BRITISH COUNCIL DATA PROTECTION CODE FOR PARTNERS AND SUPPLIERS

Similar documents
AlixPartners, LLP. General Data Protection Statement

Data Protection Consent Clause and Policy Background

Policy and Procedure for approving, monitoring and reviewing personal data processing agreements

DATA PROTECTION POLICY

Article 29 Working Party Issues Opinion on Cloud Computing

Data Protection Policy June 2014

DATA PROTECTION POLICY

technical factsheet 176

singapore american school

Data Protection Policy

How To Understand The Data Protection Act

The Manitowoc Company, Inc.

Information Sharing Policy

Clause 1. Definitions and Interpretation

Data protection compliance checklist

Information Governance Framework. June 2015

DATA AND PAYMENT SECURITY PART 1

Data Protection Policy

Corporate ICT & Data Management. Data Protection Policy

Third Party Security Requirements Policy

(a) the kind of data and the harm that could result if any of those things should occur;

Merthyr Tydfil County Borough Council. Data Protection Policy

Data Protection Policy

Recommendations for companies planning to use Cloud computing services

Data controllers and data processors: what the difference is and what the governance implications are

Appendix 11 - Swiss Data Protection Act

Data Processing Agreement for Oracle Cloud Services

Freedom of information guidance Exemptions guidance Section 41 Information provided in confidence

CCBE RESPONSE REGARDING THE EUROPEAN COMMISSION PUBLIC CONSULTATION ON CLOUD COMPUTING

Align Technology. Data Protection Binding Corporate Rules Controller Policy Align Technology, Inc. All rights reserved.

ROEHAMPTON UNIVERSITY DATA PROTECTION POLICY

Data Protection in Ireland

The potential legal consequences of a personal data breach

GUIDE TO THE ISLE OF MAN DATA PROTECTION ACT. CONTENTS PREFACE 1 1. Background 2 2. Data Protections Principles 3 3. Notification Requirements 4

John Leggott College. Data Protection Policy. Introduction

DATA PROTECTION CORPORATE POLICY

Rick Parsons Information Governance Officer County Hall

Privacy and Electronic Communications Regulations

Data Protection Act. Conducting privacy impact assessments code of practice

DATA PROTECTION POLICY

GSK Public policy positions

Information Security Risks when going cloud. How to deal with data security: an EU perspective.

Scottish Rowing Data Protection Policy

Office 365 Data Processing Agreement with Model Clauses

Standard conditions of purchase

The Anti-Corruption Compliance Platform

Data Protection and Privacy Policy

Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries

Last updated: 30 May Credit Suisse Privacy Policy

DATA PROTECTION POLICY

Cloud Software Services for Schools

UNILEVER PRIVACY PRINCIPLES UNILEVER PRIVACY POLICY

DATA PROTECTION POLICY. Examples of personal data which TWM may require from clients include the following and for the reasons ascribed to each;

CORK INSTITUTE OF TECHNOLOGY

ACCESS TO MEDICAL RECORDS. By Felicia Jolaoye Blavo & Co Solicitors Ltd.

Cloud Software Services for Schools

The HR Skinny: Effectively managing international employee data flows

ANGUS COUNCIL SUPPLEMENTARY CONDITIONS OF CONTRACT. SC 01 - Contract Performance Guarantee Insurance

Data Security and Extranet

UNIVERSITY OF SOUTHAMPTON DATA PROTECTION POLICY

ATMD Bird & Bird. Singapore Personal Data Protection Policy

ASPEN AUSTRALIA BRANCH PRIVACY POLICY

Johnson Controls Privacy Notice

Data Protection Act Guidance on the use of cloud computing

Personal information, for purposes of this Policy, includes any information which relates to an identified or an identifiable person.

Personal data and cloud computing, the cloud now has a standard. by Luca Bolognini

Privacy Policy MacID. Document last updated Sunday, 28 December 2014 Property of Kane Cheshire

Information Governance Policy

Software Support and Maintenance Terms

Caedmon College Whitby

The supplier shall have appropriate policies and procedures in place to ensure compliance with

Corporate Information Security Policy

Decision 131/2008 Mr N and East Ayrshire Council. Tender Documents. Reference No: Decision Date: 7 October 2008

This Amendment consists of two parts. This is part 1 of 2 and must be accompanied by and signed with part 2 of 2 (Annex 1) to be valid.

3. Consent for the Collection, Use or Disclosure of Personal Information

Data Protection for the Guidance Counsellor. Issues To Plan For

TERMS & CONDITIONS of SERVICE for MSKnote. Refers to MSKnote Limited. Refers to you or your organisation

<Choose> Addendum Windows Azure Data Processing Agreement Amendment ID M129

Data Protection. Processing and Transfer of Personal Data in Kvaerner. Binding Corporate Rules Public Document

Data protection issues on an EU outsourcing

You may purchase additional Services from us, which will also, once we have accepted an order, be subject to this Agreement.

MENTAL HEALTH TRIBUNAL FOR SCOTLAND: RECORDS MANAGEMENT POLICY. Ensuring Information is Accurate and Fit for Purpose

Information Integrity & Data Management

Data Protection Breach Management Policy

Public Health England, an executive agency of the Department of Health ("We") are committed to protecting and respecting your privacy.

Transcription:

BRITISH COUNCIL DATA PROTECTION CODE FOR PARTNERS AND SUPPLIERS Mat Wright www.britishcouncil.org

CONTENTS Purpose of the code 1 Scope of the code 1 The British Council s data protection commitment and expectations 2 DATA SHARING 3 DATA PROCESSING 3 Acting on the code 4 Appendix 1: EXAMPLE QUESTIONS AND REQUIREMENTS FOR PROSPECTIVE SUPPLIERS 5 Appendix 2: USEFUL SOURCES 6 BRITISH COUNCIL DATA PROTECTION CODE FOR PARTNERS AND SUPPLIERS

Purpose of the code Scope of the code The British Council takes data protection seriously. This code sets out our commitment to protecting personal data when working with partners and suppliers. It does not constitute a contract between the British Council and its partners. This code applies where personal data is exchanged between the British Council and: Suppliers of goods and services. Project partners. It covers data sharing arrangements where the British Council and its partners exercise joint control over the data, as well as data processing arrangements in which one side processes data on the instructions of the other. Personal data means any information relating to an identifiable living person, i.e. the information is obviously about that person or is capable of being used to learn, record or decide something about them. It does not have to be confidential or private and could relate to anyone, including employees, students, project participants and members of target audiences. BRITISH COUNCIL DATA PROTECTION CODE FOR PARTNERS AND SUPPLIERS 1

The British Council s data protection commitment and expectations The British Council s global policy is to work to the data protection principles in the UK Data Protection Act 1998, unless more stringent local law applies. These principles represent the minimum international standard the British Council operates to in the absence of more stringent local regulation. The British Council expects its delivery partners and suppliers to work to the same minimum standards. This means that in any data sharing or data processing arrangement with the British Council, the personal data will: Be obtained and used in ways that are fair to the individual the British Council and its partners or suppliers will be transparent over what they do with the data and who they disclose it to; will only use it in ways the individual might reasonably expect and do nothing that would have an unjustifiably adverse effect on the individual. Be obtained and used only for specified and legitimate purposes the British Council and its partners or suppliers will be clear about their reasons for using the data and do nothing incompatible with those purposes. Be protected from unauthorised use and disclosure or against accidental loss, destruction and damage the British Council and its partners or suppliers will take appropriate measures to guard personal data against such risks, and where appropriate provide evidence of compliance with ISO/IEC 27001. Not be transferred to other countries unless there is adequate protection for the rights of individuals in relation to their personal data the British Council and its partners or suppliers will ensure adequate protection exists before making such transfers. The British Council recognises that it will be necessary to depart from or limit these principles in situations corresponding to the exemptions in the UK Data Protection Act 1998. For example, in order to comply with local law or official functions; to meet existing obligations on disclosure and confidentiality; to facilitate legal proceedings and negotiations; to prevent crime and to enable special purposes such as research and journalism. Be maintained to appropriate quality and retention standards the British Council and its partners or suppliers will ensure the data is relevant, adequate and accurate for its purpose and retained for no longer than is necessary. Be handled in line with the individual s rights, primarily to access their data the British Council and its partners or suppliers will aim to disclose personal data on request provided it does not compromise the privacy of others. BRITISH COUNCIL DATA PROTECTION CODE FOR PARTNERS AND SUPPLIERS 2

Data sharing DATA PROCESSING Where the British Council and a partner have a data sharing arrangement, i.e. they both exercise control over a set of personal data, they will (unless agreed otherwise): Only collect and use the personal data for the purposes that have been agreed or are clearly implied by the circumstances. Not transfer or disclose the personal data to third parties without the consent of the other unless it has already been agreed or is clearly implied by the circumstances. Not transfer the personal data to other countries without first notifying the other unless the transfer has already been agreed or is clearly implied by the circumstances. In addition to the data sharing commitments, where the British Council and a supplier have a data processing arrangement, i.e. the supplier processes the data on behalf, or on the instructions, of the British Council, they will: Ensure the processing is carried out under a written contract in which the supplier processes the data on the instructions of the British Council. Ensure the contract requires the processor takes appropriate measures to protect the data from unauthorised or unlawful processing and from accidental loss, damage or destruction. Use, where appropriate, EU model clauses to protect personal data being transferred to countries outside the European Economic Area. Promptly notify each other of any complaints or access requests in respect of the personal data and assist in resolving them. Co-operate in meeting the standards contained in this code including, where appropriate, being audited on compliance procedures. BRITISH COUNCIL DATA PROTECTION CODE FOR PARTNERS AND SUPPLIERS 3

ACTING ON THE CODE Adherence to this code should be proportionate to the circumstances. The level of protection will depend on the expectations of the data subjects, the sensitivity of the data and the likely consequences of its loss or misuse. The British Council use this code during procurement to make its commitment to data protection clear and to seek suppliers and partners who demonstrate a similar commitment. Example questions the British Council may ask at procurement are included in the appendix. This code is for guidance only and does not constitute a contract. BRITISH COUNCIL DATA PROTECTION CODE FOR PARTNERS AND SUPPLIERS 4

Appendix 1: EXAMPLE QUESTIONS AND REQUIREMENTS FOR PROSPECTIVE SUPPLIERS These examples are for illustration only and are not necessarily the ones that will be used in an actual supply situation. Pre-qualification questionnaire: 1. Is the supplier registered with [insert name of national data protection regulator]? If so, please give the name in which the supplier is registered. 2. Has the supplier or any of its subcontractors been subject to an investigation or any finding, decision, notice or undertaking by any court or [insert name of national data protection regulator]? If so, please give details. 3. Will the supplier use subcontractors? If so, please identify all subcontractors, their functions and geographic locations. 4. Will the supplier or any subcontractors be transferring the data outside [insert name of country]? If so, please give details. Invitation to tender: 1. What organisational and technical measures does the supplier (and subcontractor) have in place to guard against the unlawful or unauthorised processing of the data and to protect it from accidental loss, damage or destruction? In practice this might be broken down into further questions depending on the scenario, for example access control, encryption of data, secure transmissions, data deletion, staff access and training. 2. Please confirm where the data, including any backups, will be hosted. 3. Is the supplier (and subcontractor) certified against ISO/IEC 27001? If so, please provide a copy of certification. 4. Is the supplier (and subcontractor) a member of [insert name of voluntary data protection scheme, e.g. US Safe Harbor]? BRITISH COUNCIL DATA PROTECTION CODE FOR PARTNERS AND SUPPLIERS 5

Appendix 2: USEFUL SOURCES UK Information Commissioner www.ico.gov.uk ISO/IEC 27001 (information security standard) http://en.wikipedia.org/wiki/iso/iec_27001 British Council 2012 / C650 The British Council is the United Kingdom s international organisation for cultural relations and educational opportunities. BRITISH COUNCIL DATA PROTECTION CODE FOR PARTNERS AND SUPPLIERS 6

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information