Re: "Control and accountability disappears when you hand it over."
"Not necessarily. If, for example, the NHS stores all our medical records, they may make them available to other organisations, not as processors on behalf of the NHS but for the purpose of those other organisations (e.g. university based research projects). In this case the relationship may be joint controllership or sharing."
There is not really a single entity called the NHS - it's lots of distinct orgs, both public sector and businesses (i.e. GPs and dentists).
The "NHS" doesn't store all our records, GP Practices are the sole Data Controller for their registered patients' records ("primary care"). Hospitals/Trusts store secondary care records for people they have treated. Both these types of records may be/are shared with other orgs. GPDPR for example was an attempt to create a central store for both primary and secondary care records.
I have ongoing ICO cases regarding GP Practices sharing their patients' records via a Data Sharing Agreement (DSA) that defines they, along with the other orgs involved, are "Data Controllers in Common" (not quite the same as Joint Data Controllers). Except the DSA that governs (i.e. legalises) this sharing requires all participants to be signatories to the DSA, but the local health body has admitted that *none* of the GP Practices involved have ever signed the DSA (it seems they've never even seen it, so couldn't even have agreed to it) - and so their participation in the sharing (and likewise for the recipients of the shared data) has had no valid lawful basis for the past 10 years! Part of my complaint is regarding the GPs' loss of control (as sole Data Controller) over my patient records once they have shared them with the central system - even if this data is used for the intended purpose, it is retained centrally for death+10 years and may be later used for additional purposes that the GP is unaware of/did not intend.
"A processor can only process on the direct instructions of a data controller that specify exactly what is to be done with what data for what purposes. So the only legitimate reason a processor has is having been specifically so instructed by a controller."
That forms another part of my complaint - my GP Practice (and it appears all other participating practices) *never* instructed EMIS and INPS (the companies that host practically all of the UK GPs' patient record systems) to set up/enable the automated data sharing integration with the central system. It appears that the central health service agency running the data sharing asked/told EMIS & INPS to enable data sharing integration for all the GP Practices in question - so EMIS & INPS, as Data Processors for GPs, have broken data protection law by acting without instructions from their Data Controllers (each individual GP Practice), and the GP Practices (and their DPOs) have also broken data protection law by failing to ensure they are in control of their Data Processors.
"That's primarily why the use of behemoth processing services (e.g. Mailchimp, Survey Monkey) are legally questionable, as their typically non-negotiable unilaterally imposed contracts with their customers (the controllers) specify the processing despite their being officially processors on behalf of said controllers."
That feeds into issues like Data Minimisation and Purpose Limitation, especially for the sharing of data: if the Data Controller (i.e. GP) has no control over which data is deemed mandatory for sharing purposes (e.g. in an API or in an interactive online system), then the Data Controller cannot exercise their responsibility for ensuring Data Minimisation whenever it's someone else who decides on the mandatory criteria.