Council use of data processors

These are external people/organisations who process personal data on our behalf to our order.

Officers must ensure that any processor we use:

  1. has provided sufficient guarantees of having implemented appropriate technical and organisational measures to satisfy us that personal data will be safe.
  2. does not engage another processor without our written authorisation.

In addition, any processing must be governed by a contract that is binding on the processor. It should set out the subject-matter and duration of the processing, the nature and purpose of the processing and the type of personal data and categories of individuals.

The contract must set out that:

  • the processor will only process the personal data on documented instructions from us
  • any person or organisation authorised to process personal data has committed themselves to confidentiality
  • the processor puts in place appropriate security measures
  • the processor assists us in complying with our obligations about requests by people to access their data
  • the processor assists us in complying with our security obligations, notifications to the ICO and to affected individuals and privacy impact assessments
  • the processor deletes or returns all personal data to us after the end of the provision of the processing services
  • the processor makes available to us all information necessary to demonstrate compliance with the above and to allow for and contribute to audits, including inspections etc.