A ‘Data Processor’ is any individual or organisation that processes personal data on behalf of ARU and on ARU’s instructions. Typically this arises where we engage a company to deliver a service for us and we either provide them with personal data which we already hold and for which we are legally responsible, or ask them to collect it on our behalf.
In essence, the Data Protection Act 2018 makes ARU, as the Data Controller, legally accountable for data processing done by others on our behalf: a breach of the Act by a Processor working for us is our responsibility and makes us liable for any fine imposed by the regulator. This is the case unless ARU can demonstrate to the regulator that the Processor acted outside of our instructions to them. That is why it is so important that the relationship we have with each supplier is covered by an appropriate agreement which evidences our instructions to them and their commitments to us.
Examples of Data Processors:
Article 28 of the General Data Protection Regulation (2016) sets out what we are required to have in place when we allow a Processor to process ARU’s personal data. In brief, these are the requirements:
A contract must be in place covering:
In addition to this basic legal requirement, ARU seeks to refine the contract demands to ensure that:
Where the Processor may process ARU personal data outside of the EEA (e.g. their software is hosted in the United States, their customer support runs 24/7 “follow-the-sun” operations, or their technical support is based around the globe) and the country in question does not benefit from an ‘Adequacy Decision’ (a formal finding that its data protection regime offers equivalent protection), the contract will contain the EU-approved Standard Contractual Clauses (SCCs) or another recognised legal safeguard to ensure the transfer is lawful. ARU adds clauses to the SCCs to improve GDPR compliance, because the version of the clauses in use was approved by the EU before the GDPR came into force.
Where a supplier relationship involves the processing of ARU personal data, the procurement process will involve the Data Protection Officer reviewing either an ARU contract/ agreement template or a draft contract/ agreement provided by the Supplier.
This process can be initiated by the purchasing Faculty or Service engaging with a supplier using one of the standard templates, once Procurement has confirmed that the engagement is appropriate.
Where a Procurement goes through a Tender process, the DPO will work with the Procurement Team to establish what questions on Data Protection compliance will form part of the evaluation. Typically this will be determined by the sensitivity of the data that the winning applicant will be processing, however additional questions may be asked depending on the specific nature of the processing as determined by the DPO. Standard low and high risk tender questions are here.
The DPO’s involvement will also include a decision on whether the proposed activity requires a Data Protection Impact Assessment (DPIA).
Where the service involves purchasing an IT product that will store or host personal data, the IT Services project management process requires the initiator, at Project Initiation Document (PID) stage, to engage with the DPO and obtain either an approved DPIA or confirmation that one is not required.
ARU uses the following clause and contract/ agreement templates:
On occasion ARU may need to engage individuals to deliver services that require them to have access to ARU personal data. Where the individual is not employed by a partner or supplier (a ‘legal entity’ with which we could hold a contract), we need to establish some control over how they handle our data.
Examples of this type of activity might be students engaged through the Employment Bureau, volunteers, an independent researcher, a consultant or advisor (particularly if engaged urgently ahead of a formal contract being in place).
In such circumstances a Non-Disclosure Agreement allows us to evidence that we have made clear our expectations over an individual’s processing of our data and highlighted basic do’s and don’ts. For this to be effective:
For some initiatives ARU will work in partnership with other universities or organisations rather than having another party work for us. Where two or more parties jointly determine the purposes and means of processing for an activity, and therefore each act as a Data Controller for the same data, the parties are ‘Joint Controllers’. A common example is where ARU partners with other institutions or organisations on research projects in which all parties contribute as equal partners and jointly publish findings. Article 26 of the GDPR covers these arrangements and requires the following to be in place:
ARU manages these requirements through developing a Data Sharing Agreement which is approved by all parties who jointly act as Data Controllers.
Where ARU processes personal data on behalf of another organisation, we act as a Data Processor. An example might be where a particular specialism or expertise in ARU is used by another research institution to help deliver its research project, or where we undertake a commercial activity in which an organisation pays us for our services (e.g. tissue sample testing).
In such cases we must give all of the Article 28 commitments to the Data Controller we are working for, and it is important that we understand and comply with the commitments we are making, as we are liable for any breach of them. This may have serious financial and reputational implications for us.