Guidance on the actions that need to be taken is detailed on this page. This is a slightly complicated process as it involves sending a first letter, then discussing some details of the proposed change with suppliers and then sending a second letter with those details filled in.
Departments should write as soon as possible to contractors in accordance with the first template letter attached.
Amendments to existing contracts
New data protection legislation is due to come into force on 25 May 2018, replacing the current Data Protection Act 1998. The new data protection legislation comprises the General Data Protection Regulation (GDPR) and the new Data Protection Act 2018 (subject to Royal Assent).
There are a number of changes that will affect existing commercial contracts with your department’s suppliers.
To accommodate these changes, local authorities are recommended to apply the provisions of PPN 03/17 (the 'Policy Note'), issued by the Crown Commercial Service. The Policy Note sets out how we should amend both new and existing contracts.
Departments will need to update existing relevant contracts with their suppliers. Relevant contracts are those that involve personal data. Not all contracts will need to be amended, only those where there is personal data involved.
Personal data means any information relating to an identified or identifiable natural person (that is a ‘data subject’), an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, address or an online identifier. An IP address or roll number can therefore amount to personal data.
For the department's existing relevant contracts which include personal data the following process should be followed:
The department will write to its suppliers notifying them that it intends to make changes to relevant contracts (the first letter see attached). This is so that suppliers know as early as possible what the department is doing, and that the suppliers are prepared for the change process.
The department will then communicate again with the identified suppliers after having had a discussion with them. In particular, the details in Schedule 1 Annex 1 to the first letter will need to be completed by the department and agreed in discussions with the supplier. This Annex 1 is used to describe what sort of departmental data is being processed by the supplier, and what processing they will do on behalf of the department. This discussion with the supplier can take place by phone or email for speed and convenience.
Once the processing details in Annex 1 of the variation letter have been agreed in principle with the supplier, the complete variation letter (second letter) can be formally executed as described in point 4.
Two identical copies of the variation letter (second letter) will be sent to the supplier signed by a department authorised signatory. The supplier will sign and date both copies, keeping one fully signed copy for themselves, and returning a fully signed copy to the department. This will then legally change the existing contract(s) to comply with the new data protection laws.
Departments will then need to manage which variation letters have been sent out to suppliers to be signed, and what signed variation letters have been returned by the supplier. Properly completed variation letters should be retained by the department for storage and audit purpose.
- Should a supplier have any difficulties completing Annex 1 of second letter, a letter should be sent setting out a pathway to resolve (see third letter attached to this page).
Potential joint controllers
A number of providers/suppliers have not been willing, as yet, to agree our variation of contract for GDPR on the basis that they believe they may be joint controllers, rather than processors, under Article 26 of GDPR.
However, we consider that there are only very limited circumstances where a Data Controller to Data Controller legal relationship will exist. Accordingly, unless and until we are satisfied to the contrary, we will continue to be of the view that we will remain the Data Controller and the contractor/supplier will remain the Data Processor. This means we will seek the contractual variations sought in the letters that have been issues to all relevant contractors/suppliers.
However, if a contractor continues to assert that it is, in fact, a Joint Controller under GDPR, we would expect that contractor to provide us with a detailed legal rationale of its reasoning.
If you have any queries please contact Simon Hobbs, Data Protection Officer, email: firstname.lastname@example.org or tel: 01629 538306.