Department for Education data protection compliance toolkit: Relationships with suppliers
13th June, 2018
One of the biggest changes in data protection law to emerge from GDPR is the emphasis now placed on businesses that you trust to process personal data. They must share with you overall responsibility for data protection to a far greater extent.
In this, our final look at DfE’s Beta version “Data protection: a toolkit for schools” we focus on the relationship you will now want to have with your suppliers where personal data needs to be accessed by the supplier.
As data controller for most of the personal data you work with in school, it will be clear to you that there are a raft of legal responsibilities associated with the management and processing of that data. It is increasingly the case that, to operate your school effectively, you need to rely on third parties to provide you with support in areas such as facilities management (CCTV and catering, for example) and supporting you in delivering the curriculum through the provision of educational software, including your learning platform and apps for use by pupils.
GDPR creates new legal obligations for processors, who must satisfy various requirements of the legislation in their processing of personal data on behalf of a data controller. The DfE toolkit looks at this issue in the context of data mapping – Step 3 in the toolkit. Data mapping is an important exercise and an essential starting point to help you realise just how much personal data may flow out of your school into the hands of others for processing.
Where it could be said that the toolkit needs further development is in the area of how you manage your relationship with suppliers who process personal data. There are a number of steps that need to be worked through when looking to assure yourself that a supplier you work with can be trusted to meet its data protection obligations. Here are the key steps that we think you will want to be aware of:
It is no longer simply a case of trusting the supplier – you should be auditing compliance
There are questions to ask of the supplier such as:
- What security arrangements apply to your data when held by the supplier?
- Does the supplier sub-contract aspects of the service it provides meaning others see the data?
- Does the supplier meet particular industry standards for cyber security, e.g. Cyber Essentials?
Audit questionnaires are now increasingly used in the education system to cover these and many other issues where you will want some comfort. Many suppliers are now producing guides to their security and cyber threat prevention strategies. Keep hold of this information as this demonstrates that you have taken the time to review how the supplier operates.
Do you have a confidentiality clause in your contract with the supplier?
GDPR expects you not to take confidentiality for granted. There must be a contractual term in place committing the supplier to respecting the confidentiality of the personal data that it receives. You might want to investigate further how the confidentiality is maintained within the supplier’s business. If the supplier is gaining access to significant amounts of student data, has it taken steps to segregate data using pseudonymisation – in other words, creating separate databases for the user details and for the educational information with only authorised staff in a position to link the two together?
Your instructions to the data processor must be documented
In the past few weeks you will have seen many of your suppliers updating their terms and conditions of business. It is this principle that has been the main driver for suppliers doing this. If you have a supplier handling personal data who has not yet proposed new terms and conditions, this should be investigated. It may be that the existing contract is already clear as to what processing you are authorising, but that is unlikely.
Make sure you have a say if the supplier starts to use a sub-contractor or switches sub-contractors
GDPR requires the supplier to tell you (before the event) if it intends to appoint a sub-contractor or change who it works with. You should review any proposal of this kind carefully and look to see evidence that the sub-contracting does not harm your school’s interests. You could look, for example, at whether the supplier has carried out a privacy impact assessment when selecting the sub-contractor. You can object if you are unhappy with the proposal put to you.
Be sure that the arrangements you have in place for the supplier accessing personal data are sound
Some suppliers that you work with will have a very sophisticated understanding of data protection laws. Others less so. In the field of education apps you may find yourself working with relatively small businesses. The process of setting up users to benefit from using the app may be rudimentary, with you passing details on through an Excel or similar spreadsheet. This information should be encrypted when you transfer it. You will want to ensure that, once users are set up, any data the supplier has no need to retain is deleted immediately.
And finally, should things go wrong…
Your contract with the supplier must require the supplier to co-operate with you where there is a data breach. You can set out requirements for immediate notification to you when an issue arises – we recommend that you set up a dedicated data breach notification email address – but, at the same time, insist on verbal notification when a breach is likely to have significant consequences for you.
You should also, of course, look to see what the contract says about your costs in managing a data breach caused by your supplier. It’s only right, after all, that you are compensated, but this needs to be written into the contract as GDPR is silent on the point.
Data Protection: Keeping you informed
This is the last in our series of newsflashes. We are constantly monitoring developments in this tricky area of compliance. We expect the next development to be publication of ICO’s guidance on children and GDPR. Watch out for our commentary on the guidance (which it will be mandatory to follow) as soon as the guidance becomes available.
If you have any questions about your response to GDPR or any of the issues raised in our series of briefings, please contact Frank Suttie.