Working with Third Parties | Student Hub | City, University of London

Page of contents -

Summary

Data Protection (DP) law requires certain standards and obligations to be met when third parties - such as data processors – process personal data and/or special categories of personal data on City’s behalf.

When working with third parties, you should ensure that they have implemented appropriate technical and organisational measures which meet City Information Security requirements, and which ensure the protection of the rights of data subjects. DP law should not, however, be viewed as a barrier to sharing - you should give equal weight to the consequences of not sharing the data.

Designation of each party

There are three situations in which you might be sharing data with third parties

Using a third party to process City personal data on behalf of City (a data processor);
Working with an organisation that independently decides the purposes of processing shared personal data (an independent or separate data controller);
Working with a joint controller, who has a common objective with City regarding the processing (a joint controller or controllers in common).

More information about the designation of parties is available on the Information Commissioner’s Office (ICO) website.

Please note that it is very important to get the designation right, as it will dictate what type of data sharing agreement we put in place with them. Please also note that a third party may be a combination of the designations listed above

Using a third party to process data on behalf of City (data processors)

Be aware that City has a higher-level of responsibility under DP law for the data processor’s actions;
We must have a written agreement in place with the data processor, outlining our respective DP obligations (per Article 28 of the GDPR);
Ensure that the data processor has appropriate organisational and technical security measures in place to protect the personal data;

When sharing data with any third party (whether they are a data processor, separate controller or joint controller)

Identify the roles of each party;
Consider and document the lawful basis for sharing including any conditions for processing special category data;
Consider undertaking a Data Privacy Impact Assessment (‘DPIA’) (login required);
Put in place a written contract between City and the third party (in the form of a Data Sharing Agreement);
Ensure that the written contract outlines the responsibilities for compliance with data protection laws, including responsibility for putting appropriate security measures in place to protect personal data and ensuring that data subjects know how their data is being processed;
Consult with the Information Assurance Team via email at dataprotection@city.ac.uk or feel free to attend one of our Data Protection Drop-in Clinics, which are every second Wednesday from 11am to 1pm in S202 (Abacus House).

Contracting with a third party to process City personal data (Data Processors)

When a third-party processes personal data, City is usually the ‘data controller’ and instructs the third party (e.g. a supplier), to process personal data on its behalf. City may still be legally responsible for how that personal data is processed, if it determines the manner and the purpose of the processing of such personal data in its capacity as data controller.

Contracts or data processing agreements with processors must set out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of City as data controller.

In more detail, contracts with data processors must stipulate that the data processor:

Only collects personal data from individuals necessary and relevant for City purposes, in accordance with City’s written instructions;
Provides City with prior-approved privacy notices on how personal data is processed and does not further process personal data for its own independent purposes;
Only collects personal data from individuals which is necessary and relevant for City purposes, in accordance with City’s written instructions;
Complies with City Information Security requirements on technical measures to keep City personal data secure;
Assist us by using appropriate technical and organisational measures, insofar as this is possible for the fulfilment of our obligation to respond to requests for exercising data subject’s rights;
Provides necessary security protections and any such additional fair processing requirements, when processing special categories of personal data;
Complies with relevant industry codes of practice, the ICO guidance notes, European Data Protection Board (formerly Article 29 Working Party) guidance and additional relevant regulatory guidance;
Ensures that persons authorised authorised to process City personal data are subject to appropriate confidentiality obligations;
Will not engage another processor (e.g. a sub-contractor) without City’s prior permission, and where such another processor is engaged, it must be subject to obligations equal to the obligations imposed on the original processor, and the original processor must remain fully liable to us for performance of its DP obligations under the main contract;
At City’s discretion, deletes or returns personal data at the end of the service provision (unless required by law to store personal data);
Makes available to us all information necessary to demonstrate its compliance with its DP obligations to contract with us;
May not send personal data outside of the EEA without prior written approval from City and that appropriate international data transfer compliance mechanisms are in place;
The processor must notify City of any data breaches in relation to City personal data within 24 hours, or at the very least without undue delay;
The processor must submit to audits and inspections. The processor must also give the controller whatever information it needs to ensure they are both meeting their Article 28 obligations.

Situations which may involve personal data sharing

A reciprocal or one-way exchange of data;
An organisation providing another with access to personal data on its IT systems;
One or more organisations providing data to a third party or parties;
Several organisations pooling information and making it available to each other;
Several organisations pooling information and making it available to a third party or parties;
Data sharing on a routine, systemic basis for an established purpose;
One-off or ad hoc data sharing, including in urgent or emergency situations.

Where the data shared does not include personal data, there is no need to comply with the Data Protection legislation regime.

The Data Protection legislation and arrangements between controllers—whether independent or joint

DP law distinguishes between ‘controllers’ (usually, in the private sector, a natural or legal person or body which (either alone or jointly with others) determines the purposes and means of processing personal data) and ‘processors’ (in summary, any person or body (other than an employee of the controller) who processes the personal data on behalf of the controller). As such, there is a distinction between sharing personal data between:

Controllers, and
A controller and a processor—as noted above.

Under the DP legislation, there are no specific mandatory arrangements which must be put in place where personal data is shared by one controller to another controller unless they are ‘joint controllers’ as defined in Article 26 of the GDPR. However, compliance with the DP legislation and prudent risk management for each controller is likely to result in each controller considering putting in place appropriate contractual arrangements even if it is sharing (or receiving) personal data as an independent controller.

Data Sharing Agreements (independent and joint controllers)

The Draft Data Sharing Code states that a data sharing agreement between the parties sharing and receiving data can form a major part of compliance with the accountability principle of the GDPR.

While data sharing agreements may be drafted as stand-alone contracts (sometimes also called information sharing agreements, data or information protocols, or personal information sharing agreements), it is also common to see data sharing provisions to address such matters incorporated into a broader commercial agreement. See for example, the data protection provisions in the Cabinet Office’s Model Services Contract. This Practice Note uses the term data sharing agreement to refer to all such provisions regardless of whether they form a separate contract.

Although contractually binding data sharing agreements are not required by the DP legislation, the ICO’s Draft Data Sharing Code states it is good practice to have one in place for all types of data sharing between controllers (i.e. regardless of whether the parties are independent or joint controllers).

Helps all the parties to be clear about their respective roles;
Sets out the purpose of the data sharing;
Covers what is to happen to the data at each stage;
Sets standards;
Helps justify the data sharing and to demonstrate that the parties have been mindful of, and have documented, the relevant compliance issues (i.e. to demonstrate accountability).

In addition, a data sharing agreement may allow for financial and other remedies in the event the arrangement is not complied with by the other party, and as such may incentivise the other party to comply with the arrangements and allow an ‘innocent’ controller to recover losses it suffers as a result of the breach.

Each controller should therefore seek to put in place clear, robust and enforceable written contractual provisions (before any processing) to govern the processing of personal data. The appropriate content of data protection provisions in an agreement will depend on the circumstances, including the size of the deal and nature of the processing.

Data sharing agreements can become quite complicated, so, in many cases, it might be sensible to include them in a schedule rather than seeking to draft them as clauses within the main body of a broader commercial agreement.

Drafting and adhering to a data sharing agreement does not in itself provide any form of legal protection from action under the Data Protection legislation regime. However, the ICO has stated it will take this into account if it receives a complaint about any data sharing.

What a data sharing agreement should contain

According to the Draft Data Sharing Code, a data sharing agreement should address the following (among other things as appropriate in the circumstances):

Topic	Detailed requirements
The purpose of the data sharing initiative	The agreement should document the following in precise terms so that all parties are absolutely clear about the purposes for which they may share or use the personal data: —why the data sharing initiative is necessary —the specific aims of the data sharing —the benefits the parties hope to bring to individuals or to society more widely by sharing the personal data
The organisations involved in the data sharing	The agreement should clearly identify all the organisations that will be involved in the data sharing and should include: —contact details for their Data Protection Officer (DPO) and other key members of staff —procedures for including additional organisations in the data sharing arrangement —procedures for dealing with cases where an organisation needs to be excluded from the sharing
Where the parties are joint controllers, the mandatory arrangements which must be addressed under Article 26 of the GDPR	Although this is not expressly stated in the Draft Data Sharing Code, it seems implicit from the ICO’s general approach to data sharing agreements.
The personal data to be shared	The agreement should explain the types of personal data that will be shared. This may need to be quite detailed, because in some cases it will be appropriate to share only certain details held in a file about an individual, omitting other, more sensitive, material.
The lawful basis for sharing	The agreement must clearly explain the lawful basis for sharing data. If the lawful basis for disclosure is consent, the data sharing agreement should also address issues surrounding the withholding or retraction of consent and may provide a model consent form.
Special categories of personal data or criminal offence data	The relevant (additional) lawful basis for processing must be documented.
Procedures for compliance with individual rights	These include (among others) the right of access to information as well as the right to object and requests for rectification and erasure. The agreement should: —explain what to do when an organisation receives a request for access to shared personal data or other information —ensure that one staff member (generally a DPO) or organisation takes overall responsibility for ensuring that the individual can gain access to all the shared data easily —in the case of joint controllers, state which controller is responsible for responding to individuals who exercise their data subject rights (although individuals may choose to contact any controller) The agreement must make it clear that all controllers remain responsible for compliance (even if there are processes setting out who should carry out particular tasks). It is also good practice to provide a single point of contact for data subjects, which allows them to exercise their rights over the data that has been shared without making multiple requests to several organisations (although individuals may still choose to contact any controller).

The contractual documentation should also:

Address any other matters necessary to ensure the sharing arrangement is designed for compliance with the Data Protection legislation;
Address international personal data transfers;
Reflect whether personal data will be shared with other organisations (e.g. subsidiaries);
Require that each controller will provide reasonable co-operation to assist the other in Data Protection compliance.

Under the transparency requirements of the GDPR, joint controllers must make the essence of the agreement available to individual data subjects and the ICO recommends this is done within privacy information given to data subjects.

Steps controllers should take to comply with the Data Protection legislation when sharing or receiving personal data

Personal data should only be shared if it is necessary to do so. The controller should take the following steps when sharing or receiving personal data as appropriate to the circumstances:

Confirm the purpose of the data sharing and when it should occur

Each controller must always document a clear objective or set of objectives and that it would be good practice to document this in a data sharing agreement. Establishing this will help the parties decide what data needs to be shared and with whom and to comply with their obligations under the DP legislation.

The circumstances in which personal data should be shared should also be documented and detailed (eg whether the sharing should be an ongoing, routine process or whether it should only take place in response to particular events).

Confirm which laws apply to the data sharing

Confirm what data being shared needs to be treated as personal data subject to the DP legislation regime and consider applicable national derogations under UK law (or the laws of other EU Member States) which may impact how the regime applies. Seek appropriate local law advice as appropriate.

Confirm the roles in which the parties will be sharing the personal data

Knowing whether the parties are joint controllers or independent controllers and if either of them may be a processor (or sub-processor) for any of the data processing activities is vital to understanding the obligations of the parties under the DP legislation regime.

Each party should also consider whether the other parties to the data sharing arrangement are the most appropriate.

Ensure the controller complies with Data Protection laws

The controller should ensure its own processing of personal data and internal processes comply with the requirements of DP law. Ensuring the controller complies with applicable laws will reduce the risk of an incident that might lead to investigations by supervisory authorities and/or potentially require the controller to pay additional costs (or compensation) to the other controller or third parties.

Carry out due diligence and assess the risks of the proposed arrangements

To comply with the accountability principle of the GDPR (and as a prudent risk management approach), each controller should conduct appropriate due diligence before entering into any data sharing and to assess the risks of the proposed arrangement.

Controllers disclosing personal data should consider investigating (as appropriate):

The source, data collection methods, accuracy and currency of the data it is considering sharing;
Whether it has a lawful basis to share the data;
Whether the data sharing will comply with data protection and other laws;
The recipient organisation;
Whether the recipient understands the nature and sensitivity of the personal data;
Whether appropriate technical and organisational security measures are in place;
The recipient’s privacy notices;
The adequacy of the recipient’s other policies and procedures;
The extent to which its processes, procedures and IT, protective marking or other systems are compatible with those of the recipient (e.g. whether the parties are aligned on the way dates will be recorded).

The transfer of personal data (including databases and lists of individuals) whether or not for money or other return is a form of data sharing and the recipient is responsible for satisfying itself concerning the integrity of the data supplied. This means that organisations have responsibilities for personal data provided to them by third parties such as data brokers, marketing agencies, credit reference agencies and clubs and societies.

Consider a full Data Protection Impact Assessment (‘DPIA’)

The controller should consider whether a formal DPIA of the proposed data sharing is required under the DP legislation. The ICO recommends considering undertaking a DPIA even if that is not strictly required and it is good practice to do a DPIA for any major project that involves the disclosure of personal data or any routine data sharing.

Ensure the sharing arrangement is designed for compliance with the DP legislation

Ensure the envisaged processing, and the basis on which it will take place, complies with the DP legislation. For example:

Example of principles / requirements under the GDPR	Example of action to take (where applicable to the party)
Principle: Lawfulness, fairness and transparency	Processing of personal data must be transparent, lawful and fair; processing that fails to meet any one of those criteria will be unlawful. Transparency Ensure that data subjects have been provided with all required information regarding the processing of their personal data (eg via a privacy notice) Each party must ensure appropriate mechanisms have been put in place to comply with transparency obligations. It is good practice to also take any opportunity to provide individuals with information about the data sharing when answering specific queries or complaints. Article 26 of the GDPR requires that ‘joint controllers’ must: —in a transparent manner determine their respective responsibilities for compliance with the obligations under the GDPR, in particular their respective duties to provide the transparency information required by Articles 13 and 14 of the GDPR —make the essence of the data protection arrangement between the joint controllers available to the data subject (the parties should agree how this will be done (eg via a privacy notice)) Even where the parties are not joint controllers, it would be prudent for the parties to agree which party will undertake transparency obligations. For example, the parties may agree that each party is responsible for its own fair processing information, or that one party will be responsible for the provision of information to data subjects related to fair processing. If the parties to the data sharing arrangement are undertaking ongoing routine or systematic sharing, then consider agreeing a standard privacy notice / consent form which sets out appropriate fair processing information to allow each party to use the personal data as intended. Fairness —each data subject must be treated fairly and each controller must not use the data in ways that would have unjustified adverse effects on any data subject —where controllers share personal data they must ensure it is reasonable and proportionate in all cases —controllers must ensure that the sharing happens in a way that each data subject would not find unexpected or objectionable, unless there is a good reason; the origin of the data may be a key concern (eg if someone was misled when the data was received it is unlikely to be fair to process it) Lawful processing Ensure that: —there are lawful grounds for processing all the personal data in the manner intended —the arrangements take into account whether the processing relates to any special categories of personal data (or any other personal data subject to particular rules under the GDPR such as criminal offence data) —the arrangements are not in breach of any other law (eg any restrictions on data sharing arising from the organisation’s constitution, any duty of confidence, or any sector specific regulation) Examples of the parties’ concerns The disclosing controller will want to ensure that the receiving controller only processes the personal data for specified and agreed purposes to ensure that: (a) the data sharing is based on a lawful ground (eg legitimate interests); (b) the receiving party does not use the personal data in a way that places the disclosing controller in breach of the GDPR (eg disclosure based on the legitimate interests balancing test may be undermined if the receiving controller uses the data for wider purposes than those anticipated); and (c) the disclosing controller’s privacy notice is not non-compliant with the GDPR as a result of the receiving controller using the data for another purpose. The receiving controller will usually want assurance that it can receive and process the personal data as it intends without breaching the requirements of this principle of the GDPR or associated transparency obligations under Article 14 (information to be provided where personal data has not been obtained from the data subject) of the GDPR. For example: —the receiving party will want to know that personal data it receives has been collected in a compliant manner —if the receiving party is processing based on informed consents obtained by and / or privacy notices given by the disclosing controller, it will want to ensure that such notices and consents are sufficient and valid under the GDPR
Principle: Purpose limitation	Ensure the sharing and any processing the recipient will undertake is consistent with the purposes for which the personal data was collected. Note that Article 13(3) of the GDPR requires a controller to notify the data subjects before any further processing for a purpose other than that for which the personal data was originally collected.
Principle: Data minimisation	Ensure the other controller is only provided with the minimum personal data necessary to achieve the agreed purpose. If the objective could reasonably be achieved in a less intrusive way the personal data should not be shared. Consider if it is possible to strip out unnecessary personal data and still achieve the purposes, eg by anonymising the personal data, in which case the data may not be personal data at all and therefore fall outside the scope of the GDPR.
Principle: Accuracy	Ensure the shared data is accurate and up to date. Organisations should consider putting in place mechanisms: —to ensure personal data is accurate before it is shared, especially given the difficulties which can be encountered in correcting information once it has been shared —procedures for amending the personal data if required once shared The receiving controller may seek a contractual obligation from the disclosing controller that, as the personal data is updated, such changes are notified to it to enable it to satisfy the obligation to ensure data is accurate. Especially where personal data is being pooled or shared systematically back and forth between controllers, each controller may want to consider placing contractual obligations on the other controller to take every reasonable step to ensure all inaccurate personal data is rectified or erased.
Principle: Storage limitation	This principle requires personal data to be kept in a form that permits the identification of data subjects for no longer than is necessary. Establish clear time limits for erasure (or for a periodic review) of the personal data. Generally, personal data should only be archived where the controller still needs to hold the information, otherwise it should be deleted and when personal data is deleted at the end of the retention period, this should also be deleted from any backup. How long shared data should be retained should be documented. Consider including retention schedules in an agreement setting out how long different types of personal data can be kept. Consider if the personal data should have been disposed of already, or if the shelf life of the data is so restrictive that the objectives may not be achievable.
Principle: Integrity and confidentiality (and Article 32 of the GDPR)	In summary, controllers must process personal data securely, with organisational and technical measures in place that are appropriate to the nature, scope, context and purpose of the processing and the risks posed to the rights and freedoms of individuals. Controllers must take into account the state of the art and costs of implementation when determining what measures are appropriate in the circumstances. Steps which should be taken Whenever an organisation shares or receives personal data it should: —undertake an information risk analysis and document conclusions (this assessment should take into account the nature of the data (eg if it is special category personal data)) —consider reviewing the personal data received to ensure it knows its origin and whether any conditions are attached to its use —consider reviewing the personal data shared with other organisations to ensure it knows who has access to it and what they will use it for —ensure appropriate technical and organisational security measures are in place (including information security, encryption, physical security and resilience in the event of a fire, power cut or other incident) —ensure all staff in both organisations involved in data sharing understand the importance of protecting personal data and have clear instructions about the security steps that need to be followed when sharing information by multiple methods, eg phone, fax, post, email, online or face to face —provide a suitably high level of security when sharing special category or sensitive data —identify who within the organisation should have access to personal data that has been received and adopt a ‘need to know’ approach which avoids giving all staff access to the data if only a few of them need it —impose any necessary restrictions on the onward sharing of data with third parties (eg non-dislosure agreements and training obligations) —consider the impact a personal data breach may have on individuals —regularly test, assess and evaluate security provisions (including the transmission and the way data will be handled afterward) Consider whether the data security measures in place before, during and after the transfer of personal data, are adequate. Responsibility for recipient controller’s failings At present, it is unclear to what extent and in what circumstances, a disclosing controller might be held liable for security failings by a receiving controller that is also subject to the DP legislation regime. The Draft Data Sharing Code states: ‘Organisations that you share data with take on their own legal responsibilities for the data, including its security. However you should still take reasonable steps to ensure that the data you share will continue to be protected with adequate security by the recipient organisation.’ Undertaking a DPIA can help minimise risks and disclosing controllers should also: —ensure that the recipient understands the nature and sensitivity of the information —take reasonable steps to be certain that appropriate technical and organisational security measures are in place, particularly to ensure that the recipient has incorporated an agreed set of security standards into a data sharing agreement (where there is one) (e.g. that data will not be shared on unencrypted memory sticks and that the organisation has appropriate systems (e.g. training and vetting) in place to ensure that its staff comply with all relevant data protection laws) —resolve any difficulties before sharing the personal data in cases where the disclosing and recipient organisations have different standards of security, IT systems, procedures or protective marking systems The impact a personal data breach (in terms of cost, reputational damage or lack of trust from customers or clients) may be particularly acute where an organisation shares personal data with a recipient organisation that fails to protect that data. The receiving party is likely to want assurance that data will only be transferred to it in a secure form (e.g. not on an unencrypted USB stick) so as to minimise the risk of the recipient party being in breach of its own obligations under the DP legislation (e.g. if data or the media it is on is lost shortly after delivery). It will also be in the interests of all parties to ensure the controllers are aligned on how the data will be shared—using incompatible systems to share data may lead to the loss, corruption or degradation of data in transit.
Principle: Accountability	That controllers must be responsible for, and be able to demonstrate, compliance with the GDPR’s data protection principles is one of the most significant changes introduced by the GDPR. Each controller must: —implement risk assessments and due diligence on the proposed arrangement (plus formal DPIAs where appropriate) (see above) —implement data protection by design and by default (see below) —implement workable governance and change control procedures (see below) —keep appropriate records —implement appropriate security measures (see above) —record any personal data breaches, and report them where necessary
Data protection by design and default	Article 25 of the GDPR requires controllers to integrate data protection concerns into every aspect of their personal data processing activities. In summary: —data protection by design is an approach to ensure the controller considers privacy and data protection issues at the design phase of any data sharing and then throughout the lifecycle —data protection by default requires controllers to ensure that they only share or otherwise process the personal data that is necessary to achieve a specific purpose The ICO has produced guidance on data protection by design and default.
Data subjects’ rights under Chapter III of the GDPR	The data sharing arrangements must be drafted and structured so that each controller can comply with its own obligations under the GDPR (such as having policies and procedures that allow individuals to exercise their data subject rights with ease and responding correctly to requests to exercise those rights).
Cross-border transfers	Ensure the arrangement contains appropriate restrictions on cross-border transfers.

Transferring personal data outside of the EEA

It is important that City does not transfer personal data outside of the EEA (the European Economic Area) when sharing data with a third party, or when a third party processes personal data on City’s behalf, unless there are adequate controls in place to secure the safety of personal data. Transfers within the EEA are considered to be protected by adequate safeguards.

The ways in which an international transfer of City personal data outside of the EEA could be deemed acceptable is through one of the following:

If there is a written contract in place that includes Standard Contractual Clauses (SCCs) approved by the European Commission;
The company to whom the personal data is being transferred has Binding Corporate Rules (BCRs) approved by the European Commission;
If an international transfer is to the US and the third party in the US is Privacy Shield certified;
If the country that the data is being transferred to has an Adequacy Decision;
With the explicit consent of each individual whose personal data is being transferred.

You should be aware that the use of a server outside of the EEA to host the website is considered a transfer of personal data. Where the third party server or storage location or its employees providing the services are located outside of the EEA you must contact the Information Assurance Team for specific guidance (see DP Reps below or email dataprotection@city.ac.uk).

Please also see the module on International Transfers in the Data Protection section on the Staff Hub.

Standard Contractual Clauses (SCCs)

As above, SCCs may be used if you choose to transfer personal data outside of the EEA. These would need to be signed in addition to any data sharing agreement, either as a stand-alone agreement or a schedule to the data sharing agreement.

The European Commission has so far issued two sets of standard contractual clauses for data transfers from data controllers in the EU to data controllers established outside the EU or European Economic Area (EEA).

It has also issued one set of contractual clauses for data transfers from controllers in the EU to processors established outside the EU or EEA.

EU controller to non-EU or EEA controller (login required)

EU controller to non-EU or EEA processor (login required)

The ICO has also issued clause-by-clause guidance on how SCCs work:

Controller to controller template

Controller to processor template

Who to Contact for Further questions?

Data Protection Representatives (‘DP Reps’) (login required) are your first port of call for any data protection queries you may have.

When you contact one of our DP reps, please ensure that you include the DP mailbox (dataprotection@city.ac.uk). You may also contact your relevant SIRO.