Data protection considerations when using contractors to produce your household notification letters
If you are sending data from the electoral register to a contractor or supplier to produce your household notification letters, or to provide an automated response service, you are using a processor to process personal data on your behalf.
Data protection legislation requires that you only appoint a processor that can provide sufficient guarantees that the requirements of data protection legislation will be met. This means that data protection needs to be integral in any tender exercise, and you should document your decision-making process to ensure you have an audit trail.
Whenever you use a processor, data protection legislation imposes a legal obligation to formalise the working relationship in a written agreement or contract which includes:
the subject matter, nature and purpose of the processing
the obligations and rights of the data controller
the duration of the processing
the types of personal data and categories of data subjects
In addition, data protection legislation requires that the contract must set out specific obligations on the processor, including that they:
comply with your instructions
are subject to a duty of confidentiality
keep personal data secure and notify you of any breach
maintain written records of the processing activities they carry out for you
only use a sub-processor with your consent
submit to audits and inspections and provide you with whatever information you need to ensure compliance with data protection requirements
delete or return all personal data to you as requested at the end of the contract
As the data controller, you remain ultimately responsible for ensuring that personal data is processed in accordance with data protection legislation. However, if a processor fails to meet any of its obligations, or acts against your instructions, then it may also be liable to pay damages or be subject to fines or other penalties or corrective measures. The ICO has provided guidance on Contracts and liabilities between controllers and processors which you should consider in relation to your contracts with data processors.
You should ensure that when using a contractor you have robust proof-checking processes in place, including ensuring that you only provide the data required for each specific process. This could help detect any errors and avoid data breaches before they occur.