
GDPR Step 9: Third parties

Version 2, April 2019

The operation of a local Scout Group, District, County/Area/Region (Scotland) or Country will inevitably involve the services of other organisations or companies. In the case where these parties process the personal data you control on your behalf, they are known as third party processors.

In the first instance you should identify all third party processors your local Scout Group, District, County/Area/Region (Scotland) or Country is working with. During this process it is important to understand the type of relationship you have with each third party. These can be broken down as follows:
• Data controller to data processor (third party processor)
• Data controller to data controller, where both independently determine the purpose for processing but there is a transfer of data between them
• Joint data controllers would be acting together to decide the purposes and manner of data processing
• Data controllers in common who share a common data set but determine the processing purposes independently

In all cases it is advisable to have at least a basic agreement in place between you. The type of agreement depends on the relationship:
• Data controller to data processor – requires a formal data processing agreement (ICO guidance can be found here)
• Data controller to data controller – advisable to have a documented agreement or arrangement between them. This could be based on both parties having GDPR-aligned privacy notices
• Joint data controllers – required to have a documented agreement or arrangement between them that sets out each party's responsibilities
• Data controllers in common – usually this is bound by organisational rules, such as POR (Policy, Organisation and Rules), and no further formal agreement is required

The following are examples of these different scenarios:
• Data controller to data processor – Local Scout Group, District, County/Area/Region (Scotland) or Country to third party events management company
• Data controller to data controller - Local Scout Group, District, County/Area/Region (Scotland) or Country to another within the Movement structure
• Joint data controllers – Unlikely to be used within Scouting
• Data controllers in common – Local Scout Group, District, County/Area/Region (Scotland) or Country with UK headquarters for adult volunteer joining. The commonality here is the data within the Scouts membership database (Compass).

You are required to maintain a record of all third-party relationships and to be able to demonstrate that each relationship is aligned to the GDPR and the Data Protection Act 2018.
 

Contracts

Initially you should review any existing contracts you have with the third party and check their alignment to the GDPR. At a high level, a data controller to data processor agreement should cover the following (the same structure can also be used as a basis for the other relationship types):
Compulsory
• the subject matter and duration of the processing;
• the nature and purpose of the processing;
• the type of personal data and categories of data subject;
• the obligations and rights of the controller;
• the processor must only act on the written instructions of the controller (unless required by law to act without such instructions);
• the processor must ensure that people processing the data are subject to a duty of confidence;
• the processor must take appropriate measures to ensure the security of processing;
• the processor must only engage a sub-processor with the prior consent of the data controller and a written contract;
• the processor must assist the data controller in providing subject access and allowing data subjects to exercise their rights under the GDPR;
• the processor must assist the data controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments;
• the processor must delete or return all personal data to the controller as requested at the end of the contract; and
• the processor must submit to audits and inspections, provide the controller with whatever information it needs to ensure that they are both meeting their Article 28 obligations, and tell the controller immediately if it is asked to do something infringing the GDPR or other data protection law of the EU or a member state.

The Information Commissioner's Office (ICO) has provided comprehensive guidance on the structure of such an agreement, here.

To assist local Scouting, you can use the GDPR Third Party Processor Checklist. This is a checklist that can be used to communicate with the identified third party and start the process of assessing the contract position for GDPR alignment.

Adequacy

In addition to the contract structure it is important to assess the third party based on where it stores and processes the data. This is known as adequacy and is focused on ensuring the third party is in an EU/EEA country, and hence bound by the GDPR, or in a country that the European Commission has found to offer an equivalent level of data protection. In the latter case the Commission issues an adequacy decision for that country, and transfers to it can proceed without further safeguards. Some adequacy decisions are partial: at the time of writing the decision for the United States covered only companies and organisations that had self-certified to the EU-US Privacy Shield framework, so a US third party processing the data of EU citizens needed to be listed under the Privacy Shield, not merely based in the US. (Note that the Privacy Shield decision was invalidated by the Court of Justice of the EU in July 2020, after this version was written, so check current ICO guidance on international transfers before relying on it.)
 
A list of adequate countries can be found here.

As the majority of cloud-based solution providers are based in the US, it's worth checking the Privacy Shield register to see whether the third party is already part of the framework.

Data sharing and transfers

Finally, consideration needs to be given to how data is transferred to a third party, specifically the mechanism used to complete the transfer.

A data transfer can be anything from a paper form sent by post to an electronic transfer by email or directly through a website. In all cases care should be taken to secure the transfer. Basic techniques for securing these kinds of transfer are the use of tracked or special delivery services from the postal service for paper, and encryption for electronic systems: for example, encrypting a spreadsheet or file before attaching it to an email, and passing the passphrase to the recipient by a separate channel such as a phone call, never in the same message as the attachment.
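What this looks like in practice for an electronic transfer, as an added example that is not part of the original guidance: a small POSIX shell script that encrypts a constructed member export with the openssl command-line tool before it is attached to an email, and refuses to decrypt a file whose checksum does not match the one passed on separately. The file names, passphrase and sample rows are assumptions for illustration, and the script assumes openssl 1.1.1 or later is installed.

```shell
#!/bin/sh
# Added example, not part of the Scout Association guidance: encrypt a member
# export before emailing it to another data controller, and produce a checksum
# to send by a separate channel. Assumes the openssl command-line tool (1.1.1+,
# for -pbkdf2) is installed.
set -eu

# Constructed sample export. Only the fields needed for the stated purpose
# (contacting parents/carers about Explorer Scouts) are included; no date of
# birth, address or medical data, which the District does not need for that.
make_sample_export() {
  cat > "$1" <<'EOF'
name,parent_email,parent_phone,section
A. Example,parent1@example.org,07700 900001,Scouts
B. Example,parent2@example.org,07700 900002,Scouts
EOF
}

# encrypt_export PLAINTEXT OUTPUT PASSPHRASE_FILE
# AES-256-CBC with a key derived from the passphrase by PBKDF2 and a random
# salt. Prints the SHA-256 of the encrypted file: openssl enc does not
# authenticate the ciphertext, so the checksum, passed to the recipient by
# phone or in person along with the passphrase, is what lets them detect a
# tampered or corrupted attachment.
encrypt_export() {
  openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
    -in "$1" -out "$2" -pass "file:$3"
  openssl dgst -sha256 "$2" | awk '{print $NF}'
}

# decrypt_export CIPHERTEXT OUTPUT PASSPHRASE_FILE EXPECTED_SHA256
# Refuses to decrypt unless the file matches the checksum received separately.
decrypt_export() {
  actual=$(openssl dgst -sha256 "$1" | awk '{print $NF}')
  if [ "$actual" != "$4" ]; then
    echo "checksum mismatch: refusing to decrypt $1" >&2
    return 1
  fi
  openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
    -in "$1" -out "$2" -pass "file:$3"
}

# Round trip: sender encrypts, recipient verifies and decrypts. Prints "ok".
demo_roundtrip() {
  dir=$(mktemp -d)
  make_sample_export "$dir/export.csv"
  printf '%s' 'correct-horse-battery-staple' > "$dir/pass.txt"
  sum=$(encrypt_export "$dir/export.csv" "$dir/export.csv.enc" "$dir/pass.txt")
  decrypt_export "$dir/export.csv.enc" "$dir/recovered.csv" "$dir/pass.txt" "$sum"
  if cmp -s "$dir/export.csv" "$dir/recovered.csv"; then echo ok; fi
  rm -rf "$dir"
}

# Attachment altered in transit: the recipient's check fails before any
# decryption is attempted. Prints "blocked".
demo_tampered() {
  dir=$(mktemp -d)
  make_sample_export "$dir/export.csv"
  printf '%s' 'correct-horse-battery-staple' > "$dir/pass.txt"
  sum=$(encrypt_export "$dir/export.csv" "$dir/export.csv.enc" "$dir/pass.txt")
  printf 'x' >> "$dir/export.csv.enc"
  if ! decrypt_export "$dir/export.csv.enc" "$dir/recovered.csv" "$dir/pass.txt" "$sum" 2>/dev/null; then
    echo blocked
  fi
  rm -rf "$dir"
}

demo_roundtrip
demo_tampered
```

The passphrase and checksum must travel by a different route from the attachment; a passphrase in the same email, or a single "standard" password reused for every transfer, defeats the point. Where both parties can use a shared, access-controlled system instead, that is usually preferable to emailing files at all, because the data never leaves a system you already control.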

Controller to controller

As above, the transfer of data from one data controller to another is permissible but needs to be thought through to ensure it is transparent, in line with the GDPR principles and documented. An example of a data controller to data controller transfer is the sharing of young people's personal data from a Scout Group with the local Scout District. In this example the Scout District requires the personal data to be able to work directly with the young people who may be looking to join the District's Explorer Scout Section. The local Scout Group would transfer the contact details of the young people to the Scout District so that the District can contact them, inform them about Explorer Scouts and potentially enrol them.

To achieve the above, or any other data controller to data controller transfer, it is important that the following has been thought through. The GDPR principles need to be considered and applied to the data transfer. These are:
- purpose – can I explain the activity? The purpose of the data transfer needs to be clear and easy to understand so that the data subject gets a good idea of what is happening with their personal data.
- limited – what do I need? The personal data being transferred should be limited to only what is required for the purpose defined. The receiving data controller may request further personal data from the data subject once they have the transferred data, but this will be a direct relationship between them.
- lawful – the data transfer should rest on a lawful basis, such as legitimate interests, consent or performance of a contract. In most cases this would be legitimate interests (which requires a balancing test to have been completed; a Legitimate Interest Assessment tool is available here) or consent from the young person or their parent/carer.
- accurate – is the data accurate and up to date? The personal data being transferred should be accurate and up to date; this is an ongoing obligation.
- secure – is the personal data secure in transfer and at the destination? The personal data should be appropriately secured during transfer and by the receiving data controller.
- retention – how long is the personal data required? The transferred personal data is still bound by a retention period, and setting it is the obligation of the receiving data controller. In the example of the Scout Group transferring personal data to the Scout District, the Scout District should set a retention period for the data it receives. For example, the personal data is required to contact the young people or their parents/carers to inform them of the Explorer Scout programme. If the young person or their parent/carer does not respond or is not interested, the data should be deleted after a defined period. If the young person is enrolled in Explorer Scouts, that is a separate processing activity and subject to the Scout District's retention policy.
- transparency – is it clear to the data subject what is happening with their personal data? In all cases where data is being transferred to another data controller the data subject should be informed of this. This should be added as part of your Privacy Policy (usually on your website or in paper form) or via a Privacy Notice on the form the young person or parent/carer completed; further guidance can be found here.
- agreement – do we have an agreement between us? The detail captured as part of the review of the GDPR principles should form the basis of the agreement between the two data controllers.

 

© Copyright The Scout Association 2019. All Rights Reserved.
Charity Numbers 306101 (England and Wales) and SC038437 (Scotland).
Registered address: The Scout Association, Gilwell Park, Chingford, London, England E4 7QW