Data protection considerations when using contractors to produce your household notification letters

If you are sending data from the electoral register to a contractor or supplier to produce your household notification letters, or to provide an automated response service, you are using a processor to process personal data on your behalf.

Data protection legislation requires that you only appoint a processor that can provide sufficient guarantees that the requirements of data protection legislation will be met. This means that data protection needs to be integral in any tender exercise, and you should document your decision-making process to ensure you have an audit trail.

Whenever you use a processor, data protection legislation imposes a legal obligation to formalise the working relationship in a written agreement or contract which includes:

  • the subject matter, nature and purpose of the processing
  • the obligations and rights of the data controller
  • the duration of the processing
  • the types of personal data and categories of data subjects

In addition, data protection legislation requires that the contract must set out specific obligations on the processor, including that they:

  • comply with your instructions
  • are subject to a duty of confidentiality
  • keep personal data secure and notify you of any breach
  • maintain written records of the processing activities they carry out for you
  • only use a sub-processor with your consent
  • submit to audits and inspections and provide you with whatever information you need to ensure compliance with data protection requirements
  • delete or return all personal data to you as requested at the end of the contract

As the data controller, you remain ultimately responsible for ensuring that personal data is processed in accordance with data protection legislation. However, if a processor fails to meet any of its obligations, or acts against your instructions, then it may also be liable to pay damages or be subject to fines or other penalties or corrective measures. The ICO has provided guidance on Contracts and liabilities between controllers and processors which you should consider in relation to your contracts with data processors.

You should ensure that when using a contractor you have robust proof-checking processes in place, including ensuring that you only provide the data required for each specific process. This could help detect any errors and avoid data breaches before they occur.

You can find more information in our data protection guidance for EROs and ROs.

 

Last updated: 10 May 2024