advice in relation to external service providers (PDF 44 KB)

THE UNIVERSITY OF DUBLIN
Trinity College
DATA PROTECTION ACTS
EXTERNAL SUPPLIERS OF SERVICES
Data Protection advice note No. 1
Purpose
This is to advise staff regarding the Data Protection implications for the handling of personal
data by external suppliers of services to the College.
Background
In the course of its activities Trinity College handles the personal data of individuals. The
Data Protection Act 1988 and the Data Protection (Amendment) Act 2003 govern the
processing of all personal data. The purpose of these Acts is to safeguard the privacy rights
of living individuals regarding the processing of their personal data by those who control
such data. In particular, it provides for the collection and use of data in a responsible way,
while providing against unwanted or harmful uses of data.
Contracts for services
There are times when, rather than discharge a service itself, the College may wish to
‘outsource’ the supply of a service to an external supplier. If the service involves the
processing of personal data on behalf of the College then there must be a written contract
between the College, known in this context as a ‘Data Controller’, and the supplier of the
service. As a general rule it is wise to provide for Data Protection obligations when
contracting with suppliers of services even where the handling of personal data is not
immediately the subject of the service. If there is no provision for Data Protection
compliance an additional agreement will have to be entered into wherever necessary. Data
Protection is relevant anytime where service providers would have access to the personal data
of individual students, residents or staff, which could occur, for example, in the context of
external information systems software development.
Definitions of Data Protection terms
• Data means information in a form that can be processed. It includes both automated
data and manual data.
Automated data means any information on computer, or information recorded with the
intention that it be processed by computer.
Manual data means information that is recorded as part of a relevant filing system or with
the intention that it form part of a system.
Relevant filing system means any set of information that, while not computerised, is
structured by reference to individuals, or by reference to criteria relating to individuals, so
that specific information relating to a particular individual is readily accessible.
• Personal data means data relating to a living individual who is or can be identified either
from the data or from the data in conjunction with other information that is in, or is likely
to come into, the possession of the College.
• Data controller is a body that processes information about living people. The Data
controller must be in a position to control the contents and use of a personal data file.
• Data processor is a body that processes personal data on behalf of a Data controller.
• Processing means performing any operation or set of operations on data, including:
- obtaining, recording or keeping the data;
- collecting, recording, organising, storing, altering or adapting the data;
- retrieving, consulting or using the data;
- disclosing the data by transmitting, disseminating or otherwise making it available; or
- aligning, combining, blocking, erasing or destroying the data.

Data Protection advice note No. 1
What to include in a contract
The Office of the Data Protection Commissioner advises that this contract ‘should stipulate at
least the following:
• the conditions under which data may be processed;
• the minimum security measures that the data processors must have in place;
• some mechanism or provision that will enable the data controller to ensure that the data
processor is compliant with the security requirement. (This might include a right of
inspection or independent audit.)’
The following is an example of a general Data Protection undertaking in the agreed terms of
business with a supplier.
Where [name of the supplier] (hereafter: the supplier) provides [name of school or
department etc.], Trinity College, Dublin (hereafter: the department) with services, the
department authorises the supplier to process personal data on behalf of the department
(hereafter: the data) in accordance with the Irish Data Protection legislation and other
similar legal requirements for the time being in force (hereafter: the relevant legislation).
The supplier shall act only on the instructions of the department, and shall comply at all
times with the relevant legislation whether as to the security of personal data or
otherwise. The supplier shall take any and all measures which are appropriate and/or
necessary to protect against
(a) unauthorised and/or unlawful processing of the data,
(b) damage to or loss or destruction of the data, and/or
(c) any other breach of the relevant legislation.
The supplier shall answer the reasonable enquiries of the department to enable the
department to monitor the supplier's compliance with this clause and the supplier shall
not sub-contract or otherwise outsource their processing of personal data without the
prior consent in writing of the department.
More particular requirements may be required depending on the nature of the personal data.
For example, if lists of students’ names and addresses were processed externally then it
would be worthwhile to ensure that such lists were kept securely, not copied or extracts
taken, used only for the purpose intended and returned following completion of the contract.
Information on data protection obligations is available from the Office of the Data Protection
Commissioner and copies of relevant booklets published by the Commissioner are also
available from the College Information Compliance Officer. Service providers should be
given this information.
Relevant extracts from the Data Protection Acts 1988 and 2003
Section 2C(3):
(3) Where processing of personal data is carried out by a data processor on behalf of a data
controller, the data controller shall—
(a) ensure that the processing is carried out in pursuance of a contract in writing or
in another equivalent form between the data controller and the data processor and
that the contract provides that the data processor carries out the processing only on
and subject to the instructions of the data controller and that the data processor
complies with obligations equivalent to those imposed on the data controller by
section 2(1)(d) of this Act,
(b) ensure that the data processor provides sufficient guarantees in respect of the
technical security measures, and organisational measures, governing the processing,
and
(c) take reasonable steps to ensure compliance with those measures.

Data Protection advice note No. 1
Section 2(1)(d):
2.-(1) A data controller shall, as respects personal data kept by him or her, comply with the
following provisions:
…
(d) appropriate security measures shall be taken against unauthorised access to, or
unauthorised alteration, disclosure or destruction of, the data, in particular where the
processing involves the transmission of data over a network, and against all other
unlawful forms of processing.
Other responsibilities of external Data Processors
The Data Processors are responsible for registering themselves with the Data Protection
Commissioner, where necessary, and for complying with the terms of the legislation.
Freedom of Information and external suppliers
All those who hold or held contracts for services are covered by the Freedom of Information
Acts 1997 and 2003 insofar as their records relate to the services provided. Please see the
Freedom of Information Advice Note No.4 Contracts for Services which is available at the
College’s Freedom of Information website, www.tcde.ie/foi/.
Procurement procedures
College procurement procedures are set out at www.tcd.ie/Treasurers_Office/procure1.htm.
Further information is available from the Procurement Officer.
Disclaimer
The foregoing information does not purport to be a legal interpretation of the Data
Protection Acts.
College’s Data Protection website
The College Data Protection website, http://www.tcd.ie/dataprotection/, includes advice
notes and other resources on Data Protection matters, including a link to the website of the
Data Protection Commissioner.
Contact information
The Information Compliance Officer may be contacted
by post to
by E-mail to
by FAX to
The Secretary’s Office,
West Theatre,
Trinity College,
Dublin 2;
tturpin@tcd.ie;
(01) 6710037 or
by telephone to (01) 896 2154.
T. Turpin
Information Compliance Officer July, 2005
Ref: DPAdviceNo1-ContractsForServices(a)