A ‘Data Processor’ is a Party who processes personal data on behalf of ARU. Typically this is where we engage a company to deliver a service for us and we need to either provide them with personal data which we already hold and for which we are legally responsible or request that they collect it on our behalf.
Essentially the Data Protection Act states that under these arrangements ARU is always legally accountable for the data processing done by others on our behalf, meaning a breach of the Act made by a Processor working on our behalf is our responsibility and makes us liable for any fine imposed by the regulator. This is the case unless ARU can demonstrate to the regulator that the Processor has acted outside of our instructions to them. That’s why it is so important to ensure the relationship we have with suppliers is covered by appropriate agreements which evidence our instructions to them and their commitments to us.
Examples of Data Processors:
Article 28 of the General Data Protection Regulation (2016) sets out what we are required to have in place when we allow a Processor to process ARU’s personal data. In brief, these are the requirements:
In addition to this basic legal requirement, ARU seeks to refine the contract demands to ensure that:
On occasion ARU may need to engage with individuals to deliver services that require them having access to ARU personal data. Where the individual is not employed by a partner or supplier, a ‘legal entity’ who we could have a contract with, then we need establish some control over their behaviours with our data.
Examples of this type of activity might be volunteers, an independent researcher, a consultant or advisor (particularly if engaged urgently ahead of a formal contract being in place).
In such circumstances a Non-Disclosure Agreement allows us to evidence that we have made clear our expectations over an individual’s processing of our data and highlighted basic do’s and don’ts. For this to be effective:
Where we direct students or staff to use third party applications or websites (tools) we should understand our obligations in ensuring such tools appropriately comply with personal data legislation.
The extent to which such checks are made depends on the circumstances of our proposed use. If use of the tool is a core part of relationship with student or staff member, i.e. they must use it and there is no alternative, then there should be an appropriate agreement in place between ARU and the tool supplier. This is always the case where the supplier relationship involves ARU providing the supplier with student and staff data (e.g. to set up accounts and manage access). The supplier will need to make statutory commitments to us about their processing of Personal Data and we have a legal duty to ensure this is in place.
Where we are only ‘sign-posting’ users to a tool which we are recommending as an optional resource and which doesn’t require ARU to have a contractual relationship with the provider (e.g. we’re not purchasing licenses/ paying for use and not sharing personal data with the supplier), the user is free is determine whether they wish to use the tool or not.
Users should be made aware that use of the tool is not mandatory and that whilst ARU makes basic checks over the appropriateness of the tool, Users are encouraged to ensure they are comfortable with a provider’s use of their personal data.
Therefore, when considering sign-posting Users to tools, the following should be considered as a basic Privacy ‘health-check’, and the majority of the following points should be addressed in the Supplier’s ‘Privacy’ content on their websites. Take care to ensure that the ‘Privacy’ content you review relates specifically to the tool rather than just to basic use of the supplier’s website.
Suppliers should also state whether data is ‘accessed’ from another country, e.g. it may be stored in the UK, but they may have support in the US who remotely access data. Both ‘access’ and ‘storage’ count as ‘processing’, and processing outside the UK needs to offer the same protections as under UK law.
What Privacy rights are available?
Is there a commitment to allow Users to contact the Supplier and be able to have a copy of their personal data held by them, amend their data, stop using it, or delete it?
Are the use purposes clear?
Do they make clear that personal data will only be used for the purpose of delivering the tool’s core service? If there are other uses made of data, is the user given choices to prevent this?
Is there Third-party use of data?
Is there any suggestion that data may be used for other purposes without the User being able to prevent this, or any sharing with third parties? Use where the supplier states the data is anonymised is not personal data and therefore Data Protection law doesn’t apply.
Where will Personal Data reside or be accessed from?
If personal data provided through the tool is stored in the UK, then we can be assured that it is governed by UK law or equivalent law. If it is stored in other countries (list here) whose law is ‘trusted’ by the UK then this is acceptable also. If not then they should state a legal basis explaining how they safeguard privacy rights – typically we are looking for compliance with the Standard Contractual Clauses, sometimes known as the EU Model Clauses. This is particularly relevant for storage in the United States.