Data Sharing Agreement
BETWEEN
The Data Controller – As entered above
AND
The Data Processor – The Assessment Foundation CIC, 1651 Pershore Road, Birmingham, B30 3DR, registered company number 06247396.
BACKGROUND
The Assessment Foundation provide online assessment systems for the use of schools under a Service Contract.
The personal data provided is used to set up an online system allowing detailed assessment of pupils’ academic achievements, which the school may use to analyse and improve pupil attainment.
1) DEFINITIONS AND INTERPRETATION
1.1 The following words and phrases used in this Agreement shall have the following meanings except where the context requires otherwise.
1.2 “Data Subject” means an individual who is the subject of personal data.
1.3 “Personal Data” means data that relate to a living individual who can be identified from that data, or from those data and other information that is in the possession of, or is likely to come into the possession of, the data controller or data processor. The personal data to be processed under this agreement consists of:
1.3.1 In the category of data subjects - Pupil Data: Name, UPN, Date of Birth, Gender, contextual information chosen by the Data Controller.
1.3.2 In the category of data subjects - Teacher Data: Name, Contact Details (email and phone number).
1.4 “Process” or “processing” has the meaning given in current Data Protection legislation.
1.5 “Services” means the provision of systems and user support under contract by the Data Processor.
1.6 “Service Contract” means the contract between the Data Processor and Data Controller for the provision of the services.
2) OBLIGATIONS OF THE DATA CONTROLLER
2.1 The Data Controller shall provide the Personal Data to the Data Processor together with such other information as the Data Processor may reasonably require in order for the Data Processor to provide the Services.
2.2 The instructions given by the Data Controller to the Data Processor in respect of the Personal Data shall at all times be in accordance with the laws of the United Kingdom.
3) OBLIGATIONS OF THE DATA PROCESSOR
3.1 In any situation where there is any doubt, the Data Processor will process the personal data strictly in compliance with current Data Protection legislation.
3.2 The Data Processor undertakes that it shall process the Personal Data only in accordance with the Data Controller's instructions for the processing of that personal data as defined by the Service Contract. The Data Processor will not process the data in any way or for any purpose other than those set out in this agreement, except where authorised by the Data Controller.
3.3 The Data Processor undertakes that it shall process the Personal Data within the following scope, nature and purpose:
3.3.1 Subject Matter – provision of software products and services as ‘software as a service’ for the purpose of online assessment.
3.3.2 Nature – computing and storage.
3.3.3 Purpose – Set up and provision of ‘software as a service’:
3.3.3.1 To set up and create an account to allow the Data Controller to use the online system in accordance with the terms of the Service Contract.
3.3.3.2 To support and communicate with staff of the Data Controller regarding use of the software.
3.3.3.3 To provide reasonable communication with the staff of the Data Controller for administrative purposes and, where consent is given, regarding other services of the Data Processor.
3.4 The Data Processor will process the Personal Data for the duration of the Service Contract. In the event of termination of the Service Contract, the Data Processor will retain the Personal Data for a maximum of three years on the instruction of the Data Controller for inspection purposes.
3.4.1 In the event of termination of the Service Contract, the Data Processor will obtain written instruction from the Data Controller regarding removal or retention of data.
3.4.2 Upon receiving written instructions regarding removal of the data, the Data Processor will ensure that the personal data is securely removed from their systems and any printed copies securely destroyed in the timeframe specified by the Data Controller. In complying with this clause, electronic copies of the personal data shall be securely destroyed by either physical destruction of the storage media or secure deletion using appropriate electronic shredding software.
3.5 The Data Processor will ensure that access to the personal data is limited to only those employees who require access for the purpose of the Data Processor carrying out the processing specified herein and complying with its obligations under this Agreement.
3.6 All staff employed by the Data Processor with access to the Data Controller’s data will receive suitable training on information security and Data Protection. Audit trails on access to personal data and incidents involving personal data will be maintained by the Data Processor and made available to the Data Controller on request.
3.7 The Data Processor agrees to assist the Data Controller promptly with all subject access requests that may be received from the data subjects as specified in current data protection legislation and without undue delay.
3.8 The Data Processor will not disclose the personal data to a third party in any circumstances other than at the specific written request of the Data Controller, unless the disclosure is required by law. Where the disclosure is required by law, the Data Processor will inform the Data Controller immediately.
3.9 The Data Processor will not transfer the personal data outside of the United Kingdom for any reason.
3.10 Signature of this contract will be understood by both parties as written agreement to the use of sub-processors listed under SCHEDULE A of this agreement.
3.11 With the exception of sub-processors listed in SCHEDULE A of this agreement, the Data Processor will not sub-contract any of the processing without explicit written agreement from the Data Controller. Where such written agreement is provided, the Data Processor will ensure that any sub-contractor it uses to process the personal data complies with the terms of this agreement.
3.12 The Data Processor will ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymisation and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it).
3.13 The Data Processor will not keep the personal data on any laptop or other portable drive or device unless the use of such equipment is necessary for the delivery of the Services, and only when that device is encrypted. The Data Processor shall use all reasonable security practices and systems applicable to the use of the data to prevent, and take prompt and proper remedial action against, unauthorised access, copying, modification, storage, reproduction, display or distribution of the Data. Where such equipment is necessary, the Data Processor will keep a clear record of all devices on which the personal data are stored.
3.14 Any breach of security involving the loss, theft, damage, inappropriate access to or corruption of personal data – or equipment on which it is stored - supplied by the Data Controller to the Data Processor will be reported to the Data Controller immediately, and no later than two working days after the incident is identified. The Data Processor will provide any necessary assistance required to manage or investigate the causes of any such incident, liaise with the Information Commissioner or correct any breaches. The same level of assistance will be provided should any complaint be received from a data subject about the Services covered by this agreement.
3.15 The Data Controller is entitled to make any check it considers reasonable to ensure that information is properly secured and handled, and to check compliance with this agreement, subject to appropriate notice to the Data Processor.
SCHEDULE A – APPROVED SUB-PROCESSORS
Amazon Web Services (UK registration - 08650665)
Salesforce (SEC CIK #0001108524)
Xero (UK registration - 06071722)