Third parties working for and with the University
Suppliers handling personal data (Data Processors)
In some situations it will be necessary to provide an organisation external to the University with personal data of staff or students in order for that organisation to fulfil a task on behalf of the University. For example, an external organisation could be responsible for printing and distributing information on behalf of the University. To do so they would need the names and addresses and content for distribution in order to fulfil their obligation.
This extends to software, including software as a service (SaaS), and cloud hosted tools, for example Microsoft O365, Blackboard and Canvas.
Where we are using Data Processors, we are required, by law, to have specific clauses within a legally binding contract. We are also responsible for the security of the information, which requires us to perform due diligence on that supplier, including security assessments.
We also consider corporate risks in relation to indemnities and liabilities, international transfers, and licensing.
Contracts (which includes Terms and Conditions of use) must only be entered into by members of staff with the necessary delegation rights to do so. This includes Procurement, Legal Services, RES and UEB.
If you are procuring services that involve third parties processing personal data, please take advice so that we can ensure we are meeting all out obligations.
Requests for software use should be directed to your DTS Business Partner in the first instance.