In this section

Data protection compliance

As an authority, the Council will only appoint a processor that provides sufficient guarantees to implement appropriate technical and organisational measures to ensure their processing meets the requirements of Data Protection legislation.

To demonstrate this, your business will have set out the management support and direction for data protection compliance in a framework of policies and procedures. Your business monitors compliance with data protection policies and regularly reviews the effectiveness of data handling / processing activities and security controls. Your business has developed and implemented a needs based data protection training programme for all staff.

The Council will assess the appropriate level of security the processor has; it shall take account in particular of the risks that are presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

Doing business with the Council

To process data lawfully in line with Data Protection legislation, when doing business with the Council a written contract will be put in place which will be binding, and will set out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.

That contract shall stipulate, in particular, that the processor:

May only processes the personal data (including transfers to a third country) in the ways described in the written contract, or in ways they are legally required to, due to law. If the later, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

Must ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

The processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, amongst other things, as appropriate. This will take account of the context and purposes of processing as well as the risk to individuals rights to privacy. This will include, but not limited to:

The pseudonymisation and encryption of personal data;
The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

Compliance check list for Contractors

A check list can be found here

Information Commissioners Office

Information Commissioners Website

Helpline: 0303 123 1113

Need to contact us?

Our contact details can be found here

Feedback & Share

Was this page useful? *

Yes - this was useful
No - this wasn't useful