Managing Data Processors

Who are Data Processors?

A ‘Data Processor’ is anyone, individual or organisation, who processes personal data on behalf of ARU. Typically this is where we engage a company to deliver a service for us and we need to either provide them with personal data which we already hold and for which we are legally responsible or request that they collect it on our behalf.

Essentially the Data Protection Act states that under these arrangements ARU is always legally accountable for the data processing done by others on our behalf, meaning a breach of the Act made by a Processor working on our behalf is our responsibility and makes us liable for any fine imposed by the regulator. This is the case unless ARU can demonstrate to the regulator that the Processor has acted outside of our instructions to them. That’s why it is so important to ensure the relationship we have with suppliers is covered by appropriate agreements which evidence our instructions to them and their commitments to us.

Examples of Data Processors:

  • Software system suppliers who host and/or have access to our personal data
  • Archiving and confidential shredding suppliers
  • Transcription and translation services
  • External Occupational Health and Counselling services
  • Legal advisors and Auditors
  • Consultants and Advisors

What must we have in place for them?

Article 28 of the General Data Protection Regulation (2016) sets out what we are required to have in place when we allow a Processor to process ARU’s personal data. In brief, these are the requirements:

  • Controllers can only use Processors who provide appropriate guarantees over data security
  • Our Processors cannot use other Processors without ARU’s consent or our prior agreement (with an option for us to object)

A contract must be in place covering:

  • A clear description of the subject-matter and duration of processing, its nature and purpose, the types of data and data subjects involved and the rights of ARU.
  • The limiting the Processor to only act on ARU’s instructions, especially where personal data may be sent outside of the European Economic Area (EEA).
  • Requiring the Processor to inform ARU of any legal requirement to process data outside of our instructions unless the law allows them not to.
  • Processor employees being under contractual obligations to their employer to keep data confidential
  • Supporting ARU in managing requests from Data Subjects to exercise their rights under GDPR
  • Supporting ARU in complying with obligations to evidence security, manage data breaches and conduct Data Protection Impact Assessments
  • Deleting or returning ARU personal data after the agreement ends and notifies us of any legal requirement for them to retain copies
  • Allowing ARU (or our auditors) to audit their data processing practices
  • Informing ARU if they believe our instructions are not lawful
    • Committing any additional processors used by the Processor to the same contract provisions and making the Processor accountable to ARU for the failings of their processors.
    • The contract must be in writing (electronic format is accepted).
    • Where a Processor acts outside of the contract, they are determined to be acting as a Controller and therefore liable to the ICO and Courts for any regulatory or legal action

    In addition to this basic legal requirement, ARU seeks to refine the contract demands to ensure that:

    • Breaches are reported to ARU within 24 hours of the Processor becoming aware of them
    • The Processor must not report breaches relating to ARU data to anyone else without our approval
    • Deletion of data at contract end must happen within 28 days of formal termination
    • Return of data at contract end must be in an agreed format to allow us to effectively use it or transfer it to a new supplier
    • The Processor does not charge us for their support in managing rights requests, supporting audits and other compliance activities

    Where the Processor may process ARU personal data outside of the EEA (e.g. their software is hosted in the United States, their customer support has 24/7 “follow-the-sun” operations or their technical support is based around the globe etc), and the country in question does not have an ‘Adequacy Decision’ from the UK regulator then a contract will contain the EU-approved Standard Contractual Clauses (SCC) or other legal safeguard to ensure the processing is lawful. ARU adds additional clauses to the SCCs in order to improve GDPR compliance as the clauses were approved by the EU pre-GDPR.

    How do we put a contract in place?

    For advice on how to manage setting up an agreement with an external supplier please visit the Procurement pages on the intranet, and in particular the Policies, Guidance and Reporting page.

    Where a supplier relationship involves the processing of ARU personal data, the procurement process will involve the Data Protection Officer reviewing either an ARU contract/ agreement template or a draft contract/ agreement provided by the Supplier.

    This process can be initiated by the purchasing Faculty or Service engaging with a supplier using the range of standard templates, with guidance from Procurement that this engagement is appropriate.

    Where a Procurement goes through a Tender process, the DPO will work with the Procurement Team to establish what questions on Data Protection compliance will form part of the evaluation. Typically this will be determined by the sensitivity of the data that the winning applicant will be processing, however additional questions may be asked depending on the specific nature of the processing as determined by the DPO. Standard low and high risk tender questions are here.

    The DPO’s involvement will also include a decision on whether the proposed activity requires a Data Protection Impact Assessment (DPIA).

    Where the service involves purchasing an IT product that will store or host personal data, the IT Services project management process at Project Initiation Document (PID) stage requires the initiator to engage with the DPO to obtain an approved DPIA or confirmation that one is not required.

    ARU uses the following clause and contract/ agreement templates:

    What if we work with individuals who don’t have an employer?

    On occasion ARU may need to engage with individuals to deliver services that require them having access to ARU personal data. Where the individual is not employed by a partner or supplier, a ‘legal entity’ who we could have a contract with, then we need establish some control over their behaviours with our data.

    Examples of this type of activity might be students engaged through the Employment Bureau, volunteers, an independent researcher, a consultant or advisor (particularly if engaged urgently ahead of a formal contract being in place).

    In such circumstances a Non-Disclosure Agreement allows us to evidence that we have made clear our expectations over an individual’s processing of our data and highlighted basic do’s and don’ts. For this to be effective:

    • The details of the activity, including details of the data being processed and the time limit must be completed and shared with the DPO
    • An ARU employee of appropriate seniority must agree to oversee and monitor compliance with the agreement
    • The DPO will document any appropriate constraints on the processing where necessary
    • Access to high-risk systems will be requested
    • The DPO will retain a record of the approval and conduct a sample check to monitor whether time limits are being observed correctly.
    • To arrange an NDA, please complete the form and send to dpa@anglia.ac.uk

    Working for/ with other bodies

    ARU as a Joint Controller

    For some initiatives ARU will work in partnership with other University’s or organisations rather than another party working for us. Where more than one party acts as a Data Controller for an activity and the data they are processing is shared with joint ownership, the parties act as ‘Joint Controllers’. A common example would be where ARU partners with other Institutions or organisations on research projects where all parties contribute as equal partners and jointly publish findings.Article 26 of the GDPR covers these arrangements and requires the following to be in place:

    • The parties must agree their respective responsibilities over personal data, especially over who will be responsible for managing data subject rights requests and providing privacy notices
    • This must be formalised in an agreement making clear the responsibilities
    • The basics of the agreement should be made available to data subjects (through privacy notices and additional explanation if necessary)
    • Data Subjects should be made aware of a contact point to direct requests and queries

    ARU manages these requirements through developing a Data Sharing Agreement which is approved by all parties who jointly act as Data Controllers.

    ARU as a Data Processor

    Where ARU processes personal data on behalf of another organisation we act as a Data Processor. An example might be where a particular specialism or expertise in ARU is used by another research institution to help them deliver their research project or where we undertake a commercial activity, i.e. an organisation pays us for our services (e.g. tissue sample testing).

    In such cases we must make all of the commitments under Article 28 of GDPR to the Data Controller we work for and it is important that we understand and comply with the commitments that we are making as we are liable for any breaches of those commitments. This may have serious implications for us financially and reputationally.