Re: Data Protection Act 1998 (the “Act”)
We refer to the proposed Agreement between your Company and UK Umbrella Service of Level 3 Wooten Lodge, 5 Mill Drove, Uckfield, East Sussex, TN22 5AB (the “Agreement”) and would like to introduce provisions relating to data protection in accordance with the Data Protection Act 1998 (the “Act”). The terms “Personal Data”, “Sensitive Personal Data”, “Data Subject”, “Data Controller” and “Data Processor” are all defined in the Act and are given the same meaning herein.
As you will be aware, in relation to the Personal Data which is supplied to you, your Company is a Data Controller. In processing such data on our behalf, UK Umbrella Service acts as a Data Processor. You will be aware that, as a Data Controller, we are required to comply with the Act and, in particular, the data protection principles set out therein (the “Principles”). Since UK Umbrella Service processes data on your behalf, it is necessary for the Agreement to be extended to ensure that Personal Data is processed in accordance with the Act.
Accordingly, we propose the following agreement:
“(1) Both parties agree to comply with all provisions of the Data Protection Act 1998. In particular, both parties agree that any personal data processed pursuant to this Agreement shall be:
(a) processed fairly and lawfully;
(b) obtained only for one or more specified and lawful purposes;
(c) adequate, relevant and not excessive;
(d) accurate and kept up to date;
(e) kept for no longer than is necessary;
(f) processed in accordance with the rights of the data subjects;
(g) protected by appropriate technical and organisational measures against unauthorised or unlawful processing and against accidental loss, destruction or damage;
(h) processed within the European Economic Area or other territory which provides an adequate level of protection for Data Subjects.
The requirement relating to security measures in Sub-Clause (1)(g) includes, but is not limited to, where appropriate, ensuring that: (i) Sufficient measures are utilised to prevent unauthorised access to Personal Data, such as the use of passwords and encryption; (ii) Personal Data in both electronic and manual forms is kept secure and all employees having access to such data are made aware of the data protection and confidentiality issues involved; (iii) Up to date virus detection and back-up equipment is used; (iv) All such measures are regularly reviewed.
(2) Where personal data is disclosed to UK Umbrella Service by your Company or its affiliates, UK Umbrella agrees to:
(a) ensure that such personal data is only used in accordance with instructions received from your Company; and
(b) notify your Company of any request received from a data subject for access to or changes in the personal data currently being or to be processed pursuant to this Agreement as soon as such request is received.
(3) Where personal data is to be transferred by UK Umbrella to a third party, pursuant to instructions from your Company, UK Umbrella must notify your Company of such transfer and the third party prior to the said transfer taking place. For the avoidance of doubt, where such transfer is made, UK Umbrella shall require the third party to agree to comply with clause (1) above.
(4) Where the Agreement is terminated or where it is no longer necessary to retain personal data, UK Umbrella Service will: (i) As requested by your Company, promptly, either return all personal data to your Company or destroy all personal data in a suitably confidential manner and confirm the same to your Company except to the extent that UK Umbrella is required to retain copies of such personal data pursuant to any relevant legislation; (ii) Cease any further processing of data on behalf of your Company pursuant to this Agreement.
(5) Any reference to personal data in this clause includes sensitive personal data.
In all other respects the terms and conditions of the Agreement remain unaffected.
We confirm that we agree to comply with the Criminal Records Bureau’s ‘Code of Practice’. We understand that the CRB are empowered to refuse an Application for Disclosure should they have reason to believe that the Code has not been complied with. We confirm that we have the right to ask exempt questions under the Rehabilitation of Offenders Act 1974 (as amended). We confirm that our organisation has a policy in place for the recruitment of ex-offenders and the secure use, storage, retention & disposal of Disclosure information and will produce copies of these to UK Umbrella Service if requested. We have completed the separate document, ‘Third Party Side Letter relating to Data Protection’ and agree to be bound by its terms. We also agree that we will pay the current set CRB fee for the appropriate level of Disclosure plus the UKUS administration fee of £15.00 per application (plus £15.00 if using the ‘Veri-fy’ service for ID checking, plus £11.00 should we require POVAFirst checks).
We agree to pay the fees immediately (or within 14 days should we have been granted account facilities with UK Umbrella Service) and also agree to be bound by the general Terms and Conditions of Business set out by UK Umbrella Service Ltd.