I've had several queries recently regarding whether it is acceptable for a company acting as a data processor to process information on behalf of the school or academy as a data controller when the processing actually takes place away from school.
Under GDPR and the Data protection Act 2018 organisations that act as processors, or act as controllers that engage processors, should have reviewed the requirements associated with appointing processors. In particular, they should have reviewed their existing data processing agreements and considered whether any amendments were required. Obviously, any new data processing agreements should be drafted in accordance with the requirements of the GDPR.
In addition, each organisation that acts as a processor should:
identify the data processing activities for which it is a processor;
ensure that it understands its responsibilities as a processor under the GDPR; and
ensure that it has appropriate processes and templates in place for identifying, reviewing and (to the extent required) promptly reporting data breaches to the relevant controller.
None of these requirements have the effect of meaning processing can't be conducted away from the premises of the data controller; the processor has a legal obligation to keep data safe and secure, and return or destroy it at the end of the agreement.
An example, which is used with the kind permission of Michael Brennan, the Managing Director of fit4 schools (to be found at fit4schools.co.uk) who deliver a range of PE and activities in primary schools in Birmingham and surrounding areas. Some schools have felt the need to ask for consent to pass personal data on to fit4schools as a data processor acting on their behalf whilst other s have quite rightly felt that the company is being commissioned as a data processor to assist in delivery of the curriculum which is a statutory obligation, and therefore no consent is actually needed.
It is clear that schools need to inform families where data processors are being used and ensure the processor is meeting their legal obligations. This should be done via a privacy notice rather than by trying to seek consent. If a parent or carer refuses to give their consent, how does the curriculum get delivered to their child? The answer is simple it can't if you are relying on consent as the basis for processing the data - this is why we should use statutory duty.,