Chapter 1: Introduction to Privacy
Processing and Data Roles - Subject, Controller, Processor
Processing covers almost anything done with personal data. The data controller decides how and why data is processed and bears most obligations; the data processor acts on the controller's behalf - under HIPAA, processors are 'business associates'.
Processing refers to almost anything done with personal information - collection, recording, storage, use, disclosure, combination, blocking, erasure, or destruction. These terms were first widely used in the EU.
| Role | Definition |
|---|---|
| Data subject | The individual the information is about (patient, employee, customer) |
| Data controller | Decides how and why data is processed; focus of most obligations |
| Data processor | Processes data on the controller's behalf (often a third party); 'business associate' under HIPAA |
Processors stay in scope
Each link in the chain - controller, processor, sub-processor - must act consistently with the controller's direction. A processor is not authorized to process data beyond what is permitted for the controller.
Key terms - quick answers
What is “Processing”?
Almost anything done with personal information - collection, storage, use, disclosure, combination, erasure, destruction, and more.
What is “Data subject”?
The individual about whom information is being processed, such as a patient, employee, or customer.
What is “Data controller”?
An organization with authority to decide how and why personal information is processed; bears most obligations under privacy law.
What is “Data processor”?
An individual or organization that processes data on behalf of a controller; called a 'business associate' under the HIPAA Privacy Rule.