Data protection and third-party suppliers

There are many situations where the University might engage a third party to carry out activities on its behalf, for example to provide specialist expertise or a software platform.

Where suppliers will be collecting or storing the personal data of our staff, students, or customers on our behalf, they are acting as ‘data processors.’ The University is the ‘data controller’ and determines how the data is used; the supplier or ‘data processor’ carries out our instructions. If the data processor uses its own processors, such as a hosting provider, these are called ‘subprocessors.’

Both ‘controllers’ and ‘processors’ have obligations under data protection law. If a processor suffers a data breach, the University could be liable for substantial monetary penalties.

The University as ‘controller’ needs to ensure there is a formal contract in place with the supplier covering a range of standard provisions. The contract should state that the supplier:

  • processes data only on instructions from the University
  • ensures that its staff accessing the data are under an obligation of confidentiality
  • has security measures in place
  • assists with any data protection impact assessments for the University in relation to the system
  • only appoints its own third parties (“subprocessors”) on the University’s authorisation, and that those subprocessors will process data at the same level of protection as the supplier
  • can demonstrate its compliance to the controller

You can assess this in the contract checker document (.docx).

Contact us
Information Assurance Manager
Telephone: 01206 872285