1. An organisation that determines how and why personal data is processed (the data controller) is required to handle that data in accordance with the data protection principles of the Data Protection Act 1998 (DPA). A data controller may choose to use another organisation to process personal data on its behalf, a data processor. The data controller remains responsible for ensuring its processing complies with the DPA, whether it processes in-house or engages a data processor. Where a data processor is used, the data controller must ensure that suitable security arrangements are in place in order to comply with the seventh data protection principle.
2. The seventh data protection principle provides that: “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”.
3. The DPA adds that: “Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller is not to be regarded as complying with the seventh principle unless – (a) the processing is carried out under a contract – (i) which is made or evidenced in writing, and (ii) under which the data processor is to act only on instructions from the data controller, and (b) the contract requires the data processor to comply with obligations equivalent to those imposed on a data controller by the seventh principle”.
4. The DPA therefore requires the controller to have a written contract with its chosen processor. The contract must ensure that Framework Training Ltd:
a. may only use and disclose the personal data in accordance with the controller's instructions; and
b. must take appropriate security measures to protect the data.
In summary, a data processor such as Framework Training Ltd has legal obligations when processing personal data on behalf of a client. However, neither the Data Protection Act nor the Information Commissioner's Office stipulates which specific measures must be taken. Instead they state:
“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”
From 25 May 2018 the GDPR applies and defines specific legal obligations for both the data processor and the data controller; Articles 28 to 36 set out the obligations that fall on the processor.
We have defined a set of data principles that go beyond the basic requirements of the DPA and ICO in order to allow clients to be confident in working with Framework Training. These principles have now been updated to include the requirements of GDPR.
Data of the following types will not be accepted by or processed by Framework Training Ltd:
1. Personal data on individuals such as Date of Birth, National Insurance number, marital status, passwords, sexual preferences or other similar personal data
2. Any data relating to persons under the age of 18
Framework Training Ltd will process only the data required for the successful fulfilment of its role as a provider of education, coaching and consultancy services. This may include data about sole traders and unincorporated businesses, whose business contact details are also personal data because they identify an individual.
This data can include:
1. Addresses, business names, contact names, job titles, phone numbers, email addresses and similar or related data
2. Company data such as industry classification, number of employees, turnover and similar data
3. Past history of engagement, purchases, web site visits and related data
Framework Training Ltd takes appropriate measures to ensure that data is protected against unauthorised access and cannot be accidentally damaged or destroyed. These measures include:
1. Storing data on a resilient file system and/or database that is regularly backed up
2. Ensuring that access to the data is limited to approved staff members
3. Limiting each staff member's access to what their role requires, to prevent accidental destruction of or damage to the data
4. Securing the database behind appropriate security systems to prevent unauthorised access
5. Training all staff who process data to do so in an approved manner
6. Remaining ready to detect and deal with a data breach should one ever occur
Framework Training Ltd processes personal data only on the written instructions of the controller.
Framework Training Ltd does not process data outside the EEA, nor does it allow data to leave the EEA except where the transfer complies with Article 29 Working Party guidelines.