Information Services Division


Working with third parties

What is meant by a 'third party'?

Third parties in research typically include transcribers, survey tools, and database services. Some may be advertising the security of their services as a primary feature. In fact, these are organisations which process data but they do not play a role in determining the purpose for processing personal data: 'data processors'. This advice applies equally to data that are pseudonymised.

There may be a good reason for using a third party, where UCL are the Data Controller, for carrying out specific tasks, provided you have a legal basis to do so. When entering an agreement with a third party to handle personal data, a contract is required with specific clauses for handling personal data, called a 'data processing agreement' (see 'data processing' here). As an organisation, UCL has staff that can help negotiate these contracts, in procurement services.

It is really important that you do not assume without checking that there is a data processing agreement in place with your service provider. Your service provider will likely not ask you if you want to negotiate a data processing agreement with them! In most cases they will be happy with a basic license agreement which obliges you to pay for the service. Sometimes these agreements give a lot of room for the provider to pass on their customer's data to other third parties. If that happens, you will have completely lost control of your data and this would need to be reported as an incident.

Often a third party has played an important role when designing a research project. This does not mean by default that they have a legal basis for accessing any of the data arising from the project. In research with personal data, the organisation which sponsors the study (in health research) or which provides the resources and direction of study in non-health-related research will be the Data Controller under data protection legislation, including the GDPR, and, ostensibly and legally, must determine the purpose for all processing of personal data (see guidance on data controllers in research for more detail). Significant third parties, including funders, collaborators, suppliers of services, consultants and/or partner organisations other than the Data Controller are at most data processors, which means they are acting under instruction from the Data Controller. This may seem at odds with an important study partner if the responsibility for determining the purpose has been shared. Critically, the Data Controller will be held accountable for any breaches of data protection.

Any use of personal data that is not determined by the Data Controller is unlawful, so, for policy and procedure, you must not rely on a data processor's policies. Similarly, if you are acting as a data processor, you must follow the Data Controller's policy and procedures for handling personal data and, if not possible, refer to the Data Controller for advice.

Why is a contract important?

Sharing data processing responsibilities with a third party creates a risk that needs to be managed. Some third parties help you to manage that risk by providing assurances. They might use certification schemes to support those assurances which can be helpful too. Contracts are fallback assurances that guarantee the validity of any other assurances. That is why it is so important to get contracts signed off by your own organisation, through UCL procurement services, and the third party.

What about anonymised data?

Adequately anonymised data is usually, although not always, OK to share with a third party, provided this is done within the scope of UCL policy, securely and where no link remains to the identifiable data subject. However, data can be restricted by a contract, irrespective of whether they are personal data, so the restrictions applied by data providers can limit the freedom to use third parties in practice.

UK/EEA-based third parties

Organisations operating within the European Economic Area (EEA) which includes the UK or within certain other countries listed here are subject to the General Data Protection Regulation. If you are entering an agreement with an organisation where the processes are to be carried out exclusively within these countries, then you can expect your data processing agreement to be enforced by that jurisdiction.