Data Protection Agreement for Placement Learning and Internships

 

1. DEFINITIONS

The following definitions shall apply:

"Controller", "Processor", "Data Subject" and "Data Protection Officer"

shall have the meaning given to those terms in the applicable Data Protection Laws;

"Data Protection Laws"

means all applicable data protection and privacy legislation in force from time to time in the UK including the UK GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003, and any successor legislation;

"Data Processing Particulars"

means, in relation to any Processing under this Agreement:

(a) the subject matter and duration of the Processing;

(b) the nature and purpose of the Processing;

(c) the type of Personal Data being Processed; and

(d) the categories of Data Subjects;

as set out in Appendix 1.

"Data Subject Request"

means a request or notice from or on behalf of a Data Subject in relation to Personal Data;

"ICO"

means the UK Information Commissioner's Office, or any successor or replacement body from time to time;

"Personal Data"

means any personal data (as defined in the Data Protection Laws) Processed by either Party in connection with this Agreement (as such Personal Data is more particularly described in Appendix 1 (Data Processing Particulars));

"Personal Data Breach"

has the meaning set out in the Data Protection Laws;

"Processing"

has the meaning set out in the Data Protection Laws (and "Process" and "Processed" shall be construed accordingly);

"Restricted Country"

means a country, territory or jurisdiction outside of the European Economic Area which the UK Government has not deemed to provide adequate protection in accordance with Article 45(1) of the UK GDPR;

“Shared Personal Data”

means the Personal Data to be shared between the parties;

"UK GDPR"

has the meaning given in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018;

2. DATA PROTECTION

2.1             Nature of the Processing

2.1.1        This Agreement sets out the framework for the sharing of Personal Data when one Controller (the “Data Discloser”) discloses Personal Data to another Controller (the “Data Receiver”).

2.1.2        Each Party agrees that the nature of the Processing under this Agreement will be as follows:

(a)             the Parties shall each Process the Personal Data; 

(b)             each Party shall act as a Controller in respect of the Processing of the Personal Data on its own behalf and in particular each shall be a Controller of the Personal Data acting individually and in common, as follows:

(i)               the University shall be a Controller where it is Processing Personal Data in relation to the student’s progression; and

(ii)              the Host Organisation shall be a Controller where it is Processing Personal Data in relation to the employment of the student during a placement or internship.

2.2             Data Handling Obligations

2.2.1        Each Party shall in relation to the Processing of the Personal Data comply with its respective obligations under the Data Protection Laws.

2.2.2        Without limiting the generality of the obligation set out in Paragraph 2.2.1, in particular, each Party shall:

(a)             where required to do so make due notification to the ICO;

(b)             ensure it is not subject to any prohibition or restriction which would:

(i)               prevent or restrict it from disclosing or transferring the Personal Data to the other Party as required under this Agreement;

(ii)              prevent or restrict it from granting the other Party access to the Personal Data as required under this Agreement; or

(iii)             prevent or restrict either Party from Processing the Personal Data, as envisaged under this Agreement;

(c)              ensure that it processes the Shared Personal Data fairly and lawfully. Each party shall ensure that all fair processing notices have been given (and/or, as applicable, consents obtained) and are sufficient in scope to enable each Party to Process the Personal Data as required in order to obtain the benefit of its rights and to fulfil its obligations under this Agreement in accordance with the Data Protection Laws;

(d)             ensure that appropriate technical and organisational security measures are in place to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it). Where requested, the Provider shall provide to the other Party evidence of its compliance with such requirements promptly, and in any event within forty-eight (48) hours of the request;

(e)             on receipt of a request from a Data Subject for Shared Personal Data, the Party in receipt shall contact the other party or parties to this Agreement to notify them of receipt of such a request. The Party who receives the request shall have overall responsibility for responding to the request unless more than one party receives an identical or similar request from the same Data Subject. In those circumstances, the Parties shall promptly discuss and implement the most effective way of discharging their responsibilities under the Data Protection Legislation to the Data Subject who has made the request(s). The Parties each agree to provide such assistance as is reasonably required to enable the other party to comply with Subject Rights Requests within the time limits imposed by the Data Protection Legislation;

(f)               use reasonable endeavours to notify the other Party if it is obliged to make a disclosure of any of the Personal Data under any statutory requirement, such notification to be made in advance of such disclosure or immediately thereafter unless prohibited by law;

(g)             notify the other Party in writing without undue delay and, in any event, within twenty-four (24) hours of it becoming aware of any actual or suspected Personal Data Breach in relation to the Personal Data received from the other Party and shall, within such timescale to be agreed by the Parties (acting reasonably and in good faith):

(i)               implement any measures necessary to restore the security of compromised Personal Data; and

(ii)              support the other Party to make any required notifications to the ICO and affected Data Subjects;

(h)             take reasonable steps to ensure the reliability of any of its personnel who have access to the Personal Data;

(i)               not do anything which shall damage the reputation of the other Party or that Party's relationship with the Data Subjects;

(j)               not transfer any Shared Personal Data to a Restricted Country unless it complies with the provisions of Article 26 of the UK GDPR (in the event the third party is a Joint Controller) and ensures that (i) the transfer is to a country approved under the Data Protection Legislation as providing adequate protection; (ii) there are appropriate safeguards or binding corporate rules in place pursuant to the Data Protection Legislation; or (iii) the transferor otherwise complies with its obligations under the applicable Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; or one of the derogations for specific situations in the Data Protection Legislation applies to the transfer;

(k)              hold the information contained in the Personal Data confidentially and ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; and

(l)               at the written request of the Data Discloser, the Data Receiver shall delete or return Personal Data and copies thereof to the Controller on termination of the relevant Placement or Internship Agreement unless required by Data Protection Laws to store the Personal Data.

2.2.3        If the Data Receiver appoints a third party Processor to process the Shared Personal Data it shall comply with Article 28 of the UK GDPR and shall remain liable to the Data Discloser for the acts and omissions of the Processor.

3. INSURANCE

3.1             Each Party agrees to obtain and keep in full force and effect at all times a policy of insurance covering liability for damage arising to persons as a result of its failure to comply with the Data Protection Laws.

 

Appendix 1

Data Protection Particulars

The subject matter and duration of the Processing

 

The subject matter of the Processing is Personal Data of current students registered at the University attending a placement or internship with the Host Organisation. Each of the parties shall Process the personal data for the duration of the applicable Placement or Internship Agreement or as otherwise specified in the data protection provisions.

The nature and purpose of the Processing

 

The University will Process the Personal Data provided to it by the Host Organisation in relation to the assessment and recording of the students’ academic progress and academic achievements, together with the support of students’ training, health, and safety and welfare requirements.

The Host Organisation will Process the Personal Data provided by the University in relation to its employment of the student during the placement or internship.

The type of Personal Data being Processed

 

The type of Personal Data being Processed concerns the following categories:

  • Names and addresses
  • Other contact information
  • Academic qualifications
  • Immigration status
  • Language test results where required

The categories of Data Subjects

The Personal Data concerns current students on University degree courses or recent graduates from the University.