Step 9: Third parties
Contents
- Introduction
- Step 1: What do I need to know about data protection?
- Step 2: Who is responsible for what?
- Step 3: Appointing a Data Lead
- Step 4: Understanding data subjects' rights
- Step 5: Gathering data
- Step 6: Data discovery
- Step 7: Keep a record
- Step 8: Check your security
- Step 9: Third parties
- Step 10: Publish your privacy stance
- Step 11: Delete and destroy
- Step 12: Responding to a breach
Step 9: Third parties
The operation of a local Scout Group, District, County/Area/Region (Scotland) or Country (collectively known as ‘Scout Units’) will inevitably involve the services of other organisations or companies. In the case where these parties process the personal data you control on your behalf, they are known as third party data processors.
In the first instance you should identify all third parties your local Scout Unit is working with. During this process it is important to understand the type of relationship you have with each third party. These can be broken down as follows:
- Data controller to data processor, where the data controller enlists the services of the data processor to process data on the controller's behalf
- Data controller to data controller, where both independently determine the purpose for processing but there is a transfer of data between them
- Joint data controllers, where both act together to decide the purposes and manner of data processing
In all cases it is advisable to have at least a documented agreement in place between you. The type of agreement depends on the relationship:
- Data controller to data processor – requires a formal written data processing agreement (the Article 28 contract terms listed under Contracts below); ICO guidance has more information
- Data controller to data controller – it is advisable to have a documented agreement or arrangement between them. This could be based on both having GDPR-aligned privacy notices
- Joint data controllers – required to have a documented agreement or arrangement between them that determines each party's responsibilities
Here are examples of Scouting scenarios:
- Data controller to data processor – a local Scout Unit using a third party platform provider, such as Google (Google Workspace, formerly G Suite) or Microsoft (Microsoft 365, formerly Office 365)
- Data controller to data controller – a local Scout Unit sharing data with an event organising company that requires participants' data to manage event activities
- Joint data controllers – unlikely to be used within Scouting, but an example could be a Scout Group working with another Scout Group on an event where both are equally responsible for administering a joint participant database
It is advisable to maintain a record of all third-party relationships so that you can demonstrate that each relationship complies with the GDPR.
Third party due diligence
The procurement of new services or renewing of existing services with third parties should be completed with an appropriate level of due diligence.
When considering a third party for the provision of a service, the following criteria can be used as a guideline to reduce the risk involved in using that third party:
- The reputation of the third party
- The location of the third party and their service (where the data is personal data this should ideally be in the UK, the European Economic Area, or a country covered by UK adequacy regulations; alternatively, there must be an appropriate safeguard recognised under the UK GDPR in place, such as the ICO's International Data Transfer Agreement; see the section below on Adequacy)
- The standards the third party is certified or audited against, such as:
- ISO 27001
- ISO 27018
- ISO 27701
- ISO 9001
- PCI DSS
- SOC 2
- Cyber Essentials Plus
Ask for the certificate or audit report itself rather than a claim of compliance, and check that it is current and that its scope covers the service you will actually use; a certificate for one product or site says nothing about another.
The above detail is best captured directly from the third party. We have provided a Template Third Party Register to assist with collecting this information.
Where the service provider has the potential to introduce a data protection risk, this should be assessed further. A tool to assist with this assessment is the Data Protection Impact Assessment (DPIA), which helps guide you through an analysis of the services and the provider. The DPIA is a risk assessment tool that considers both data privacy and information security.
We have produced a Template DPIA which you can use for this.
The decision to progress with a third party and service should be based on the output of the above assessments and made by appropriate members of the local Scout Unit Trustee Board.
Contracts
You should review any existing contracts you have with the third party and check their alignment to the GDPR. At a high level, for a data controller to data processor relationship, the agreement should cover the following (the same structure can also be used for other relationship agreements):
- the subject matter and duration of the processing;
- the nature and purpose of the processing;
- the type of personal data and categories of data subject; and
- the obligations and rights of the controller;
- the processor must only act on the written instructions of the controller (unless required by law to act without such instructions);
- the processor must ensure that people processing the data are subject to a duty of confidence;
- the processor must take appropriate measures to ensure the security of processing;
- the processor must only engage a sub-processor with the prior consent of the data controller and a written contract;
- the processor must assist the data controller in providing subject access and allowing data subjects to exercise their rights under the GDPR;
- the processor must assist the data controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments;
- the processor must delete or return all personal data to the controller as requested at the end of the contract; and
- the processor must submit to audits and inspections, provide the controller with whatever information it needs to ensure that they are both meeting their Article 28 obligations, and tell the controller immediately if it is asked to do something infringing the GDPR or other data protection law of the EU or a member state.
The Information Commissioner’s Office (ICO) have provided comprehensive guidance on the structure of such an agreement.
Adequacy
In addition to the contract structure it is important to assess the third party based on where the data is located. This is known as adequacy and is focused on ensuring that the third party is in the UK or an EU/EEA country, and hence bound by the GDPR, or in a country that offers an equivalent level of data protection.
Where a country has been found to offer an equivalent level of protection, the UK recognises it through adequacy regulations, and personal data can be transferred to organisations there without further safeguards. Some adequacy decisions are partial and only cover organisations that have certified to a specific framework. The main example is the EU-US Data Privacy Framework and its UK Extension (the UK-US data bridge): a US organisation is only covered if it has self-certified to the framework and is listed as active, so it is the third party's responsibility to certify and to be held to the framework's principles. A list of adequate countries can be found on the ICO website.
As the majority of cloud based solution providers reside in the US, it's worth checking the Data Privacy Framework list to see whether the third party is already certified. Check that the entry is active, that it covers the UK Extension, and that the legal entity you are contracting with is named on the certification (either as the certified organisation or as one of its listed covered entities).
Data sharing
Finally, consideration needs to be made when transferring data to a third party, specifically around the mechanism used to complete this transfer.
A data transfer can be anything from a paper form sent by post to an electronic transfer via email or directly through a website. In all cases care should be taken to secure the transfer. Basic techniques for securing these kinds of transfers are a tracked, signed-for postal service (such as Royal Mail Special Delivery) for paper, and encryption for electronic systems. Encryption should cover the data in transit (for example an HTTPS upload portal rather than plain email) or, where email is the only option, the data itself (an encrypted, password-protected file with the password sent by a separate channel such as a phone call), so that the data is not exposed if the message is misaddressed or intercepted.
On occasion, data sharing may be required with ad-hoc third parties with whom there is no contractual relationship, but where the sharing is necessary under certain conditions. These conditions could include the referral of a safeguarding concern to UK HQ, a request for information from a police officer or a request from a member's solicitor for data. Where these requests do not meet the criteria to be processed as a Subject Access Request they should be treated as follows:
- Request for information – Where a request is made to you for information it is important to make sure the request is assessed and responded to appropriately. This should include identifying the requestor and ensuring their grounds for data sharing are appropriate. In most cases it is not appropriate or possible to gain the consent of the data subject, therefore another lawful basis needs to be aligned.
- Disclosure of information – There may be occasions where the Local Scout Unit are looking to make a voluntary disclosure of information, such as to UK HQ for a safeguarding concern with a young person. In this case consent of the data subject is not an appropriate lawful basis, therefore this disclosure should be assessed and captured.
In both cases, whether data is being requested or disclosed, it is important that the assessment of the situation is prompt and balanced and considers the safety of individuals first. The below are a series of guiding principles to consider when sharing data, specifically in safeguarding scenarios:
The sharing of information should be completed with justification and awareness. Please read the full guidance:
- Purpose - can I explain the activity? The purpose of the sharing needs to be clear and easy to understand so that the data subject gets a good idea of what is happening with their personal data.
- Minimisation - what do I need? The personal data being shared should be limited to only what is required for the purpose defined.
- Lawful - The data sharing should be aligned to a lawful basis, such as legitimate interest, consent, performance of a contract etc. In most cases this would be legitimate interest, or consent from the young person or their parents/carer.
- Accurate - is the data accurate and up to date? The personal data being shared should be accurate and up to date, this is an ongoing obligation.
- Secure - is the personal data secure in transfer and at the target? The personal data should be appropriately secured with the receiving party and during transfer
- Retention - how long is the personal data required? Shared personal data is still bound by a requirement to set a retention period, and this is the obligation of the receiving party. In the example of a Scout Group transferring personal data to the Scout District, the Scout District should set a retention period for the data it receives. For example, the personal data is required to contact the young people or their parents/carers to inform them of the Explorer Scout programme. If the young person or their parent/carer does not respond or is not interested then the data should be deleted after a defined period. If the young person is enrolled in Explorer Scouts then this is a separate processing activity and subject to the Scout District's retention policy.
- Transparency - is it clear to the data subject what is happening with their personal data? In all cases where data is being shared with another party the data subject should be informed of this. This should be added as part of your Privacy Policy (usually on your website or in paper form) or via a Privacy Notice on the form the young person or parent/carer completed, further guidance can be found here.
- Agreement - do we have an agreement between us? The detail captured as part of the review of the GDPR principles should form the basis of the agreement between the two parties.
Useful resources for Step 9