Getting it right when adding suppliers.
Further to our recent email regarding adding suppliers to our Supplier Product Directory, we have put together a flow chart for users to follow in order to clarify whether the supplier they wish to add really does process personal data. We recommend you print the chart and follow it for each supplier you believe you need to add to GDPRiS.
This process does not affect selecting suppliers that are already in GDPRiS, only those that you believe you need to add.
Which suppliers are which?
Use our guidance on data processors and data controllers to help clarify if a supplier you wish to add to GDPRiS should be added.
Suppliers: are they data processors or data controllers?
It is important to understand if suppliers of products and services are data controllers or processors.
If the supplier is a controller, it must itself handle the data to the GDPR compliance standards, and the school carries no liability for that processing. However, if the supplier is a data processor and you are the data controller, you share responsibility: you remain accountable for the processing, and it is very important for the supplier to demonstrate to you that they are managing your data appropriately and correctly.
What to look for
There is no clear-cut rule, but here are some pointers.
Suppliers as data controllers
All suppliers will be data controllers for some of your data.
Every supplier will ask you for the main contact’s name and details to allow them to do business with you. This is a business to business (B2B) relationship in which the supplier is the data controller and the named contact is the data subject. All responsibility for keeping that data safe lies with the supplier. The contact can exercise their rights as a data subject to ask the supplier about the data it holds on them, just as a parent can ask the school in a Subject Access Request (SAR).
Examples where suppliers are data controllers:
• All suppliers – B2B information
• Training organisations, unless they ask for more than the basic information needed to identify the trainee
• Equipment and food suppliers, unless you give them individual names relating to special requests, e.g. medical information about a pupil or member of staff to support a specialised equipment or food request
• Shopping portals
• etc, etc
Suppliers that are data processors
The GDPR makes it clear that keeping data safe is a responsibility shared between the data controller and the data processor: the processor has its own direct obligations (on security, and on the written contract it must have with you), but you as controller remain accountable for the processing. A data processor can only process the data under the instructions of the data controller and cannot decide to do anything else with that data.
If large quantities of data are leaving your school to go to another organisation, you can be fairly sure that you are the data controller and the receiving organisation is the data processor. In addition, the supplier is likely to be a data processor if you are passing on information about individuals which is more than the most basic contact details. Examples include:
• Local authorities
• DfE and Ofsted
• Examination boards
• Teachers’ Pensions, HR and payroll systems
• School meals
• etc, etc
Note that public bodies such as the local authority, the DfE, Ofsted and the examination boards generally receive data under their own statutory or regulatory powers and are then controllers (or joint controllers) in their own right rather than your processors, even though large volumes of data flow to them. The local authority is only your processor where it provides a service on your instructions, payroll for example. Check the basis on which each of them receives the data before classifying them.
Suppliers as data processors
In addition, there are many commercial companies which act as your data processors.
• Messaging and Parent Engagement systems
• Payment and school meals’ services
• Online safeguarding software
• Teaching and learning portals which ask you to upload pupil or staff data
• System integrators which pull data from one place and move it to another
• etc, etc
Each such supplier needs to provide you with evidence of their compliance, both for your data protection impact assessment (DPIA) and for the written contract the GDPR requires you to have with every processor.
Suppliers that produce software to allow schools to process data
There are many systems in schools where the software processes data but the data never leaves the premises. Whilst the suppliers of such software are not data processors, they have a responsibility to make sure their software lets you meet your compliance obligations. You would expect these suppliers to provide you with much of the same evidence as a data processor, even though they do not process the data themselves.
• Locally installed copies of Word and Excel (not Office 365 online)
• Locally hosted MIS
• Various teaching software installed locally where children or staff enter their names
• etc, etc
Remember that if any of these suppliers moves you to an online system, or undertakes remote support and has access to your data, it becomes a data processor.
If you have any concerns, ask your supplier to confirm the relationship you have with them. There are also several forums where you can ask, such as Edugeek or the Capita SIMS GDPR MyAccount forum.