Data protection and third-party suppliers

There are many situations where the University might engage a third party to carry out activities on its behalf, for example to provide specialist expertise or a software platform.

Data processors and data controllers 

Where the third party will be collecting or storing the personal data of our staff, students, or customers on our behalf, it is acting as a ‘data processor.’ The University is the ‘data controller’ and determines how the data is used; the supplier, as ‘data processor,’ carries out our instructions. If the data processor in turn uses its own processors, such as a hosting provider, these are called ‘subprocessors.’

Under data protection law both ‘controllers’ and ‘processors’ have obligations. If a processor suffers a data breach, the University could be liable for substantial monetary penalties.

Contract with the supplier

Whenever the University, as ‘controller,’ uses a processor it needs to ensure that a formal written contract is in place with the supplier. The contract needs to cover a range of standard provisions stating that the processor must:

  • process data only on instructions from the University
  • ensure that their staff accessing the data are under an obligation of confidentiality
  • have appropriate security measures in place
  • assist the University with any data protection impact assessments relating to the system
  • only appoint their own third parties (“subprocessors”) with the University’s authorisation, and only where those subprocessors will process the data at the same level of protection as the processor itself
  • demonstrate their compliance to the controller
  • take appropriate measures to help the controller respond to requests from individuals to exercise their rights
  • assist the controller in meeting its UK GDPR obligations in relation to the security of processing and the notification of data breaches
  • delete or return all personal data to the controller at the end of the contract, and also delete existing personal data unless the law requires its storage
  • submit to audits and inspections, providing the controller with whatever information it needs to ensure that both parties are meeting their Article 28 obligations

You can assess whether a supplier contract covers these provisions using the contract checker document (.docx).

Contact us
Information Assurance Manager
Telephone: 01206 872285