Data Processing Policy

Effective date: October 1, 2015

The Parties



The purpose of the disclosure is to facilitate the provision of the DutySheet services (“the purpose”).

This Policy sets out the terms and conditions under which Data held by the Data Controller will be disclosed to the Data Processor. This Policy is entered into with the purpose of ensuring compliance with the Data Protection Act 1998 (“the Act”). Any processing of data must comply with the provisions of this Act.


The following words and phrases used in this Policy shall have the following meanings except where the context otherwise requires:

The expressions “Data”, “Data Controller”, “Data Processor”, “Personal Data”, “Sensitive Personal Data”, “Processing”, “Information Commissioner”, have the same meaning as in Sections 1, 2 and 6 of The Data Protection Act 1998 as amended.

“Private Data” means any Data including “Personal Data” and “Sensitive Personal Data” as above provided by the Data Controller to the Data Processor and as identified in the Purpose above.

“Aggregated Data” means Private data grouped together to the extent that no living individual can be identified from that Aggregated Data or any other Data in the possession of, or likely to come into the possession of any person obtaining the Aggregated Data.

The “Designated Manager” means any authorised user on behalf of the Data Controller or other such person as shall be notified to the Data Processor from time to time.

“Government Protective Marking Scheme” means a scheme for the classification of information.

“Policy” means this data processing Policy.

“Confidential Information” means any information relating to the Data Controller’s customers and prospective customers, current or projected financial or trading situations, business plans, business strategies, developments and all other information relating to the Data Controller’s business affairs including any trade secrets, know-how and any information of a confidential nature imparted by the Data Controller to the Data Processor during the term of this Policy or coming into existence as a result of the Data Processor’s obligations, whether existing in hard copy form or otherwise, and whether disclosed orally or in writing. This definition shall include all Personal Data.

Any reference to any enactment or statutory provision shall be deemed to include a reference to such enactment or statute as extended, re-enacted, consolidated, implemented or amended and to any subordinate legislation made under it; and

The word “including” shall mean including without limitation or prejudice to the generality of any description, definition, term or phrase preceding that word, and the word “include” and its derivatives shall be construed accordingly.

Information provision

The Private Data will be provided over a set time period to be agreed in advance by both Parties.

Ownership of the Private Data shall pass to the Company and the Company will accept full liability for the data until such time the services of DutySheet are discontinued by the Data Controller.

Use, Disclosure and Publication

The Private Data will be solely used for the purpose and no other.

Private Data will NOT be matched with any other Personal Data otherwise obtained by the Data Controller, or any other source, unless specifically authorised in writing by the Data Controller.

The Private Data will NOT be disclosed to any third party without the written authority of the Data Controller.

Access to the Private Data will be restricted to those employees/agents/contractors of the Data Processor, directly involved in the processing of the Private Data in pursuance of the Purpose.

No steps will be taken by the Data Processor to contact any Data Subject identified in the Private Data and no Private Data will be reproduced in any other format than the agreed digitalised system.

Personal Data used for research will not be published in identifiable form unless the persons concerned have given their consent and in conformity with other safeguards laid down by domestic law.

Data Protection and Human Rights

The use and disclosure of any Personal Data shall be in accordance with the obligations imposed upon the Parties to this Policy by the Act and the Human Rights Act 1998. All relevant codes of practice or data protection operating rules adopted by the Parties will also reflect the data protection practices of each of the parties to this Policy.

The Parties agree and declare that the information accessed pursuant to this Policy will be used and processed with regard to the rights and freedoms enshrined within the European Convention on Human Rights. Further, the Parties agree and declare that the provision of information is proportional, having regard to the purposes of the Policy and the steps taken in respect of maintaining a high degree of security and confidentiality.

The Parties undertake to comply with the provisions of the Act and to notify as required any particulars as may be required to the Information Commissioner.

The receipt by the Data Processor from any Data Subject of a request to access to the Data covered by this Policy must be reported immediately to the person nominated below representing the Data Controller, who will arrange the relevant response to that request.

If any Party receives a request under the subject access provisions of the Act and personal data is identified as belonging to another Party, the receiving Party will contact the other Party to determine if the latter wishes to claim an exemption under the provisions of the Act.

It is acknowledged that where a Data Controller cannot comply with a request without disclosing information relating to another individual who can be identified from that information, he is not obliged to comply with the request, unless;

  1. the other individual has consented to the disclosure of the information to the person making the request; or
  2. it is reasonable in all the circumstances to comply with the request without the consent of the other individual. In determining whether it is reasonable, regard shall be had, in particular to:-
    • any duty of confidentiality owed to the other individual;
    • any steps taken by the data controller with a view to seeking consent of the other individual;
    • whether the other individual is capable of giving consent;
    • any express refusal of consent by the other individual.

If any Party receives a request for information under the provisions of the Freedom of Information Act 2000 identified as belonging to another Party, the receiving Party will contact the other Party to determine whether the latter wishes to claim an exemption under the provisions of the Act.

Where the Data Processor receives a request for information under the provisions of the Freedom of Information Act 2000 in respect of information provided by or relating to the Data Controller, the Data Processor will contact the person nominated below to ascertain whether the Data Controller wishes to claim any exemption including the determination of whether or not the Data Controller wishes to issue a response neither to confirm nor deny that information is held.

Where any Party receives a Notice under Section 10 of the Act, that Party will contact the person nominated below to ascertain whether or not to comply with that Notice.

The Data Processor shall give reasonable assistance as is necessary to the Data Controller in order to enable him to:

  • Comply with request for subject access from the Data Subjects;
  • Respond to Information Notices served upon him by the Information Commissioner;
  • Respond to complaints from Data Subjects;
  • Investigate any breach or alleged breach of the Act.

in accordance with his statutory obligations under the Act.

On reasonable notice, periodic checks may be conducted by the Data Controller to confirm compliance with this Policy.


The Data Processor shall not use or divulge or communicate to any person any Data obtained from the Data Controller, which it shall treat as private and confidential and safeguard accordingly.

The Data Processor shall ensure that any individuals involved in the Purpose and to whom Private Data is disclosed under this Policy are aware of their responsibilities in connection with the use of that Private Data and confirmed so in writing.

For the avoidance of doubt, the obligations or the confidentiality imposed on the Parties by this Policy shall continue in full force and effect after the expiry or termination of this Policy.

Respect for the privacy of individuals will be afforded at all stages of the Purpose.

This clause shall not apply where disclosure of the Private Data is ordered by a Court of competent jurisdiction, or subject to any exemption under the Act, where disclosure is required by a law enforcement agency or regulatory body or Chief Constable , or if required for the purposes of legal proceedings, in which case the Data Processor shall immediately notify the Data Controller in writing of any such requirement for disclosure of the Private Data in order to allow the Data Controller to make representations to the person or body making the requirement.

The restrictions shall cease to apply to any Data which may come into the public domain otherwise than through unauthorised disclosure by the Parties to the Policy.

Retention, Review and Deletion

The data will be reviewed periodically the Data Controller and where this Policy and Contract is terminated, the data will put into such a format that can be passed to the Data Controller with all remaining data deleted upon termination.


The Data Processor recognises that the Data Controller has obligations relating to the security of Data in his control under the Act. The Data Processor will continue to apply those relevant obligations as detailed below on behalf of the Data Controller during the term of this Policy.

The Data Processor agrees to apply appropriate security measures, commensurate with the requirements of principle 7 of the Act to the Data, which states that “appropriate technical and organisation measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”. In particular, the Data Processor shall ensure that measures are in place to do everything reasonable to:

  • make accidental compromise or damage unlikely during storage, handling, use, processing transmission or transport
  • deter deliberate compromise or opportunist attack, And
  • promote discretion in order to avoid authorised access

During the term of this Policy, The Project Manager shall carry out any checks as are reasonably necessary to ensure that the above arrangements are not compromised.

The Data Controller may wish to undertake suitability checks on any persons having access to Private Data and further reserves the right to issue instructions that particular individuals shall not be able to participate in the Purpose without reasons being given for this decision. The Data Processor will ensure that each person who will participate in the Purpose understands this and provides their written consent as necessary.

The Data Processor will ensure that the personal data accessed is not used other than as identified within this Policy, and that the Policy is complied with.

The Data Controller reserves the right to undertake a review of security provided by any Data Processor and may request reasonable access during normal working hours to the Data Processor premises for this purpose. Failure to provide sufficient guarantees in respect of adequate security measures will result in the termination of this Policy.

Access to the Private Data will be confined to authorised persons only.

In consideration of the provision of the Private Data for the Purpose of the Data Processor undertakes to fully indemnify and keen indemnified the Data Controller against any liability, which may be incurred by the Data Controller as a result of the Data Processor’s breach of this Policy.

Provided that this indemnity shall not apply:

  1. where the liability arises from information supplied by the Data Controller which is shown to have been incomplete or incorrect, unless the Data Controller establishes that the error did not result from any wilful wrongdoing or negligence on his part
  2. to the extent that the Data Controller makes any admission which may be prejudicial to the defence of the action, claim or demand.


In the event of any dispute or difference arising between the Parties out of this Policy, authorised representatives of both parties shall meet in an effort to resolve the dispute or difference in good faith.

The Parties will, with the help of the Centre for Dispute Resolution, seek to resolve disputes between them by alternative dispute resolution. If the Parties fail to agree within 56 days of the initiation of the alternative dispute resolution procedure, then the Parties shall be at liberty to commence litigation.

Term, termination and Variation

The Term of this Policy is until such times as termination of the DutySheet Services.

The Data Controller may at any time by notice in writing terminate this Policy forthwith if the Data Processor is in material breach of any obligation under this Policy.


This Policy acts in fulfilment of part of the responsibilities of the Data Controller as required by paragraphs 11 and 12 of Schedule I, Part II of the Data Protection Act 1998.

This Policy constitutes the entire Policy between the Parties as regards the subject matter hereof and supersedes all prior oral or written Policys regarding such subject matter.

In any provision of this Policy is held by a Court of competent jurisdiction to be invalid or unenforceable, such invalidity or unenforceability shall not affect the remaining provisions of this Policy, which shall remain in full force and effect.

The validity, construction and interpretation of the Policy and any determination of the performance which it requires shall be governed by the Laws of England and the Parties hereby submit to the exclusive jurisdiction of the English Courts.