fbpx
News

Suppliers: are we data processors or data controllers?

Back to previous page

It is very important that schools understand whether their suppliers of products and services are data controllers or data processors. We are aware that there is a lot of confusion around this in schools and in some instances amongst school suppliers so we thought we would try to clarify the difference.

Why is it important?

If you, as the supplier is data controller, it is important that you handle data in accordance with the GDPR compliance standards, however, there is no liability on the school.

However, if you, as the supplier is a data processor and the school is the data controller, you share responsibility. In this instance, it is very important that you demonstrate to schools that you are managing their data appropriately and correctly.

How do we know which we are?

There is no clear-cut rule but here’s some pointers that we hope will help you and your client schools establish which you each fall under.

Suppliers as data controllers

All suppliers will be data controllers for some of your data.

You ask schools for the main contact’s name and details to allow them to do business with you. This is a B2B relationship in which you are the data controller and the school contact is the data subject. All responsibility of keeping that data safe is with you. The school contact can exercise their rights as a data subject to ask you about the data you hold on them, just as a parent can ask a school via a Subject Access Request (SAR).

Examples where suppliers are data controllers:

  • All suppliers – B2B information
  • Training organisation
  • Equipment and Food suppliers (unless schools give you individual names relating to special requests, i.e. the school supply medical information of a pupil or member of staff at school for specialised equipment/food request)
  • Shopping portals
  • etc, etc

Suppliers as data processors

The GDPR makes it clear that the responsibility of keeping data safe is equally shared between the data controller and the data processor.

If large quantities of data are leaving the school to go to another organisation you can be pretty sure that the school is the data controller and the receiving organisation (you) is the data processor. In addition, you are a data processor if the school is passing on information about individuals which is more than is needed for you to do business with the school.

Examples:

  • Local authorities
  • Ofsted
  • Examination boards
  • DfE
  • Teachers pensions
  • HR and Payroll systems
  • School meals
  • etc, etc

In addition, there are commercial companies which are also your data processors.

  • Messaging and Parent Engagement systems
  • Payment and school meals’ services
  • Online safeguarding software
  • Teaching and learning portals which ask you to upload pupil or staff data
  • System integrators which pull data from 1 place and move it to another
  • etc, etc

Each supplier must provide schools with evidence of their compliance for the school’s data protection impact assessments (DPIA) or as part of their review of compliance and the school’s culture on use of data.

Suppliers that produce software to allow schools to process data

There are many systems in schools where the software processes data but it never leaves the premises. Whilst the suppliers in this instance are not data processors they have a responsibility to ensure their software can allow schools to meet compliance. We would expect these suppliers to provide schools with much of the evidence as if they were a data processor even though they do not process the data.

  • Local applications such as Word and Excel (not Office 365 Online), where data is held, often in templates or mark sheets
  • Local hosted MIS
  • Various teaching software loaded locally where children or staff enter their names or access is controlled by the computer login
  • etc, etc

It is important to note that if any of these suppliers change the system to an offering online or they undertake remote support and have access to the data, then they become a data processor.

Careful consideration is needed when schools approach you for information about your compliance, or how you support the school’s own compliance.  GDPRiS has already provided guidance about the questions schools are likely to ask you should you be a data processor, or where you can help schools with their compliance. This should help in your responses to schools.

If you are purely working on a B2B basis with schools then a simple statement pointing this out to the school, referring to your Privacy Notice and actions you have taken as a data controller to ensure compliance, should be sufficient.

    Our members

    Looking for quality education products and services? BESA members sign up to our Code of Practice, so you can be confident you are spending wisely with companies you can trust.

    Code of Practice

    This Code of Practice is a mandatory membership commitment given by members to BESA

    Our Team

    The BESA secretariat is a small, dedicated team that works hard to find channels to market for education suppliers

    Research

    BESA publishes over 20 market research reports each year on a wide range of topics. Access our latest reports and the full research archive.

    UK Education Statistics

    There are currently 32,770 schools in the UK. Of these, 3,714 are nurseries or early-learning centres

    News

    Keep up to date with member news, announcements and BESA activities.

                Policy Updates

                Our weekly roundup of policy news, debate and initiatives.

                Great British Classroom

                Running as part of BESA’s exhibitions programme showcasing the world’s best education products and services

                Resource Our Schools

                The Resource Our Schools campaign has been initiated by the British Educational Suppliers Association (BESA), working with a coalition of organisations and suppliers.

                Summer Business Insight Day 2024

                BESA's annual summer member event returns for 2024 at The Oval Cricket Ground this July!

                Special Interest and Working Group meetings

                BESA recognises the importance of bringing together members with common interests to share ideas, information and maintain a tight focus on each market place.

                GESS Dubai 2024

                Join the UK Pavilion at GESS Dubai 2024 - Unleashing Educational Excellence.

                Special Interest Groups

                With such a diverse market, BESA recognises the importance of bringing together members with common interests to share ideas

                International

                BESA works with UK education suppliers to help maximise their export potential, regardless of their stage in their export journey.

                Discounts and Opportunities

                We work hard to identify high-quality providers to the education suppliers sector, and negotiate discounts on behalf of our members.

                Code of Practice

                This Code of Practice is a mandatory membership commitment given by members to BESA.

                LendED

                LendED enables you to search, preview and test education technology products before you buy them, so you can be sure they will meet your needs.

                Supplier Directory

                Looking for quality education products and services? BESA members sign up to our Code of Practice, so you can be confident you are spending wisely with companies you can trust.

                  Sponsorship

                  Learn more about BESA’s sponsorship opportunities.