International College Dundee Data processing agreement

This agreement is entered into between:

The University of Dundee, a registered Scottish Charity (charity number SC 015096) having its principal office at Nethergate, Dundee DD1 4HN hereinafter referred to as the “University”;

And Oxford International Education and Travel Limited (registered Company No. 02666738), trading as ‘Oxford International Education Group’ (OIEG) or ‘Oxford International’ and/or ISIS Greenwich (registered Company number 2666738), whose registered office is at New Kings Court Tollgate, Chandler’s Ford, Eastleigh, Hampshire, SO53 3LG (“OIEG”) - hereinafter referred to as the “Data Processor”, (each a “Party, and together the “Parties”).

Whereas:

1. The University and the Data Processor entered into an Agreement on or around January 2017 and as a consequence thereof the Parties are required to share personal data to facilitate the effective operation of the arrangements under the Agreement.
2. The University is the data controller of the Personal Data and so as to comply with the Data Protection Act 1998 (as amended) (the “Act”) and all subordinate legislation the Data Processor must enter into this Data Processing Agreement (“DPA”) with the University relating to the processing of personal data.

Now therefore the Parties agree as follows:

Definitions

In this Agreement unless the context requires otherwise:

• “Data Processing” is any processing, operation or action taken with the Personal Data which constitutes ‘processing’ in terms of the Act including, without limitation, collection, use, disclosure, destruction and holding of the data and “process” and “processing” is construed accordingly.
• “Data Processor” means the organisation defined above which will receive Personal Data from the University for further processing in accordance with the terms of the Agreement and this DPA;
• “Data Processor Personnel” means the Data Processor and/or its subcontractors and the officers, employees, agents, consultants, representatives and other personnel of the Data Processor and its subcontractors;
• “Data Subject” is the individual which the Personal Data identifies;
• “FOISA” means the Freedom of Information (Scotland) Act 2002 as amended or replaced;
• “Model Clauses” means The European Commission Model Contract for the transfer of personal data to third countries (EU Controller to Non-EU/EEA Processor) (Commission Decision C (2010) 593) the particulars of which are set out in Appendix 1 and Appendix 2 of this DPA;
• “Personal Data” is data processed under this DPA which identifies a living individual and as defined by the Act.
• “Services” the services to be provided by the Data Processor under the Agreement.

References to any act or omission or breach or non-compliance by or on the part of the Data Processor shall be deemed to include a reference to any act, omission, breach or non-compliance by any subcontractor or any Data Processor Personnel.

Data Protection

The Data Processor shall:-

• comply at all times with the requirements of the Act and this DPA and shall perform its obligations in such a way as to ensure that the University does not or is not likely to breach any of its obligations under the Act.
• without prejudice to Clause 2.1 act in accordance with all reasonable instruction from the University and process the Personal Data only to the extent and in such manner as is necessary for the proper performance of its obligations under this DPA or as is required by law or any regulatory body. The Data Processor will assist the University with all subject access requests from Data Subjects and if it receives any such requests directly shall promptly inform the University in writing.
• exercise in respect of Personal Data passed to it by the University under this DPA no lesser security measures and degree of care than those which the Data Processor applies to its own personal data and confidential information. Ensure that the Personal Data is only disclosed to/accessed by Data Processing Personnel who are informed of the confidential nature of the Personal Data and who reasonably require
• access to it for the Data Processor to comply with this DPA and provide the Services. Enter into a written contract on equal terms to this DPA with any sub-contractor appointed by it to perform the Services on Its behalf.
• not acquire any rights in the Personal Data and will keep the Personal Data separate from data held or stored by or under the control of the Data Processor comprising or including personal data other than the Personal Data.
• notify the University that it has become aware of any disclosure or processing of any Personal Data that has been made by the Data Processor or is likely to be made in breach of the terms of this DPA and the University shall be entitled at its sole discretion to either suspend the right of the Data Processor to process the Personal Data pursuant to the terms of this DPA and /or the Agreement; or terminate this DPA and /or the Agreement on ten (10) working days written notice.

Freedom of Information

The Data Processor acknowledges that the existence of this DPA may be subject to requests made pursuant to FOISA and that subject to any applicable exemptions, as determined by the University, the content of this DPA may be disclosed pursuant to FOISA.

Insurance Cover

The Data Processor shall hold throughout the term of this DPA a satisfactory level of and appropriate insurance cover with a reputable insurer to cover the Data Processor’s obligations to the University including without limitation public liability cover of at least five million pounds sterling. The Data Processor will provide satisfactory evidence of such insurance cover to the University upon request.

Liability and Warranties

The Data Processor shall be liable for and fully indemnify the University against each and every action, proceeding, liability, loss, damage, cost, claim, fine, expense and/or demand suffered or incurred by the University which arise from or in connection with or pursuant to any act or omission of or the performance of the Data Processor’s obligations under this DPA, including without limitation those arising out of third party demand, claim or action or any breach of contract, negligence, fraud, wilful misconduct, breach of statutory duty or non-compliance with this DPA or any part of the Act by the Data Processor or its personnel or any claim referred to in Clause 5.2.

The Data Processor acknowledges to and agrees with the University that it shall be liable (to the exclusion of the University, as between the University and Data Processor) for any damages that may be due to or awarded to any Data Subject by any court, authority or person of competent jurisdiction and that the indemnity set out in Clause 5.1 shall apply in respect of any such damages.

The Data Processor warrants, represents and undertakes that it has full power and authority to receive, store and process the Personal Data, give the warranties and indemnities and enter into and perform its obligations under and in terms of this DPA and it will comply with the Act (as if it were a data controller) and in particular the data protection principles set out in the Act and the Model Clauses.

Transborder Data Flows

In respect of any Personal Data provided to it by or on behalf of the University the Data Processor shall at all times comply with the additional contractual provisions set out in the Model Clauses.

Termination

This DPA may be terminated by the University in the circumstances set out in 2.5 or 8.3 or upon termination of the Agreement for whatever reason by giving ten (10) working days notice.

Any termination will be without prejudice to any other rights or remedies of the Parties and will not affect any accrued rights or liabilities of any party at the date of termination. The provisions of clauses 5 and 7 shall survive the expiration or termination of this DPA.

Miscellaneous

Nothing in this DPA is intended to or shall operate to create a partnership or joint venture of any kind between the parties or to authorise a party to act as an agent for the other.

If any provision of this DPA is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, the invalidity or unenforceability shall not affect the other provisions of this DPA and all provisions not so affected shall remain in full force and effect. The Parties agree to substitute for such provision a valid and enforceable provision which achieves to the greatest extent possible the economic, legal and commercial objectives of the invalid or unenforceable provision.

Neither of the parties shall be in breach of this DPA or liable for delay in performing or failure to perform any of its obligations hereunder if that delay or failure results from events, circumstances or causes beyond its reasonable control and the affected party shall be entitled to a reasonable extension of time to perform its obligations provided that after a period of non- performance of six weeks the other party may terminate this DPA by giving ten (10 days) notice to the affected party.

This DPA supersedes any previous agreement between the Parties in relation to the matters dealt with herein and represents (together with the documents referred to herein) the entire agreement between the Parties hereto. All warranties, representations or undertakings that may be implied by law are excluded to the fullest extent permitted by law and each party hereby expressly excludes any and all rights and/or remedies that it may have hereunder. (4)

This DPA shall be governed by and construed in accordance with the laws of Scotland.

IN WITNESS WHEREOF this Agreement consisting of this and the preceding four (4) pages and the attached appendices (2) are subscribed by the parties as follows:

Appendix 1 to the standard contractual clauses

This Appendix forms part of the Model Clauses and must be completed and signed by the parties. The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.

Data exporter (the University)

The data exporter is (please specify briefly your activities relevant to the transfer):

The data exporter is delivering various degree programmes in collaboration with the partner institution. Students taught during this collaboration are students of the University of Dundee and OIEG provide the first period or year of English language and academic discipline instruction to enable the full transition to the University of Dundee for the second year, or period of study.

Data importer (the Partner)

The data importer is (please specify briefly activities relevant to the transfer):

The data importer (OIEG) requires a number of student personal records to enable the fair and accurate delivery and assessment of the educational programme.

In accordance with the Collaboration Agreement - data is provided by the University to permit the routine administration of education provision and delivery of education, Any additional use of the data, for example student welfare, financial management, marketing or other purposes will require the expressed permission of the University.

Data subjects

The personal data transferred concern the following categories of data subjects (please specify):

• Students admitted and jointly registered by the parties;
• Relatives, guardians and associates of the students above

Categories of data

The personal data transferred concern the following categories of data (please specify):

• Personal Details;
• Education and Training Details;
• Student Records (where necessary);
• Financial Details (where appropriate);
• Family, Lifestyle and Social Circumstance (where appropriate);
• Nationality, home location and address;
• Names of the students’ parents and/or responsible person in country of origin;
• Other contact information (for example telephone numbers for parents or other nominee).

Special categories of data (if appropriate)

The personal data transferred concern the following special categories of data (please specify):

• Physical or Mental Health or Conditions (required to ensure appropriate adjustments can be accommodated);
• Racial or Ethnic Origin (where appropriate, required for educational provision);
• Offences (including Alleged Offences) (where appropriate, required for educational provision);
• Religious or other Beliefs (where appropriate, required for educational provision);

Processing operations

The personal data transferred will be subject to the following basic processing activities (please specify):

• Processing activities: administration of education and training (e.g. registration and monitoring, calculation and publication of exam results, provision of references); provision of education (e.g. planning curricula and exams, producing educational materials); administration of student awards and fees;
• Return data: New data will be returned to the University of Dundee in the form of marks, assessment, and attendance data, all identified by University matriculation number. This is required to record the progress of the students within the University student record system. Additional relevant data may also be transferred to and recorded in the University system.
• The scope and purpose: Data processing of the elements described above is to permit the effective delivery of education and the effective recording of assessment achievements of the students by OIEG
• Duration: The duration of the data processing shall be for the term of the UoD - OIEG Collaboration Agreement first completed in August 2016. Data retention shall be subject to the information contained in Appendix 2.

Appendix 2 to the standard contractual clauses

This Appendix forms part of the Model Clauses and must be completed and signed by the parties.

Description of the technical and organisational security measures implemented by the data importer in accordance with the DPA:

The Data Importer is required to maintain and communicate the University data in a secure manner. This will require the use of data encryption, secure authentication, access by approved staff only, and appropriate physical security of the data stores.

These measures are likely to include:

• Carrying out an information risk assessment and identifying an individual within the organisation who is responsible for security measures;
• Vetting staff through processes which comply with the data exporter’s requirements;
• Establishing management controls such as ensuring password access to computerised copies of personal data, limiting access to certain individuals etc.;
• Ensuring physical security and preventing unauthorised physical access to any part of such computer systems, networks and rooms in which the personal data is stored;
• Not transmitting personal data unless that personal data is encrypted and the key or password to decrypt that personal data is communicated separately;
• Restricting the number of paper copies of the data made and/or kept by the data importer to the minimum number reasonably required in order to discharge or exercise the data importer’s rights and obligations;
• Preventing unauthorised physical access to any such paper copies (unless they have been shredded);
• Generally restricting access to the personal data that is in the data importer’s possession in accordance with good practice for an academic institute (or such institute as applies); and
• Compliance with any applicable confidentiality guidelines.

Data shall be retained only as long as required for OIEG to provide educational services to the student and for the student to appeal any marks achieved whilst in receipt of services from OIEG. This will normally be one year after completion of an OIEG programme and the provision of data to the University securely. Any request to vary this period by the partner should be made in writing to the University with a supporting rationale. The University may instruct the partner to vary their retention period at any time informed by regulatory changes or industry best practice.