Use of Third Party Services

The General Data Protection Regulation (GDPR) imposes stricter controls on the way we allow third parties to handle personal data for us.  The University occasionally uses third party organisations or companies to process data on its behalf.  When this takes place on a significant scale there should always be a contract and a data processing agreement put into place.

However, staff and students or others undertaking University business in one capacity or another might overlook the fact that very basic, everyday, free services we use are third party processors to whom we supply personal data in one form or another. Survey tools, meeting organisation tools, batch communications tools etc. all fall into this category. In these instances we are often bound by their Terms and Conditions of service, which may not be compliant with the requirements of the GDPR.

It may not be possible to provide hard and fast guidance on each of the services available (especially as terms and conditions are revised over time) but the advice below should be taken into account when considering what third party service to use if there is no internal option available.

1. Read Terms and Conditions

Always read the Terms and Conditions of Service. Do they adequately consider data security and detail the technology employed?  Do they detail how long they retain personal data or specify who will have access to it?  Do they note compliance with the General Data Protection Regulation?  If these things are not adequately explained, then it is advisable to avoid using this service.

2. Find out where the data is held

It is important to know whether the data that they are provided with (by you/Aberystwyth University directly or by individual participants) will be held on servers within the EU/EEA or the UK.  If these details are not immediately provided, or if they state that their servers are held outside the EU/EEA then you should not use this service provider without first discussing the matter with the Data Protection Officer.

3. Surveys

Any survey information collected online must be collected in a manner that complies with the data protection legislation (specifically, GDPR and the Data Protection Act 2018), though this is not relevant if a survey is comprehensively anonymous and no identifying data is involved.

A number of online survey services currently store data outside the EEA/EU, and this automatically means that they are non-compliant. Aberystwyth University, along with most UK Universities, recommends using JISC Online Surveys (formerly BOS) in most circumstances.  Smartsurvey also hold their data in the UK and are indicating broad compliance with GDPR.

All surveys must be accompanied by a data protection or privacy notice.  If a survey is intended to be anonymous, this must also be clearly stated.

4. Online calendar, meeting and event booking services

Here again, be aware of terms and conditions and particularly any information regarding the location of where data is held.  How long do they retain data, and what rights do they have over any additional content such as uploaded photographs or text?  It is preferable for you to have the ability to delete any data that is held in relation to your use of the service rather than relying on the service provider, especially if they have no declared retention period.

5. Bulk mailing services

Email marketing is particularly affected by both data protection and privacy in electronic communications legislation and so it is essential to discuss any new emailing/marketing projects with the Data Protection Officer before commencement.  Online/cloud services which offer this facility should be avoided if possible.  If use of such a service is unavoidable, again check the Terms and Conditions for those issues noted above.  In such cases it is recommended that you use one of the largest suppliers, as they are more likely to offer services and privacy levels that are compliant with GDPR. 

6. Document Storage

The University provides SharePoint and OneDrive and also AU-sited shared drives for document storage.  As noted above, you should avoid other storage solutions, particularly cloud services where servers hold data outside the EEA/EU. If there appears to be no alternative, take note of points 1 and 2 above, and consult with the Data Protection Officer.