Data protection policy
Council use of data processors
These are external people/organisations who process personal data on our behalf to our order.
Officers must ensure that any processor we use:
- has provided sufficient guarantees of having implemented appropriate technical and organisational measures to satisfy us that personal data will be safe.
- do not engage another processor without our written authorisation.
In addition, any processing must be governed by a contract that is binding on the processor. It should set out the subject-matter and duration of the processing, the nature and purpose of the processing and the type of personal data and categories of individuals.
The contract must set out that:
- the processor will only process the personal data on documented instructions from us
- any person or organisation authorised to process personal data have committed
- themselves to confidentiality
- that the processor puts in to place appropriate security measures
- assists us in complying with our obligations about requests by people to access their data
- assist us in complying with our security obligations, notifications to the ICO and to affected individuals and privacy impact assessments
- the processor deletes or returns all personal data to us after the end of the provision of the processing services
- the processor makes available to us all information necessary to demonstrate compliance with the above and to allow for and contribute to audits, including inspections etc.