Information Compliance

External data hosting: Using another organisation to process personal data on behalf of the University

We are legally responsible for data security

If the University of Kent decides to use another organisation to process personal data for us, we will remain legally responsible for the security of the data and for protecting the rights of the individuals whose data is being processed.

Assessing data security

In deciding what security measures are appropriate, we need to take into account the sort of personal data we are dealing with, the harm that might result from its misuse, the technology that is available to protect the data and the cost of ensuring appropriate security for the data.

The University should endeavour to use reputable organisations who offer suitable guarantees as to their ability to ensure the security of personal data.

When assessing new systems the Information Services Requirements team have included security questions on their requirements list which can be sent out to potential suppliers.  Please contact the Information Compliance Officer if you would like more information. 

Subsequently, any contract arrangements with the external organisation should ensure that they:

  • may only use and disclose the personal data in accordance with our instructions; and
  • must take appropriate security measures to protect the data.

Special considerations for the international transfer of personal data

The Data Protection Act prohibits the transfer of personal data from the UK to a country outside the European Economic Area (EEA) unless that country ensures an adequate level of protection for the rights and freedoms of the individuals whose data is being transferred. Therefore, if you transfer personal data, for example, to a call centre based in Asia or a processor based in the USA, you will need to ensure that your data subjects’ rights are adequately protected.

Please contact the Information Compliance Officer if you would like more information.

This advice is based on guidance provided by the Information Commissioner.   More information can be found on their website within the guidance document “Outsourcing - a guide for small and medium-sized businesses”.

The above checks help us comply with the seventh and eighth data protection principles.  If you have any questions about this or other Data Protection matters please contact the University’s Information Compliance Officer.

Information Compliance - © University of Kent

The Registry, The University of Kent, Canterbury, Kent, CT2 7NZ, T: +44(0)1227 823671

Last Updated: 25/07/2014