Third parties working for and on behalf of the University
Suppliers handling personal data (Data Processors)
In some situations it will be necessary to provide an organisation external to the University with personal data of staff or students in order for that organisation to fulfil a task on behalf of the University. For example, an external organisation could be responsible for printing and distributing information on behalf of the University. To fulfil that obligation, they would need the names and addresses of the recipients and the content for distribution.
The contract between the University and such a third party needs to contain certain elements:
- it should identify the data controller (the owner of the information) and the data processor (the organisation carrying out the processes)
- details of the processing to be carried out
- details of the records management, including retention schedules and disposal procedures
- it should include a clause that requires the third party to acknowledge that the University is subject to the requirements of the Freedom of Information Act (FOIA) and the Environmental Information Regulations, which will require the third party to assist and cooperate with the University in providing data in a timely fashion to satisfy such requests
Professionals acting on behalf of the University
People working in a professional capacity on behalf of the University, such as PGCE and Social Work supervisors, are effectively contractors to the University. Unless their contract has specifically stated something to the contrary, the University is not the data controller of any documentation that they produce in the course of their work other than that specifically required as feedback to the University. Unless the notes kept by such contractors are kept electronically or in a structured filing system, they will not be subject to data subject access under the Act. If personal data are held in one of these ways, the contractor is the data controller and should send a notification to the Office of the Information Commissioner. Any Data Subject Access Requests (DSARs) for this material should be sent directly to the contractor.
The contract between the University and such individuals should clarify who is the data controller (i.e. the owner of the data) and should specify the data processing, including data transfers, that either party might undertake where they are not the data controller.
E-mails that pass between the contractor and the University are on the University's system, and the University is therefore the data controller for them. They are subject to data subject access requests in the same way as any other e-mails within the University, with consideration given to whether the information truly constitutes personal data and whether there is any third party information.