It is essential that the role of the University in any data processing arrangement is understood by those responsible for the selection, placement, management and termination of a contract. The University might perform the role of Data Controller or Data Processor depending on factors, such as how much control it has over the data processing and how it obtained the data. In simple terms a Data Controller owns the data and determines how it should be processed, whereas a Data Processor only acts on the instructions of a Data Controller. If a Data Processor determines the purpose and means of processing then it will be considered to be a Data Controller and will have the same liability. By way of example:
- The University processes personal data about students who have enrolled on its programmes - University is a Data Controller
- The University engages a third party to provide a cloud-based solution that will contain employee or student data but which the third party will not use themselves - University is a Data Controller; Third party is a Data Processor
- The University is engaged by an external body to conduct analysis of a dataset that the external body provides - University is a Data Processor; External body is a Data Controller.
The GDPR enhances the obligations and direct responsibilities of a Data Processor over those that were in place under the Data Protection Act.
- Key Points
- Differences Between Data Controllers and Data Processors
- The University as a Data Controller
- The University as a Data Processor
- Data Protection in Procurement
- Further Information
- The GDPR makes written contracts between Data Controllers and Data Processors a general requirement, rather than treating them as a general security and compliance control. Written contracts can be in electronic form.
- Contracts set out responsibilities and liabilities of both parties.
- Contracts must include specific terms in relation to data protection, which are designed to ensure that any processing carried out by the Data Processor on behalf of the Data Controller meets all the requirements of the GDPR.
- Data Processors must only process personal data on and in accordance with the written instructions of the Data Controller.
- Sub-processors can be engaged by a Data Processor, but the initial Data Processor remains liable to the Data Controller for the performance and compliance of such sub-processors.
- If a Data Processor determines the purposes and means of processing, they shall be considered a Data Controller with respect to that processing.
- The European Commission may develop standard contractual clauses for implementation between Data Controllers and Data Processors, but has not done so in advance of the GDPR applicability date.
- A certification scheme for organisations to demonstrate compliance with GDPR has not yet been developed. Existence of such a scheme would greatly help supplier selection. Until such a scheme exists the University will need to make its own assessment of potential suppliers and manage the performance of existing suppliers. The University must only appoint Data Processors who can provide ‘sufficient guarantees’ to implement appropriate technical and organisational measures to meet the requirements of the GDPR and to protect the rights of the data subjects.
- Notwithstanding any contractual agreements, the ICO can hold Data Processors directly responsible for non-compliance with the GDPR and impose sanctions (including warnings, fines and even a ban on data processing.
Differences Between Data Controllers and Data Processors
As per the Glossary the recognised definitions of the two roles are:
- Data Controller - The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where two or more controllers jointly determine the purposes and means of processing, they shall be Joint Data Controllers
- Data Processor - A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Decisions that would be made by a Data Controller include:
- Collecting the personal data in the first place and the legal basis for doing so
- Which items of personal data to collect, i.e. the content of the data
- The purpose or purposes the data are to be used for
- Which individuals to collect data about
- Whether to disclose the data, and if so, who to
- Whether subject access and other individuals’ rights apply i.e. the application of exemptions
- How long to retain the data or whether to make non-routine amendments to the data.
A Data Processor is bound by the agreement with the Data Controller in assisting them to fulfil their obligations under the GDPR. The above details may be very prescriptive in how the Data Processor carries out the above, but may have some flexibility in determining how to deliver their obligations, for example using its technical and specialist knowledge. The Data Processor may therefore decide, for example:
- What IT systems or other methods to use to collect personal data;
- How to store the personal data;
- The detail of the security surrounding the personal data;
- The means used to transfer the personal data from one organisation to another;
- The means used to retrieve personal data about certain individuals;
- The method for ensuring a retention schedule is adhered to; and
- The means used to delete or dispose of the data.
University contracts will be prepared by the Legal Services Team, on receipt of instruction from the budget holder / Information Asset Owner, to meet the GDPR requirements. Data protection may be covered within the body of the contract or, preferably, be addressed within an appropriate addendum, such as a Data Sharing Agreement or Data Processing Agreement.
Only in exceptional circumstances should a contract or Data Processing Agreement provided by a supplier be used.
Contracts (including Data Sharing Agreements and Data Processing Agreements) are not required for sharing data with colleagues or other departments within the University. You should still consider the risks associated with sharing data with others within the organisation and the privacy rights of the individuals concerned.
Contracts must set out the:
- Subject matter and duration of the processing
- Nature and purpose of the processing
- Type of personal data and categories of data subject
- Obligations and rights of the Data Controller.
Contracts must also include as a minimum the following terms, requiring the Data Processor to:
- Act only on the written instructions of the Data Controller.
- Ensure that people processing the data are subject to a duty of confidence
- Take appropriate measures to ensure the security of processing
- Only engage sub-processors with the prior consent of the controller and under a written contract
- Assist the Data Controller in providing subject access and allowing data subjects to exercise their rights under the GDPR
- Assist the Data Controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments
- Delete or return all personal data to the Data Controller as requested at the end of the contract
- Submit to audits and inspections, and provide the Data Controller with whatever information it needs to ensure that they are both meeting their Article 28 (Processor) obligations
- Tell the Data Controller immediately if it is asked to do something infringing the GDPR or other data protection law of the EU or a Member State.
In the exceptional circumstances where a Data Processing Agreement has been provided by a Data Processor, ideally we should refuse and use an Agreement prepared by the University. If we do use the provided Agreement, perhaps for expediency, the Information Asset Owner shall confirm that the above requirements are included in the Agreement.
Boilerplate templates for Data Sharing Agreements and Data Processing Agreements are being created for University use that embed the above requirements. Once completed these will need to be returned to Legal Services. Until these are available, please submit your request to Legal Services and they will coordinate an appropriate response.
The University as a Data Controller
When the University owns the data and determines the purposes and means of processing, it is a Data Controller. The Data Controller is responsible for implementing appropriate technical and organisational measures to manage data processing risks, including probability and impact assessment which includes the rights and freedoms of data subjects.
As a Data Controller the University may wish to use another organisation to process personal data on its behalf – that organisation would be a Data Processor. The agreement between the two parties should be subject to a contract. A Data Processing Agreement would be used in this case, where the clauses are not directly embedded within the contract conditions.
The University remains ultimately responsible for the data processing. Engagement of a Data Processor does not remove the obligation to carry out this risk assessment or absolve the University of its liabilities. Therefore, the University is subject to any penalties or sanctions that can be imposed for a failure to comply with the GDPR. This can include:
- Improvement notices to bring processing into compliance
- Administrative fines, of up to 2% of turnover / €10m for infringements of obligations relating to Data Controllers or Data Processors, or 4% of turnover / €20m for infringements of the basic principles or data subjects’ rights.
- Restriction of data processing, or a temporary or permanent ban on data processing
When setting up a contract or Data Processing Agreement, you need to understand and give good regard to the requirements described in Contracts above. You must be clear from the outset what it is that you are contracting for and what the extent of processing is.
The standard terms then describe responsibilities and liabilities such that:
- Written instructions – the University as the Data Controller tells the Data Processor what they are required to do before they do it
- Duty of confidence – the Data Processor’s employees and temporary or agency staff are bound by a commitment to confidentiality, such as a contractual obligation or non-disclosure agreement
- Security of processing – The Data Processor must take appropriate measures to protect the security of the data, having taken account of the risks. It is clear that risk should consider the impact on the data subject, e.g. in the event of a data breach. The University should have its own risk assessment and should be able to share relevant information with the Data Processor
- Sub-processors – must not be engaged without the prior consent of the University and must then be under a written contract that fulfils the same obligations under the GDPR regarding Data Processors. The original Data Processor will remain liable to the University for the performance of the sub-processor(s) they engage. The University must be informed in writing of any proposed changes to or replacement of those sub-processors. Where sub-processors are in place at the outset of the contract, these must be identified and the sub-processor must be able to confirm that appropriate contracts are in place with those sub-processors
- Individual rights – the Data Processor must support the University in allowing data subjects to exercise their rights under the GDPR, such as supporting subject access requests and requests for rectification or erasure of personal data. The Data Processor will be handling the data on a day-to-day basis so it is important that the processes and touchpoints are understood, even if these are not captured within the contract. Note that the first term ‘Written Instructions’, above, supporting documentation could be provided that addresses these processes and interactions. A Service Level Agreement, within or supporting the contract, may need to be set up to ensure that statutory timelines for fulfilment of requests are met.
- Assist the Data Controller – the Data Processor must help the University to meet its GDPR obligations to keep personal data secure, to notify data subjects and the ICO in the event of a data breach and in carrying out relevant data protection impact assessments
- End of contract – the University shall determine what happens to the data at the end of the contract and stipulate this to the Data Processor. Electronic files may be stored in backup solutions and these need to be considered, particularly with regard to the time taken for normal processes to remove the data from backups.
- Audits and inspections – the Data Controller may be required to demonstrate compliance with their GDPR obligations as a Data Processor. This may be by an audit carried out by or on behalf of the University, or through provision of other information. They should maintain their own records of data processing (like an Information Asset Register) and be able to support this with, for example, evidence of performance, internal/external audits, penetration testing, incident and breach investigations
- Infringements – The Data Processor must inform the Data Controller immediately if it is asked to do something infringing the GDPR or other relevant data protection law.
The University can be a Joint Data Controller with another organisation where both parties jointly determine the purposes and means of processing. In this situation a Data Sharing Agreement shall be used.
The University as a Data Processor
Where the University processes data on the instructions of another organisation it is a Data Processor. The other organisation should ensure it has its own Data Processing Agreement in place with the University.
The University may, subject to prior written authorisation from the Data Controller, contract a sub-processor. This arrangement with a sub-processor must also be covered by a contract with equivalent conditions. In this case the University will, as the original processor, remain directly liable to the controller for the performance of the sub-processor’s obligations. Any intended change to that sub-processor regarding addition to or replacement by other sub-processors must be notified in writing to the Data Controller to allow them the opportunity to object. This should also apply in the event of any notified or intended sale/takeover of the supplier organisation.
As a Data Processor the University shall implement technical and organisational measures to ensure the security of the data appropriate to the risks, including:
- Pseudonymisation and/or encryption of data
- Confidentiality, integrity, availability and resilience (business continuity) controls
- Disaster recovery and backup controls and processes
- Testing, assessing and evaluating the effectiveness of controls.
The University must ensure that its staff only process the data in accordance with the instructions of the Data Controller, i.e. as per the Data Processing Agreement.
In the event of a data breach the University must inform the Data Controller as soon as it becomes aware. This may require some internal work to identify the nature and scale of the breach prior to informing the Data Controller. Follow the University’s process to Report a Data Breach in the first instance. Breach reporting to the ICO has a limited time for compliance and is subject to penalties for non-compliance. The ICO can directly penalise a Data Processor and a Data Processor may also be liable to pay compensation to data subjects.
The University must co-operate fully, on request, with the ICO in the performance of its tasks.
Data Protection in Procurement
Procurement are working with a range of key stakeholders, including Information Governance, Legal and CIS to improve supply chain processes and embed data protection and security requirements in the procurement phase and key documentation. It is important that University users engage with Procurement at the earliest opportunity to ensure that all relevant considerations are made during a selection and procurement exercise. Where a full supplier selection and tender process is pursued, key data protection and security questions are built into the process. When the selection has been narrowed down, a further questionnaire is sent which will not form part of the scoring but will allow the team to better evaluate the risks and controls associated with, or implemented by, the supplier. The questionnaires used are:
- Data Protection and Information Security Supplier Questionnaire (Tender Questions 1 of 2) - These are embedded in Acquire and form part of the tender documentation. The supplier will be assessed against these as part of the selection process. Most of these questions are checkbox/multiple choice type responses.
- Data Protection and Information Security Supplier Questionnaire (Tender Questions 2 of 2) - This questionnaire will be sent further in the process to help understand the nature and extent of controls in place. These questions are more technical in nature and responses are generally expected to be more explanatory.
Where a full selection and tender process is not pursued, a questionnaire is required to be completed by the supplier in order to understand the nature of the data processing and the controls in place. This ensures that all the questions used in the full tender process are covered in one questionnaire. If you are not conducting a selection/tender process, download the file for completion by your supplier:
The ICO has more detailed information about Contracts between Data Controllers and Data Processors in line with the GDPR requirements, and about Outsourcing, written around the Data Protection Act 1998.