
| Issue to Consider | Questions | Yes or No | Further information |
|---|---|---|---|
| Risks and mitigations | Has a DPIA been completed for the ShCR and are you happy that the risks have been appropriately identified and mitigated? | Y or N | A DPIA is a process to help identify and minimise the data protection risks of a project. This is required for processing that is likely to result in a high risk to individuals. The DPIA must be completed before you sign the agreement. |
| Purpose | Are you clear for what purpose the data is being shared? | Y or N | It is important that the agreement is clear about the purpose for processing. This also supports transparency with the public. If the purpose changes, the agreement must be updated and information must be displayed to inform patients of this change. |
| Legal Basis for processing data | Are you clear about the legal basis for processing the data? | Y or N | The agreement must clearly document the legal basis for processing the data. This has three parts. (1) UK GDPR: the legal conditions for processing personal data and special category data, that is, a condition from Article 6 and, for special category data such as health data, a further condition from Article 9. (2) Common Law Duty of Confidentiality: for individual care, it is reasonable to rely upon implied consent. For other purposes the agreement will need to be clear how the common law duty is being met (for example, by seeking explicit consent) or set aside (for example, through section 251 support under the NHS Act 2006). (3) Statutory powers: if you are a public body, does the processing match your statutory functions? GPs do not have statutory powers; their powers derive from their service provision contract (GMS/PMS contract). |
| Roles and Responsibilities | Are you clear about which organisations or individuals information will be shared with or accessible by (for example, trusts, care homes)? Has the ShCR identified any processing which requires the use of a processor? | Y or N | The agreement should clearly set out which other joint controllers are signing up to the agreement. There should be a separate contract if a processor is used. This should not be part of the joint controller agreement; Article 28 of UK GDPR requires a separate written, legally binding contract to be in place between the ShCR IG lead and the processor. It is important that you understand these arrangements prior to signing a joint agreement. For example, the ShCR IG lead should provide evidence that they have conducted due diligence on the processor to ensure legal and regulatory compliance. |
| Retention of Records | Are you clear about how long records will be retained? | Y or N | The agreement should set out how long records will be retained. In addition, the ShCR should have a policy or guide, known as the Retention and Disposal Schedule, that states how long records will be kept and what will happen once the retention period has expired. The retention period should be in line with the Records Management Code of Practice. |
| Relevance of data | Does the agreement clearly set out what data is being processed? | Y or N | This includes the data to be shared (for example, diagnosis) and whether the data is identifiable or not. In relation to the data to be shared, the PRSB (Professional Record Standards Body) has developed the Core Information Standard, through engagement with health and care professionals, patients and service users, which defines the content of an individual's health and care record. The ShCR should only use confidential patient information when necessary: data should be anonymised whenever possible and, where confidential patient information is required, only the minimum amount needed for the purpose should be processed. |
| Informing the public how their information is used | Is there consistent information for the public on the proposed use of their information? | Y or N | You should ensure that arrangements are in place for informing patients or service users about shared records prior to signing the agreement. The aim of transparency is to ensure there are "no surprises" for the patient. Part of the transparency requirement involves the provision of information to the public, previously referred to as fair processing. Your local area should have provided information for the public, patients or service users to all joint controllers, and you should make sure you display this. This should include accessible information, for example, in different languages or formats. Staff in your organisation should know how to signpost patients or service users to further information. There should also be a clear ShCR policy in relation to how complaints will be handled. |
| Records of Processing Activities (ROPA) | Have you got an up to date record of processing which includes information about the ShCR? | Y or N | Before signing the agreement, you should ensure your ROPA is up to date. It should set out: (i) when, why and how the data is processed; (ii) what purposes the data is used for; and (iii) with whom it is shared and the retention periods. The ICO can request this at any time. Records of Processing Activities can be linked to privacy notices for ease of transparency. |
| Patient or Service Users' Rights - Subject Access Requests (SARs) | Does the agreement set out how SARs will be dealt with by the joint controllers? | Y or N | You should ensure that the ShCR has clearly documented policies and processes for handling SARs between the joint controllers. You should make sure you can locate all the information you hold relating to a patient or service user, and know where to send this information in the event of a SAR relating to the ShCR, within the legal time limit of one calendar month from receipt (extendable by a further two months where a request is complex or you receive a number of requests from the individual). |
| Patient or Service Users' Rights - Right to Object | Are you clear about how to handle patient objections? | Y or N | It is important, before signing an agreement, that you understand how patient or service users' objections will be handled. These should be considered on a case by case basis. If you override an objection, you should be able to demonstrate how and why your processing of data for individual care provides compelling grounds that override the individual's right to object. |
| Training | Are staff in your organisation trained? | Y or N | The minimum requirements for staff IG training are set out in NHS England's Data Security and Protection Toolkit (DSPT). |
Last edited: 31 March 2026 8:22 am