Content of the Service Agreement
What needs to be in a Service Level Agreement/Data Processing Agreement?
The Data Protection Acts require the service level agreement/data processing agreement to be in writing. The agreement/contract must impose certain minimum obligations on the data processor:
1. To act only on the instruction of the data controller (i.e. the school/ETB).
2. To comply with the obligations imposed on data controllers by section 2(1)(d) of the Data Protection Acts (i.e. to ensure that appropriate steps are taken against the accidental destruction, damage or loss of data).
3. To ensure that the data processor provides sufficient guarantees in respect of the technical security measures and organisational measures governing the processing.
The items numbered (1) – (3) above are legally required to be in the agreement/contract. However, the school/ETB may wish to ensure that the contract/agreement also covers the following issues:
4. A warranty and indemnity from the data processor to the school/ETB for any breaches of the provisions of the contract or of the data processor’s obligations under law. This should include a warranty to use trained, competent and compliant staff. There should be a full indemnity to the school/ETB where this warranty is breached.
5. A commitment to provide prompt and full assistance to enable the school/ETB to comply with any access request received by the school/ETB.
6. An agreement to inform the school/ETB immediately where there are any data security breaches in the data processor’s company (giving the name and contact details of the individual within the school/ETB who should be notified in the event of such a breach). In such circumstances, the principal of the school should be contacted immediately (and in the case of an ETB school, both the principal and the chief executive officer should be contacted).
7. A right to engage in an adequacy audit and/or compliance audit to check compliance with the commitments in the agreement/contract (especially the security obligations).
8. A requirement that a copy of the school/ETB’s Personal Data Security Breach Code of Practice is given to the data processor and that the data processor commits to complying with the terms of that Code of Practice. The school’s/ETB’s Personal Data Security Breach Code of Practice could be incorporated into the agreement/contract between the school/ETB and the data processor (e.g. by way of an appendix to the agreement/contract, with a reference in the main body of the agreement/contract stating that the data processor agrees to be bound by, and will fully comply with, the terms of the school’s/ETB’s Code of Practice).
9. A requirement that, on termination or expiry of the contract for any reason, all personal data held by the data processor is either returned to the data controller or deleted entirely from the data processor’s systems and files.
Where a school/ETB already has a contract in place with a third party providing data processing services to the school/ETB, and that contract does not contain the provisions set out at (1) – (9) above, the school/ETB may wish to review the contractual arrangements with its data processor.