There are many situations where the University might engage a third party to carry out activities on its behalf, for example to provide specialist expertise or a software platform.
Where a third party will be collecting or storing the personal data of our staff, students, or customers on our behalf, it is acting as a ‘data processor.’ The University is the ‘data controller’ and determines how the data is used; the supplier or ‘data processor’ carries out our instructions. If the data processor uses its own processors, such as a hosting provider, these are called ‘subprocessors.’
Both ‘controllers’ and ‘processors’ have obligations under data protection law. If a processor suffers a data breach, the University could be liable for substantial monetary penalties.
The University as ‘controller’ needs to ensure there is a formal contract in place with the supplier covering a range of standard provisions, under which the supplier:
processes data only on instructions from the University
ensures that its staff accessing the data are under an obligation of confidentiality
has security measures in place
assists with any data protection impact assessments for the University in relation to the system
appoints its own third parties (“subprocessors”) only on the University’s authorisation, and only where they will process data at the same level of protection as the supplier
can demonstrate its compliance to the controller