Third Party Service Agreements
Unlike data controllers, data processors have a very limited set of responsibilities under the Data Protection Act. These responsibilities concern the necessity to keep personal data secure from unauthorised access, disclosure, destruction or accidental loss. In addition all data processors, whose business consists wholly or partly in processing personal data on behalf of data controllers who are required to register, are also required to register with the Data Protection Commissioner as a data processor.
A data processor is defined as a person who processes personal information on behalf of a school/ETB as the data controller, but does not include an employee of a data controller who processes such data in the course of their employment. The Act places responsibilities on such entities in relation to their processing of the data.
Some examples of “data processors” in a school/ETB context: external company providing HR services (assistance with payroll etc.); external IT services companies; school text service providers; biometric systems operators; an external company monitoring the school’s CCTV system; external company providing “cloud computing” electronic storage facilities for the school; off-site archiving company who store old files on behalf of the school.