Accessibility statement

Data Protection Agreement for Placement Learning



The following definitions shall apply:

"Controller",   "Processor"  "Data Subject" and "Data Protection Officer"

shall have the meaning given to those terms in the applicable Data Protection Laws;

"Data Protection Laws"

means the GDPR, the Data Protection Act 2018, and any successor legislation;

"Data Processing Particulars"

means, in relation to any Processing under this Agreement:

(a) the subject matter and duration of the Processing;

(b) the nature and purpose of the Processing;

(c) the type of Personal Data being Processed; and

(d) the categories of Data Subjects;

as set out in Appendix 1.

"Data Subject Request"

means a request or notice from or on behalf of a Data Subject in relation to Personal Data;


means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and repealing Directive 95/46/EC (General Data Protection Regulation) OJ L 119/1, 4.5.2016;


means the UK Information Commissioner's Office, or any successor or replacement body from time to time;

"Personal Data"

means any personal data (as defined in the Data Protection Laws) Processed by either Party in connection with this Agreement, and for the purposes of this Agreement includes Sensitive Personal Data (as such Personal Data is more particularly described in Appendix 1 (Data Processing Particulars));

"Personal Data Breach"

has the meaning set out in the Data Protection Laws;


has the meaning set out in the Data Protection Laws (and "Process" and "Processed" shall be construed accordingly);

"Restricted Country"

means a country, territory or jurisdiction outside of the European Economic Area which the EU Commission has not deemed to provide adequate protection in accordance with Article 45(1) of the GDPR;

"Security Requirements"

means the requirements regarding the security of Personal Data, as set out in Article 32(1) of the GDPR (taking due account of the matters described in Article 32(2) of the GDPR);

"Sensitive Personal Data"

means Personal Data that reveals such special categories of data as are listed in Article 9(1) of the GDPR;


2.1             Nature of the Processing

2.1.1        Each Party agrees that the nature of the Processing under this Agreement will be as follows:

(a)             the Parties shall each Process the Personal Data; 

(b)             each Party shall act as a Controller in respect of the Processing of the Personal Data on its own behalf and in particular  each shall be a Controller of the Personal Data acting individually and in common, as follows:

(i)               The University shall be a Controller where it is Processing Personal Data in relation to the student’s progression

(ii)              the Host Organisation shall be a Controller where it is Processing Personal Data in relation to the employment of the student during a placement.

2.2             Data Controller Obligations

2.2.1        Each Party shall in relation to the Processing of the Personal Data comply with its respective obligations under the Data Protection Laws.

2.2.2        Without limiting the generality of the obligation set out in Paragraph 2.2.1, in particular, each Party shall:

(a)             where required to do so make due notification to the ICO;

(b)             ensure it is not subject to any prohibition or restriction which would:

(i)               prevent or restrict it from disclosing or transferring the Personal Data to the other Party as required under this Agreement;

(ii)              prevent or restrict it from granting the other Party access to the Personal Data as required under this Agreement; or

(iii)             prevent or restrict either Party from Processing the Personal Data, as envisaged under this Agreement;

(c)              ensure that all fair processing notices have been given (and/or, as applicable, consents obtained) and are sufficient in scope to enable each Party to Process the Personal Data as required in order to obtain the benefit of its rights and to fulfil its obligations under this Agreement in accordance with the Data Protection Laws;

(d)             ensure that appropriate technical and organisational security measures are in place sufficient to comply with at least the obligations imposed on the Controller by the Security Requirements and where requested provide to the other Party evidence of its compliance with such requirements promptly, and in any event within forty-eight (48) hours of the request;

(e)             notify the other Party promptly, and in any event within forty-eight (48) hours of receipt of any Data Subject Request or ICO correspondence which relates directly or indirectly to the Processing of Personal Data in connection with this Agreement and together with such notice, provide a copy of such Data Subject Request or ICO correspondence to the other Party and reasonable details of the circumstances giving rise to it. In addition, each Party shall provide the other Party with all reasonable co-operation and assistance required by the other Party in relation to any such Data Subject Request or ICO correspondence;

(f)               use reasonable endeavours to notify the other Party if it is obliged to make a disclosure of any of the Personal Data under any statutory requirement, such notification to be made in advance of such disclosure or immediately thereafter unless prohibited by law;

(g)             notify the other Party in writing without undue delay and, in any event, within twenty-four (24) hours of it becoming aware of any actual or suspected Personal Data Breach in relation to the Personal Data received from the other Party and shall, within such timescale to be agreed by the Parties (acting reasonably and in good faith):

(i)               implement any measures necessary to restore the security of compromised Personal Data; and

(ii)              support the other Party to make any required notifications to the ICO and affected Data Subjects;

(h)             take reasonable steps to ensure the reliability of any of its personnel who have access to the Personal Data;

(i)               not do anything which shall damage the reputation of the other Party or that Party's relationship with the Data Subjects;

(j)               not transfer any Personal Data it is processing to a Restricted Country; and

(k)              hold the information contained in the Personal Data confidentially.


3.1             Each Party agrees obtain and keep in full force and effect at all times a policy of insurance covering liability for damage arising to persons as a result of its failure to comply with the Data Protection Laws.


Appendix 1

Data Protection Particulars

The subject matter and duration of the Processing


The subject matter of the Processing is Personal Data current students registered at the University attending a placement with the Host Organisation. Each of the parties shall Process the personal data for the duration of this Agreement or as otherwise specified in the data protection provisions.

The nature and purpose of the Processing


The University as Data Controller:

The University will Process the Personal Data provided to it by the Host Organisation in relation to the assessment and recording of the students’ academic progress and academic achievements, together with the support of students’ training, health, and safety and welfare requirements.

The Host Organisation as Data Controller:

The Host Organisation will Process the Personal Data provided by the University in relation to its employment of the student during the placement.

The type of Personal Data being Processed


The type of Personal Data being Processed concerns the following categories:

  • Names and addresses
  • Other contact information
  • Academic qualifications
  • Immigration status
  • Medical data
  • Language test results where required

The categories of Data Subjects

The Personal Data concerns current students on University degree courses or recent graduates from the University.