Step 9: Third parties
Step 9: Third parties
The operation of a local Scout Group, District, County/Area/Region (Scotland) or Country will inevitably involve the services of other organisations or companies. In the case where these parties process the personal data you control on your behalf, they are known as third party processors.
In the first instance you should discover all third party processors your local Scout Group, District, County/Area/Region (Scotland) or Country are working with. During this process it is important to understand the type of relationship you have with the third party, these can be broken down as follows:
- Data controller to data processor (third party processor)
- Data controller to data controller, where both independently determine the purpose for processing but there is a transfer of data between them
- Joint data controllers would be acting together to decide the purposes and manner of data processing
- Data controllers in common who share a common data set but determine the processing purposes independently
In all cases it is advisable to have at least an agreement in place between you. The type of agreement is dependent on the relationship;
- Data controller to data processor – requires a formal data processing agreement – ICO guidance can be found here
- Data controller to data controller – advisable to have a documented agreement or arrangement between them. This could be based on both having GDPR aligned privacy notices
- Joint data controllers - required to have a documented agreement or arrangement between them that determines each other’s responsibilities
- Data controllers in common – usually this would be bound by organisational rules, such as POR, no further formal agreement is required
The below could be examples of these different scenarios:
- Data controller to data processor – Local Scout Group, District, County/Area/Region (Scotland) or Country to third party events management company
- Data controller to data controller - Local Scout Group, District, County/Area/Region (Scotland) or Country to another within the Movement structure
- Joint data controllers – Unlikely to be used within Scouting
- Data controllers in common – Local Scout Group, District, County/Area/Region (Scotland) or Country with UK headquarters for adult volunteer joining. The commonality here is the data within the Scouts membership database (Compass).
It's required to maintain a record of all third-party relationships and to demonstrate that relationship is GDPR and DPA 2018 aligned.
Initially you should review any existing contracts you have with the third party and check for its alignment to the GDPR. At a high level the agreement should consider the following when it is a data controller to data processor relations, this type of structure can also be use for other relationship agreements;
In addition to the contract structure it is important to assess the third party based on the data location. This is known as the adequacy and is specifically focused on ensuring the third party are in an EU country, and hence bound by the GDPR, or they are in a nation that offers the same levels of data protection. In cases where a nation has been found to align to the GDPR a relationship is brokered between themselves and the EU, known as an adequacy agreement. It is then the responsibility of the third party to become a subscriber to the nations agreement and be measured against it. An example is the EU Privacy Shield that exists between the United States and the EU. Companies and organisations that are in the US and processing data of EU citizens should align to this framework.
A list of adequate countries can be found here.
As the majority of cloud based solution providers reside in the US its worth checking the Privacy Shield register to see if the third party is part of the framework already.
Data sharing and transfers
Finally, consideration needs to be made when transferring data to a third party, specifically around the mechanism used to complete this transfer.
A data transfer can be anything from a paper form sent via post or electronic transfer via email or directly through websites. In all cases care should be taken to secure the transfer. Basic techniques for securing these kind of transfers would be the use of special delivery services from the postal service and encryption for electronic systems.