Emailed about DPA and contractual agreements

smithers
smithers Community member Posts: 4 Listener
Hi, this morning I was emailed by my council with a few attachments titled "action needed: data protection". The documents don’t make any sense to me; I’m on UC and PIP and don’t work, and I’m confused as to what this is. I don’t recall having a contract in any way with anyone, and I don’t often feel comfortable giving out such details in unknown situations or without knowing what it’s for exactly. Please can I have some advice?

Here’s one of the attachments 
Dear Sir/Madam

Data protection and contractual arrangements

The Data Protection Act 2018 and UK GDPR (data protection legislation) impose legal obligations on controllers and processors to formalise their working relationship, in line with the law and our requirements. This is to ensure the parties are clear about their role regarding compliance and the protection of personal and special category data that is being processed.

West Northamptonshire Council (WNC) is undertaking a review of all contracts that involve the processing of personal and special category data as defined by articles 5 and 9 of the UK General Data Protection Regulation (UK GDPR). The purpose of this review is to demonstrate accountability and due diligence when engaging a data processor to work on behalf of WNC, and to ensure that those organisations are fully aware of their legal responsibilities when processing data.

Personal data may include sensitive special category data.

Examples of personal data include, but are not limited to, the following identifiers:

• Name;
• Date of birth;
• Address;
• Telephone number;
• Email address;
• Financial data;
• Identification number, such as National Insurance Number;
• Location data; and
• Online identifiers, such as IP address and cookie identifiers.

Article 9 UK GDPR defines the special categories of personal data, which relate to sensitive personal information regarding an individual’s:

• Race;
• Ethnic origin;
• Political opinions;
• Religious or philosophical beliefs;
• Trade union membership;
• Genetic data;
• Biometric data (where this is used for identification purposes);
• Health data;
• Sex life; or
• Sexual orientation.

We take this opportunity to set out below the main areas of law which impact you as a data processor acting on our behalf.

The UK GDPR states that:

Processing must meet the requirements of the Regulation

Data processors are required to process personal and special category data in accordance with the data controller's instructions. It is in the interest of both parties to make sure their obligations are clearly set out.

Imposes restrictions on Sub-Contracting

UK GDPR gives data controllers a wide degree of control regarding the processor’s ability to sub-contract. Data processors require prior written consent from the data controller. The data processor is required to inform the data controller of any new sub-processors, giving the data controller time to object. If there is an objection, the sub-processing may not continue. The lead processor in a sub-contracting arrangement is required to reflect the same contractual obligations it has with the data controller, in a contract with any sub-processors. The data processor remains liable to the controller for the actions or inactions of any sub-processor (Article 28(4) UK GDPR).

Highlights the need for a Controller / Processor Contract

A contract is required where a data controller uses a data processor to process personal data, to bind the processor to the controller in respect of its processing activities (Article 28(3) UK GDPR).

There are several specific requirements, including that the personal data is processed only on documented instructions from the controller, and requirements to assist the controller in complying with many of its obligations. The data processor has an obligation to tell the data controller if it believes an instruction to hand information to the data controller breaches the GDPR or any other law.

Imposes the need for security measures

Data controllers may only appoint data processors that provide sufficient guarantees over appropriate technical and organisational measures to ensure processing meets the requirements of UK GDPR.

Data processors are required to implement ‘appropriate’ security measures. What is ‘appropriate’ is assessed in terms of a variety of factors including the sensitivity of the data, the risks to individuals associated with any processing or breaches of security, the state of the currently available technologies, the costs of implementation and the nature of the processing. These measures might include pseudonymisation and encryption. Regular testing of the effectiveness of any security measures is also required where appropriate.

Has a breach notification requirement

Processors are required to notify the data controller of any breach without undue delay after becoming aware of it. This is to allow data controllers to assess the breach and notify the Information Commissioner’s Office within the 72-hour required timeframe.

Imposes rules around transfers to third countries

The data processor must exercise a degree of independence from the data controller when deciding whether it can transfer personal data to a third country. While processors are required to follow the data controller's instructions, they may only transfer personal data to a third country (in the absence of an adequacy decision) if appropriate safeguards have been provided and data subjects have enforceable rights in that country with respect to the data.

We are therefore writing to you in relation to our respective contractual obligations to request:

• An update on what changes you intend to make to these contract(s) to ensure they remain compliant with data protection legislation and UK GDPR;
• Your timetable for effecting such changes;
• Confirmation that the contract(s) held do not involve the processing of personal or special category data;
• Alternatively, should you believe that you have no contract in place with WNC, please respond and confirm that no contract is held.

Contracts must also include as a minimum the following terms. When amending terms, please ensure that the following information is included:

• The subject matter (what processing is being done and duration of the processing).
• The nature and purpose of the processing.
• The specific types of personal and special category data.
• The categories of data subject.
• That the data processor can only act on the written instructions of the data controller.
• Those processing the data are subject to a duty of confidence.
• How you take appropriate measures to ensure the security of processing.
• That you may only engage sub-processors with the prior consent of the data controller and under a written contract.
• Detail any transfers to third countries.
• Assist the controller in providing subject access and allowing data subjects to exercise their rights under the UK GDPR.
• Assist the controller in meeting its UK GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments.
• Delete or return all personal data to the controller as requested at the end of the contract.
• Submit to audits and inspections, provide the controller with whatever information it needs to ensure that they are both meeting their Article 28 obligations, and tell the data controller immediately if it is asked to do something infringing the UK GDPR or other data protection law of the EU or a member state.

In the interests of the parties concerned and our data subjects, we would like to ensure that contracts are appropriately varied, and our respective data protection obligations are clarified and adhered to. We request that you promptly respond to this letter with either a variation or a new contract, which includes the UK GDPR data protection requirements.

If you do not have ready-prepared documentation covering the above points and the contract is based on WNC’s terms and conditions, please complete and return the processing schedule template (Appendix A).

If the contract is based on your terms and conditions, please complete and return the processing guidance, questions and declaration form (Appendix B).

Comments

  • Alex_Alumni
    Alex_Alumni Scope alumni Posts: 7,538 Championing
    I would wonder whether it's been sent out in error @smithers as it talks about the recipient as a "data processor" which I take to mean someone who handles the kind of personal data they've listed. 

    I think perhaps someone has pressed the "Send to All" button by mistake. I would contact your local council just to make sure this is the case, but from what I can tell I don't think it was intended for you.
  • Biblioklept
    Biblioklept Community member Posts: 5,233 Championing
    Looks like it isn't meant for you. I'd ignore it. Are you sure it is even definitely from the council?
  • smithers
    smithers Community member Posts: 4 Listener
    I believe it was sent by mistake as well as I have no idea what any of it means and it’s not addressed to me personally. The email came from a council email but it wasn’t directly addressed to me so I assume again it was sent to all and I had recently emailed my housing officer. 
  • Biblioklept
    Biblioklept Community member Posts: 5,233 Championing
    Yeah guess it's an error