This Joint Controller Agreement is made between Single Central Record Ltd, bearing company number, 10926999 and registered office address as Unit 5, The Courtyard, Old Court House Road, Bromborough, Wirral, United Kingdom, CH62 4UE (“the Company”) (“Party 1”) and NAME OF THE SCHOOL (“Party 2”), each a party together the parties.
- Party 1 provides a service as follows (“Service”) to Party 2 (the “Agreement”): Online Single Central Record and Pre-employment checks for the different types of staff (permanent teaching, permanent non teaching, casual staff, temporary, volunteers, agency, contractors, governors).
- The General Data Protection Regulation ((EU) 2016/679) (the “GDPR”) requires agreements between data controllers and their data processors to contain certain contractual terms. The GDPR also requires joint controllers to determine, in a transparent manner, their respective responsibilities for compliance with the obligations under the GDPR by means of an arrangement between them.
- The terms in this Joint Data Controller agreement (the “Joint Controller Agreement”) will govern the sharing and exchange of personal data to and from between Party 1 and Party 2 and the processing by either party of that personal data on the other’s behalf.
- Where (in respect of personal data) there is conflict between the terms of the Agreement and this Joint Controller Agreement, the terms of the latter take precedence (together, the “Agreements”)
The parties agree:
1. definitions and interpretation
The following definitions and rules of interpretation apply in this Joint Controller Agreement:
Data Protection Legislation: the GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications (EC Directive) Regulations 2003 and any amendments or replacements to them and all other applicable laws and regulations relating to the processing of personal data and privacy.
The Data Controller: a party to this Joint Controller Agreement who determines the purposes and means of the processing of personal data.
The Data Processor: a third party (other than the parties) to this Joint Controller Agreement processing personal data on the other party’s behalf.
Privacy Notice: means a statement provided at the point of data collection which advises the data subject the means by which the data controller will use, share and manage their data.
2. data protection legislation
Both parties will comply with all applicable requirements of the Data Protection Legislation. This clause is in addition to, and does not relieve, remove or replace, a party’s obligations under the Data Protection Legislation.
The parties acknowledge that for the purposes of the Data Protection Legislation and at various times throughout the term of the Agreements, they are joint data controllers, and each may process personal data on behalf of the other. Annex 1 sets out the scope and duration of processing by the parties, the types of personal data and the categories of data subject.
4. PURPOSES OF DATA PROCESSING
Personal data is shared, exchanged between, and processed by the parties to this Joint Controller Agreement in connection with, and for the purposes of, expediting the Service (the “Agreed Purposes”). ANNEX A describes the subject matter, duration, nature and purpose of processing and the Personal Data categories and Data Subject types in respect of which Party 1 may process to accomplish the Agreed Purposes.
5. SHARED PERSONAL DATA
For the purposes detailed above, the parties may share, exchange and process the categories of personal data outlined in Annex 1 (the “Shared Personal Data”).
6. DATA RETENTION AND DELETION
6.1 Party 2 shall undertake to retain, transfer, process and ultimately destroy the Shared Personal Data, in a manner which is compliant with their obligations under the Data Protection Legislation and the Agreements and the Privacy notices issued by the Company and also as required from time to time by the Company.
6.2 Party 2 shall not retain or process Shared Personal Data for longer than is necessary to carry out the Agreed Purposes.
6.3 Notwithstanding clause 6.2, Party 2 may continue to retain Shared Personal Data in accordance with any statutory or professional retention periods, provided that Party 2 shall inform Party 1 in writing if this is the case.
6.4 Party 2 shall ensure that at the request of Party 1, any Shared Personal Data is either deleted from its systems (so far as reasonably practical) or otherwise destroyed or returned to Party 1 in the following circumstances:
(i) on termination or expiry of this agreement for whatever reason;
(ii) on expiry of the Agreement;
(iii) once processing of the Shared Personal Data is no longer necessary for the purposes they were originally shared for.
7. COLLECTING SHARED PERSONAL DATA
7.1 Party 2 and Party 1 shall acquire any and all additional information necessary directly from the data subject and both parties shall acquire all such information in compliance with the Data Protection Legislation; and Party 1 shall be responsible for providing data subjects with a privacy notice as appropriate. Such privacy notices can be found at www.onlinescr.co.uk
7.2 Party 1 shall, in respect of Shared Personal Data, ensure that any privacy notices are clear and provide sufficient information to data subjects in order for them to understand what of their personal data the parties are sharing, the circumstances in which they will be shared, the purposes for the data sharing and either the identity of the party the Shared Personal Data are shared with or a description of the type of organisation that will receive the Shared Personal Data.
7.3 For the purposes set out above, each party shall ensure that it processes the Shared Personal Data only on the basis of one of the legal grounds set out in Article 6 paragraph 1 of the GDPR.
7.4 For the purposes set out above, each party shall ensure that it processes sensitive personal data only on the basis of one of the legal grounds set out in Article 9 paragraph 2 of the GDPR.
8.1 For the purposes of this clause, a subprocessor is any third party (such as GroupCall) to whom transfers of the Shared Personal Data is made by Party 2, and shall include, but is not limited to, the following:
(i) subcontracting the processing of Shared Personal Data to data processors located outside the EEA.
(ii) granting third parties located outside the EEA access rights to the Shared Personal Data.
8.2 Party 2 shall not appoint subprocessors nor share the Shared Personal Data with a subprocessor without the express written permission of Party 1.
8.3 Where express written permission has been granted further to clause 8.2, Party 2 shall not disclose or transfer Shared Personal Data outside the EEA without ensuring that adequate and equivalent protections will be afforded to the Shared Personal Data.
8.4 Party 2 shall separately manage the commercial and data management activities of any respective subprocessors (where appropriate), providing them with such personal information as the subprocessors may reasonably require in respect of the Agreed Purposes.
8.5 The instructions given by Party 2 to any respective subprocessors, shall at all times be in accordance with the Data Protection Legislation, and such arrangements shall be formalised within a written contract in order to protect the Shared Personal Data.
9. DATA SECURITY
9.1 Each party undertakes to implement the appropriate organisational and technological measures in such a manner that meets the requirements of applicable law, in particular the Data Protection Legislation, in order to protect the Shared Personal Data in their possession against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure, and to ensure the protection of the rights of the data subjects.
9.2 Each Party must implement such measures to ensure a level of security appropriate to the risk involved, including as appropriate:
(i) the pseudonymisation and encryption of personal data;
(ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(iii) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
(iv) a process for regularly testing, assessing and evaluating the effectiveness of security measures.
9.3 Shared Personal Data shared or transferred between the parties shall be limited to the Shared Personal Data set out above, and the party collecting such data will ensure that the data collected is accurate. If either party becomes aware of any inaccuracies in the Personal data, it shall promptly notify the other party.
10. DATA BREACHES
10.1 The parties are under a strict obligation to notify any potential or actual losses of the Shared Personal Data to the other party as soon as reasonably practical and, in any event, within 1 Business Day of identification of any potential or actual loss to enable the parties to consider what action is required in order to resolve the issue in accordance with the Data Protection Legislation.
10.2 Clause 10.1 also applies to any breaches of security which may compromise the security of the Shared Personal Data.
10.3 The parties agree to provide reasonable assistance as is necessary to each other in order to facilitate the handling of any data security breach in an expeditious and compliant manner including:
(i) assisting with any investigation;
(ii) providing the other party with physical access to any facilities and operations affected;
(iii) facilitating interviews with the affected party’s employees, former employees (where reasonably practical) and others involved in the matter;
(iv) making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required; and
(v) taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach or unlawful Personal Data processing.
10.4 Party 1 agrees that Party 2 has the sole right to determine whether to provide notice of the Personal Data Breach to any Data Subjects, supervisory authorities, regulators, law enforcement agencies or others, as required by law or regulation or in the Customer’s discretion, including the contents and delivery method of the notice. Party 2 shall indemnify Party 1 on demand in the event of any cost claim or liability arising from Party 2’s decision under this clause 10.4.
10.5 In the event of a dispute or claim brought by a data subject or the relevant data protection authority concerning the processing of Shared Personal Data against either or both parties, the parties will inform each other about any such disputes or claims, and will cooperate with a view to settling them amicably in a timely fashion. Party 1 reserves its right, in its sole discretion, to have control over any such proceedings.
11. RIGHTS OF DATA SUBJECTS
11.1 Data subjects have the right to obtain certain information about the processing of their Shared Personal Data through a subject access request. Data subjects may also request rectification, erasure or blocking of their personal data.
11.2 The parties shall maintain a record of subject access requests, the decisions made and any information that was exchanged. Records must include copies of the request for information, details of the data accessed and shared and where relevant, notes of any meetings, correspondence or phone calls relating to the request.
11.3 The parties agree that the responsibility for complying with a subject access request falls to `the party receiving the subject access request in respect of the Shared Personal Data held by that party. The parties agree and warrant that where it is responsible under this Joint Controller Agreement for responding to a subject access request, it will do so within one month from the date of receipt of the subject access request, and in all other respects in accordance with Data Protection Legislation.
11.4 The parties agree to provide reasonable and prompt assistance (within 5 Business Days of such a request for assistance) as is necessary to each other to enable them to comply with Subject Access Requests and to respond to any other queries or complaints from data subjects.
12. WARRANTIES AND INDEMNITIES
12.1 Party 2 warrants and undertakes that it will:
(i) Process the Shared Personal Data in compliance with the Data Protection Legislation and all other applicable laws, enactments, regulations, orders, standards and other similar instruments that apply to its personal data processing operations.
(ii) Make available upon request to the data subjects who are third party beneficiaries a copy of this Joint Controller Agreement.
(iii) Where applicable, maintain registration with all relevant data protection authorities to process all Shared Personal Data for the agreed purpose.
(iv) Take all appropriate steps to ensure compliance with this Joint Controller Agreement and the Data Protection Legislation.
12.2 Party 2 shall indemnify Party 1 against all costs, expense (including legal expenses), damages, loss (including loss of business or loss of profits), liabilities, demands, claims, actions or proceedings which Party 1 may incur arising out of any breach of this Joint Controller Agreement howsoever arising for which the Data Protection Commissioner may be liable.
13. DATA PROCESSING TERMS
13.1 When this clause applies. This clause 13 applies and takes precedence where either party to this Joint Controller Agreement processes personal data on behalf of the other party to this Joint Controller Agreement. The party processing personal data on behalf of the other Joint Controller will be known as the Data Processor for the purpose of this clause 13. The party processing on whose behalf the data processor processes personal data will be known as the Data Controller for the purpose of this clause 13.
13.2 The Data Processor’s Responsibilities. The Data Processor shall, in relation to any personal data processed in connection with the performance by the Data Processor of its obligations under this Joint Controller Agreement:
(i) process that personal data only on the written instructions of the Data Controller, unless the Data Processor is otherwise required to do so by the laws of any member of the European Union or by the laws of the European Union that apply to the Data Processor (“Applicable Laws”). Where the Data Processor is required by Applicable Laws to process personal data, the Data Processor shall promptly notify the Data Controller of this before performing the processing required by the Applicable Laws unless those Applicable Laws prevent the Data Processor from notifying the Data Controller;
(ii) ensure that it has appropriate technical and organisational measures in place in order to protect against any unauthorised or unlawful processing of personal data, accidental loss or destruction of personal data, and damage being caused to personal data. These measures shall be appropriate to (a) the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage of the personal data, and (b) the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting personal data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to personal data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it);
(iii) not transfer any personal data outside of the European Economic Area unless the prior written consent of the Data Controller has been obtained and the following conditions are fulfilled: (i) the Data Processor and Data Controller has provided appropriate safeguards in relation to the transfer; (ii) the data subject has enforceable rights and effective legal remedies; (iii) the Data Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any personal data that is transferred; and (iv) the Data Processor complies with reasonable instructions notified to it in advance by the Data Controller with respect to the processing of the personal data;
(iv) ensure only personnel required for the purposes of carrying out the Agreement have access to personal data, and that all personnel who have access to and/or process personal data are obliged to keep the personal data confidential;
(v) if the Data Controller is unable to access the relevant information, to assist the Data Controller, and in any event, at the Data Controller’s cost, promptly provide reasonable assistance in responding to any request from a supervising authority or a data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
(vi) notify the Data Controller without undue delay on becoming aware of a personal data breach;
(vii) in accordance with the Data Processor’s standard policies for backup as provided to the Data Controller from time to time, delete, or return (at the Data Controller’s cost) in a format determined by the Data Processor, personal data and copies thereof, on termination of the Agreement, unless required by any Applicable Laws to continue to store the personal data; and
(viii) maintain complete and accurate records and information to demonstrate its compliance with this clause and allow for audits to be carried out by the Data Controller, or the Data Controller’s designated auditor, only so far as is necessary in order to demonstrate compliance, provided that the Data Controller (a) provides the Data Processor with no less than 30 days’ notice of such audit or inspection; (b) refunds the Data Processor for all reasonable costs and expenses that it incurs as a result of any such audit or inspection; and (c) both parties agree the scope, duration and purpose of such audit or inspection. If the Data Controller becomes privy to any confidential information of the Data Processor as a result of this clause, the Data Controller shall hold such confidential information in confidence and, unless required by law, not make the confidential information available to any third party, or use the confidential information for any other purpose. The Data Controller acknowledges that the Data Processor shall only be required to use reasonable endeavours to assist the Data Controller in procuring access to any third party assets, records or information as part of any audit.
13.3 The Data Controller’s Responsibilities. The Data Controller:
(i) will ensure, and warrants that, it has all necessary and appropriate consents and notices in place to ensure that it can lawfully transfer the personal data to the Data Processor, for the duration and purposes of the Agreements;
(ii) shall, unless otherwise provided for in the Agreements, be solely responsible for the legality, security, confidentiality, integrity, availability, accuracy and quality of any data it transfers and processes;
(iii) shall provide the Data Processor with a detailed description of the data processing activities, including the personal data concerned, as set out in Annex 1, and warrants that such description will be accurate, complete, and sufficient to satisfy the Data Protection Legislation;
(iv) is solely responsible for responding to any request from a data subject and in ensuring its own compliance with its obligations under Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators.
14. GOVERNING LAW
This Joint Controller Agreement and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by and construed in accordance with the law of England and Wales.
Each party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with this Joint Controller Agreement or its subject matter or formation.
ANNEX 1 – SCOPE AND DURATION OF PROCESSING, TYPES OF PERSONAL DATA AND TYPES OF DATA SUBJECTS
SCOPE AND DURATION OF PROCESSING
Party 1 will process the personal data for the completion of the work under the Agreement.
TYPES OF PERSONAL DATA – this list is non-exhaustive and is indicative of the personal data which PARTY 1 will process
- Applicant data:- date of birth, title, forename, any middle names, surname, any previous names/surnames, gender, place of birth (town), birth county, birth nationality, email address, home landline number, mobile number, mothers’ maiden name, national insurance number, passport details, driving licence details, 5 years address history, position applied for, teacher reference number.
CATEGORIES OF DATA SUBJECT – this list is non-exhaustive and is indicative of the personal data which PARTY 2 will process
- Job applicants.
- Agencies and Contractors.