Data protection terms

1. The Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the Controller and Hackney Education is the Processor. Hackney Education is the education department of The London Borough of Hackney. 

2. The Parties acknowledge that the Terms and Conditions listed herewith relate to Personal Data collected and processed by Hackney Education in order to provide the Products and Services specified on the Services for Schools website (“Traded Services”).  

3. Hackney Education shall provide all reasonable assistance to the Customer in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Customer, include: 

3.1. a systematic description of the envisaged processing operations and the purpose of the processing; 

3.2. an assessment of the necessity and proportionality of the processing operations in relation to the Traded Services; 

3.3. an assessment of the risks to the rights and freedoms of Data Subjects; and 

3.4. the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 

4. Hackney Education shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: 

4.1 only process that Personal Data for the purpose for which it is collected (i.e. to provide the Traded Service), unless Hackney Education is required to do otherwise by Law. If it is so required Hackney Education shall promptly notify the Customer before processing the Personal Data unless prohibited by Law; 

4.2. ensure that it has in place Protective Measures, which have been reviewed and approved by the Customer as appropriate to protect against a Data Loss Event having taken account of the: 

4.2.1. nature of the data to be protected; 

4.2.2. harm that might result from a Data Loss Event; 

4.2.3. state of technological development; and 

4.2.4 cost of implementing any measures. 

4.3. ensure that: 

4.3.1. Hackney Education Personnel do not process Personal Data except in accordance with this Agreement; 

4.3.2. it takes all reasonable steps to ensure the reliability and integrity of any Hackney Education Personnel who have access to the Personal Data and ensure that they: are aware of and comply with Hackney Education’s duties under this clause and as a Public Authority; are subject to appropriate confidentiality undertakings with Hackney Education or any Sub-processor; are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Customer or as otherwise permitted by this Agreement; and have undergone adequate training in the use, care, protection and handling of Personal Data. 

4.4. not transfer Personal Data outside of the EU unless the prior written consent of the Customer has been obtained and the following conditions are fulfilled: 

4.4.1. the Customer or Hackney Education has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Customer; 

4.4.2. the Data Subject has enforceable rights and effective legal remedies; 

4.4.3. Hackney Education complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Customer in meeting its obligations); and 

4.4.4. Hackney Education complies with any reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; 

4.5. at the written direction of the Customer, delete or return Personal Data (and any copies of it) to the Customer on termination of the Agreement unless Hackney Education is required by Law to retain the Personal Data. 

5. Subject to clause 1.6, Hackney Education shall notify the Customer immediately if it: 

5.1. receives a Data Subject Access Request (or purported Data Subject Access Request); 

5.2. receives a request to rectify, block or erase any Personal Data; 

5.3. receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; 

5.4. receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement; 

5.5. receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or 

5.6. becomes aware of a Data Loss Event. 

6. Hackney Education’s obligation to notify under clause 1.5 shall include the provision of further information to the Customer in phases, as details become available. 

7. Taking into account the nature of the processing, Hackney Education shall provide the Customer with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under clause 1.5 (and insofar as possible within the timescales reasonably required by the Customer) including by promptly providing: 

7.1. the Customer with full details and copies of the complaint, communication or request; 

7.2. such assistance as is reasonably requested by the Customer to enable the Customer to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; 

7.3. the Customer, at its request, with any Personal Data it holds in relation to a Data Subject; 

7.4. assistance as requested by the Customer following any Data Loss Event; 

7.5. assistance as requested by the Customer with respect to any request from the Information Commissioner’s Office, or any consultation by the Customer with the Information Commissioner's Office. 

8. Hackney Education shall maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Contractor employs fewer than 250 staff, unless: 

8.1. the Customer determines that the processing is not occasional; 

8.2. the Customer determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; and 

8.3. the Customer determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. 

9. Hackney Education shall allow for audits of its Data Processing activity by the Customer or the Customer’s designated auditor. 

10. Hackney Education shall designate a data protection officer if required by the Data Protection Legislation. 

11. Before allowing any Sub-processor to process any Personal Data related to this Agreement, Hackney Education must:

11.1. notify the Customer in writing of the intended Sub-processor and processing; 

11.2. obtain the written consent of the Customer; 

11.3. enter into a written agreement with the Sub-processor which give effect to the terms set out in the Terms and Conditions such that they apply to the Sub-processor; and 

11.4. provide the Customer with such information regarding the Sub-processor as the Customer may reasonably require. 

12. Hackney Education shall remain fully liable for all acts or omissions of any Sub-processor. 

13. The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Customer may on not less than 30 Working Days’ notice to Hackney Education amend this agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office.