eduroam(UK) Data Protection Schedule


1. DEFINITIONS

1.1. The following definitions apply to this Data Protection Schedule:

Agreement

means the agreement between Jisc and the Member for the provision of the Service;

Applicable EU Law

any law of the European Union (or the law of one of the Member States of the European Union);

Controller, Processor and Data Subject

shall have the meaning given to those terms in the GDPR;

Data Protection Legislation

means (a) any law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding restriction (as amended, consolidated or re-enacted from time to time) which relates to the protection of individuals with regards to the processing of Jisc Member Data to which a Party is subject, including EC Directive 95/46/EC (the DP Directive), the Data Protection Act 1998 (the DPA) and Privacy and Electronic Communications (EC Directive) Regulations 2003 (up to and including 24 May 2018) and the GDPR (on and from 25 May 2018), or, in the event that the UK leaves the European Union, all legislation enacted in the UK in respect of the protection of Personal Data; and (b) any code of practice or guidance published by the Regulator from time to time;

Data Protection Particulars

means, in relation to any Processing under this Agreement:

(a)       the subject matter and duration of the Processing;

(b)       the nature and purpose of the Processing;

(c)       the type of Personal Data being Processed; and

(d)       the categories of Data Subjects.

Data Subject Request

means an actual or purported subject access request or notice or complaint from (or on behalf of) a Data Subject exercising his rights under the Data Protection Legislation;

Data Transfer

means transferring the Personal Data to, and / or accessing the Personal Data from and / or Processing the Personal Data within, a jurisdiction or territory that is a Restricted Country;

GDPR

means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and repealing Directive 95/46/EC (General Data Protection Regulation) OJ L 119/1, 4.5.2016;

Permitted Purpose

means the purpose of the Processing as specified in the Data Protection Particulars;

Personal Data

has the meaning given to it in the GDPR and for the purposes of this Agreement includes Sensitive Personal Data;

Personal Data Breach

has the meaning given to it in the GDPR and, for the avoidance of doubt, includes a breach of Clause 4.1.3;

Personnel

means all persons engaged or employed from time to time by Jisc in connection with this Agreement, including employees, consultants, contractors and permitted agents;

Processing

has the meaning given to it in the GDPR (and "Process" and "Processed" shall be construed accordingly);

Regulator

means the UK Information Commissioner's Office (including any successor or replacement body);

Regulator Correspondence

means any correspondence or communication (whether written or verbal) from the Regulator in relation to the Processing of the Personal Data;

Restricted Country

means a country, territory or jurisdiction outside of the European Economic Area which the EU Commission has not deemed to provide adequate protection in accordance with Article 25(2) of the DP Directive and/or Article 45(1) of the GDPR (as applicable);

Security Requirements

means the requirements regarding the security of the Personal Data, as set out in the Data Protection Legislation (including, in particular, the seventh data protection principle of the DPA and/ or the measures set out in Article 32(1) of the GDPR (taking due account of the matters described in Article 32(2) of the GDPR)) as applicable;

Sensitive Personal Data

means Personal Data that incorporates such categories of data as are listed in Article 9(1) of the GDPR;

Service

means the eduroam(UK) service;

Schedule

means this schedule which forms part of the Agreement.

Third Party Request

means a written request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by law or regulation;

2. ARRANGEMENT BETWEEN THE PARTIES

2.1. The Parties shall each Process the Personal Data in accordance with the terms of this Schedule. The Parties acknowledge that the factual arrangement between them dictates the classification of each Party in respect of the Data Protection Legislation. Notwithstanding the foregoing, the Parties anticipate and agree that the Member shall act as Controller and Jisc shall act as Processor, as follows:

2.1.1 The Member shall be a Controller where it is Processing the Personal Data in relation to the services being supplied by Jisc; and

2.1.2 Jisc shall be a Processor where it is Processing the Personal Data in relation to the Permitted Purpose in connection with the performance of its obligations under these service terms.

2.2. Each of the Parties acknowledges and agrees that the following table sets out an accurate description of the Data Protection Particulars:

The subject matter and duration of the Processing

Jisc requires management and system administrator contact information to be held in order to ensure the security and effectiveness of provision of the Service to Members.

In order to deliver the Service, Jisc requires certain pieces of information which are transmitted between Members during the operation of the Service to be recorded. This enables the essential elements of the Service, namely the provision of troubleshooting capability and connection event logging, to be delivered.

The duration of the Processing of contact information will be for the term of the Service agreement between the Member and Jisc.

The duration of the Processing of information gathered as part of the operation of the Service will be 12 months.

The nature and purpose of the Processing

The Personal Data will be Processed in order to provide the Service ordered by the Member.

The type of Personal Data being Processed

Management and system administrator contact details provided by the Member comprise the following types: first name; last name; job title; e-mail address; telephone number.

The only data types gathered by Jisc during the operation of the Service comprise: Calling Station Identity (MAC address) of a device; the username (which may be anonymous) and Operator-Name (which identifies the Member organisation that the device was at when using the Service).

The categories of Data Subjects

The Data Subjects are the managers and system administrators of the eduroam service operated by the Member.

The Data Subjects are users of the eduroam service operated by the Member: staff, students, contractors, associates and guests of the Member.

3. Controller Obligations

3.1. As the Controller in respect of the Processing of the Personal Data, the Member shall ensure that:

3.1.1 it is not subject to any prohibition or restriction which would prevent or restrict it from disclosing or transferring the Personal Data to Jisc in accordance with the terms of this Schedule; and

3.1.2 all fair processing notices have been given (and/or, as applicable, consents obtained) and are sufficient in scope to allow the Member to disclose the Personal Data (including any Sensitive Personal Data) to Jisc for the delivery of the Service in accordance with the Data Protection Legislation.

4. Processor Obligations

4.1. Jisc (as a Processor in relation to any Personal Data Processed by (or on behalf of) the Member pursuant to the Agreement) undertakes to the Member that it shall:

4.1.1 process the Personal Data for and on behalf of the Member in connection with the performance of the Service only and for no other purpose in accordance with the terms of this Agreement and any instructions from the Member;

4.1.2 unless prohibited by law, promptly notify the Member (and in any event within forty-eight (48) hours of becoming aware of the same) if it considers, in its opinion (acting reasonably), that it is required by Applicable EU Law to act other than in accordance with the instructions of the Member, including where it believes that any of the Member's instructions under Clause 4.1.1 infringes any of the Data Protection Legislation;

4.1.3 implement and maintain appropriate technical and organisational security measures to comply with at least the obligations imposed on a Controller by the Security Requirements. If requested by the Member, Jisc will provide a description of the technical and organisational security measures that Jisc will implement and maintain;

4.1.4 take all reasonable steps to ensure the reliability and integrity of any of the Personnel who shall have access to the Personal Data, and ensure that each member of Personnel shall have entered into appropriate contractually-binding confidentiality undertakings;

4.1.5 notify the Member promptly, and in any event within forty-eight (48) hours, upon becoming aware of any actual or suspected, threatened or 'near miss' Personal Data Breach, and:

  1. implement any measures necessary to restore the security of compromised Personal Data;
  2. assist the Member to make any notifications to the Regulator and affected Data Subjects;

4.1.6 notify the Member promptly (and in any event within ninety-six (96) hours) following its receipt of any Data Subject Request or Regulator Correspondence and shall:

  1. not disclose any Personal Data in response to any Data Subject Request or Regulator Correspondence without the Member's prior written consent; and
  2. provide the Member with all reasonable co-operation and assistance required by the Member in relation to any such Data Subject Request or Regulator Correspondence;

4.1.7 not disclose Personal Data to a third party in any circumstances without the Member's prior written consent, other than:

  1. in relation to Third Party Requests where Jisc is required by law to make such a disclosure, in which case it shall use reasonable endeavours to advise the Member in advance of such disclosure and in any event as soon as practicable thereafter, unless prohibited by law or regulation from notifying the Member;
  2. to Jisc's employees, officers, representatives and advisers who need to know such information for the purposes of Jisc performing its obligations under this Agreement and in this respect Jisc shall ensure that its employees, officers, representatives and advisers to whom it discloses the Personal Data are made aware of their obligations with regard to the use and security of Personal Data under this Agreement; and
  3. to a sub-contractor appointed in accordance with Clause 5.

4.1.8 not make (nor instruct or permit a third party to make) a Data Transfer without putting in place measures to ensure the Member's compliance with Data Protection Legislation;

4.1.9 on the written request of the Member, and with reasonable notice, allow representatives of the Member to audit Jisc in order to ascertain compliance with the terms of this Clause 4 and/or to provide the Member with reasonable information to demonstrate compliance with the requirements of this Clause 4, provided that:

  1. the Member shall only be permitted to exercise its rights under this Clause 4.1.9 no more frequently than once per year (other than where an audit is being undertaken by a Member in connection with an actual or 'near miss' Personal Data Breach, in which case, an additional audit may be undertaken each year by the Member within thirty (30) days of the Member having been notified of actual or 'near miss' Personal Data Breach);
  2. each such audit shall be performed at the sole expense of the Member;
  3. the Member shall not, in its performance of each such audit, unreasonably disrupt the business operations of Jisc;
  4. the Member shall comply with Jisc's health and safety, security, conduct and other rules, procedures and requirements in relation to Jisc's property and systems which have been notified by Jisc to the Member in advance; and
  5. in no case shall the Member be permitted to access any data, information or records relating to any other Member of Jisc;

4.1.10 except to the extent required by Applicable EU Law, on the earlier of:

  1. the date of termination or expiry of the Agreement (as applicable); and/or
  2. the date on which the Personal Data is no longer relevant to, or necessary for, the performance of the Service,

cease Processing any of the Personal Data and, within sixty (60) days of the date being applicable under this Clause 4.1.10, return or destroy (as directed, in writing, by the Member) the Personal Data belonging to, or under the control of, the Member and ensure that all such data is securely and permanently deleted from its systems, provided that Jisc shall be entitled to retain copies of the Personal Data for evidential purposes and to comply with legal and/or regulatory requirements;

4.1.11 comply with the obligations imposed upon a Processor under the Data Protection Legislation; and

4.1.12 assist the Member in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of Processing and the information available to Jisc, provided that Jisc shall be entitled to charge a fee to the Member (on a time and materials basis and at such rate notified by Jisc to the Member from time to time) in respect of providing any such assistance to the Member.

4.2. Notwithstanding anything in this Agreement to the contrary, this Clause 4 shall continue in full force and effect for so long as Jisc Processes any Personal Data on behalf of the Member.

5. Sub-contractors

5.1. Jisc may from time to time use sub-contractors to provide the Service and shall be permitted to disclose Personal Data to these sub-contractors (or allow these sub-contractors to access Personal Data) for Processing solely in connection with the provision of the Service. Where Jisc uses a sub-contractor to Process Personal Data for or on its behalf, Jisc will ensure that the sub-contractor contract is on terms which are substantially the same as, and in any case no less onerous than, the terms set out in Clause 4.

5.2. Jisc shall remain liable to the Member for the acts, errors and omissions of any of its sub-contractors to whom it discloses Personal Data, and shall be responsible to the Member for the acts, errors and omissions of such sub-contractor as if they were Jisc's own acts, errors and omissions, to the extent that Jisc would be liable to the Member under this Agreement for those acts and omissions.