Managing Data Processors

Who are Data Processors?

A ‘Data Processor’ is a Party who processes personal data on behalf of ARU. Typically this is where we engage a company to deliver a service for us and we need to either provide them with personal data which we already hold and for which we are legally responsible or request that they collect it on our behalf.

Essentially the Data Protection Act states that under these arrangements ARU is always legally accountable for the data processing done by others on our behalf, meaning a breach of the Act made by a Processor working on our behalf is our responsibility and makes us liable for any fine imposed by the regulator. This is the case unless ARU can demonstrate to the regulator that the Processor has acted outside of our instructions to them. That’s why it is so important to ensure the relationship we have with suppliers is covered by appropriate agreements which evidence our instructions to them and their commitments to us.

Examples of Data Processors:

  • Software system suppliers who host and/or have access to our personal data
  • Archiving and confidential shredding suppliers
  • Transcription and translation services
  • External Occupational Health and Counselling services
  • Legal advisors and Auditors
  • Consultants and Advisors

What must we have in place with them?

Article 28 of the General Data Protection Regulation (2016) sets out what we are required to have in place when we allow a Processor to process ARU’s personal data. In brief, these are the requirements:

  • Controllers can only use Processors who provide appropriate guarantees over data security
  • Our Processors cannot use other Processors without ARU’s consent or our prior agreement (with an option for us to object)
  • A contract must be in place covering:
    • A clear description of the subject-matter and duration of processing, its nature and purpose, the types of data and data subjects involved and the rights of ARU.
    • Limiting the Processor to acting only on ARU’s instructions, especially where personal data may be sent outside of the European Economic Area (EEA).
    • Requiring the Processor to inform ARU of any legal requirement to process data outside of our instructions unless the law allows them not to.
    • Processor employees being under contractual obligations to their employer to keep data confidential
    • Supporting ARU in managing requests from Data Subjects to exercise their rights under GDPR
    • Supporting ARU in complying with obligations to evidence security, manage data breaches and conduct Data Protection Impact Assessments
    • Deleting or returning ARU personal data after the agreement ends and notifying us of any legal requirement for them to retain copies
    • Allowing ARU (or our auditors) to audit their data processing practices
    • Informing ARU if they believe our instructions are not lawful
  • Committing any additional processors used by the Processor to the same contract provisions and making the Processor accountable to ARU for the failings of their processors.
  • The contract must be in writing (electronic format is accepted).
  • Where a Processor acts outside of the contract, they are determined to be acting as a Controller and therefore liable to the ICO and Courts for any regulatory or legal action

In addition to this basic legal requirement, ARU seeks to refine the contract demands to ensure that:

  • Breaches are reported to ARU within 24 hours of the Processor becoming aware of them
  • The Processor must not report breaches relating to ARU data to anyone else without our approval
  • Deletion of data at contract end must happen within 28 days of formal termination
  • Return of data at contract end must be in an agreed format to allow us to effectively use it or transfer it to a new supplier
  • The Processor does not charge us for their support in managing rights requests, supporting audits and other compliance activities

What if we work with individuals who don’t have an employer?

On occasion ARU may need to engage individuals to deliver services that require them to have access to ARU personal data. Where the individual is not employed by a partner or supplier (a ‘legal entity’ with which we could have a contract), we need to establish some control over their handling of our data.

Examples of this type of activity include volunteers, an independent researcher, or a consultant or advisor (particularly if engaged urgently ahead of a formal contract being in place).

In such circumstances a Non-Disclosure Agreement allows us to evidence that we have made clear our expectations over an individual’s processing of our data and highlighted basic do’s and don’ts. For this to be effective:

  • The details of the activity, including details of the data being processed and the time limit must be completed and shared with the DPO
  • An ARU employee of appropriate seniority must agree to oversee and monitor compliance with the agreement
  • The DPO will document any appropriate constraints on the processing where necessary
  • Access to high-risk systems will be requested
  • The DPO will retain a record of the approval and conduct a sample check to monitor whether time limits are being observed correctly.

Third-party ‘suggested’ tools

Where we direct students or staff to use third party applications or websites (tools) we should understand our obligations in ensuring such tools appropriately comply with personal data legislation.

The extent to which such checks are made depends on the circumstances of our proposed use. If use of the tool is a core part of the relationship with the student or staff member, i.e. they must use it and there is no alternative, then there should be an appropriate agreement in place between ARU and the tool supplier. This is always the case where the supplier relationship involves ARU providing the supplier with student and staff data (e.g. to set up accounts and manage access). The supplier will need to make statutory commitments to us about their processing of Personal Data and we have a legal duty to ensure this is in place.

Where we are only ‘sign-posting’ users to a tool which we are recommending as an optional resource and which doesn’t require ARU to have a contractual relationship with the provider (e.g. we’re not purchasing licenses or paying for use, and not sharing personal data with the supplier), the user is free to determine whether they wish to use the tool or not.

Users should be made aware that use of the tool is not mandatory and that whilst ARU makes basic checks over the appropriateness of the tool, Users are encouraged to ensure they are comfortable with a provider’s use of their personal data.

Therefore, when considering sign-posting Users to tools, the following should be considered as a basic Privacy ‘health-check’, and the majority of the following points should be addressed in the Supplier’s ‘Privacy’ content on their websites. Take care to ensure that the ‘Privacy’ content you review relates specifically to the tool rather than just to basic use of the supplier’s website.

Suppliers should also state whether data is ‘accessed’ from another country, e.g. it may be stored in the UK, but they may have support in the US who remotely access data. Both ‘access’ and ‘storage’ count as ‘processing’, and processing outside the UK needs to offer the same protections as under UK law.

  • What Privacy rights are available?
    Is there a commitment to allow Users to contact the Supplier and be able to have a copy of their personal data held by them, amend their data, stop using it, or delete it?

  • Are the use purposes clear?
    Do they make clear that personal data will only be used for the purpose of delivering the tool’s core service? If there are other uses made of data, is the user given choices to prevent this?

  • Is there Third-party use of data?
    Is there any suggestion that data may be used for other purposes without the User being able to prevent this, or any sharing with third parties? Where the supplier states that the data is anonymised, it is not personal data and therefore Data Protection law doesn’t apply.

  • Where will Personal Data reside or be accessed from?
    If personal data provided through the tool is stored in the UK, then we can be assured that it is governed by UK law or equivalent law. If it is stored in other countries (list here) whose law is ‘trusted’ by the UK then this is acceptable also. If not then they should state a legal basis explaining how they safeguard privacy rights – typically we are looking for compliance with the Standard Contractual Clauses, sometimes known as the EU Model Clauses. This is particularly relevant for storage in the United States.