The assessment is based on the information provided by the Third Party and the configuration of the C2k Network in operation at the time of assessment. Capita cannot be held liable for inaccuracies or omissions in the information provided by the Third Party or for any changes to the configuration of the C2k Network that may subsequently impact on the expected operation of the Third Party Product once implemented. Capita is not responsible for ensuring or enforcing 3rd party solutions for any school or for any GDPR compliance by the school or the Third Party, data losses caused by the school or the Third Party or security issues arising from the 3rd party solution. Capita will not be carrying out a full assessment of any SIMS integration solution, and schools, along with the 3rd party supplier, must adhere to the guidelines in section 4.3. A charge may be made for schools to get ports opened up on the firewall by Capita and any requests must come in via the C2K Service Desk.
When authorising a 3rd party to design, implement and support a 3rd party solution, each individual school is solely responsible for:
- Informing EA / C2k of any 3rd party system or device connected to the EN(ni) managed service / C2k network, and ensuring that nothing is implemented until approval is given.
- Following instructions and guidelines provided by EA / C2k and/or Capita for any 3rd party solution traversing or connecting to the EN(ni) managed service / C2k network.
- Security requirements:
  - Adhering to security and acceptable use policies.
  - Minimum access is provided for 3rd parties accessing systems.
  - Third Party Software is not installed on the SIMS Servers and a separate INT server may be required.
  - Third Party Suppliers do not have direct access to the SIMS Server.
  - Third Party Suppliers should not use school staff C2k and/or SIMS usernames or be set up with a TP Super User Account.
- GDPR compliance:
  - If the school is using any 3rd party software solutions that are not part of the C2k provider service, and these solutions are processing personal data, then the school as a data controller is responsible for GDPR compliance by the school and the Third Party data processor.
  - A Data processing agreement should be in place between the Supplier and the School that meets GDPR requirements. This should include the following:
    - the subject matter and duration of the processing;
    - the nature and purpose of the processing;
    - the type of personal data and categories of data subject; and
    - the school’s obligations and rights.
    - Processing only on the documented instructions of the controller.
    - Duty of confidence.
    - Appropriate security measures.
    - Using sub-processors.
    - Data subjects’ rights.
    - Assisting the controller.
    - End-of-contract provisions.
    - Audits and inspections.
  - Update the school’s privacy notice(s) as required.
  - Complete a Data Protection Impact Assessment in relation to the 3rd party solution, which should be submitted to the School’s Data Protection Officer for review.
  - Ensure the minimum amount of personal data is shared with the 3rd party.
  - Ensure that appropriate access controls are put in place so that personal data is only accessible by the data subjects the information relates to or authorised school staff.
  - Any potential or actual data loss incidents during or after implementation of the 3rd party solution must be reported immediately to the school’s Data Protection Officer.
If any school is in doubt about these obligations, it should contact the EA information governance team on GDPR compliance matters and EA / C2k on technical or security queries.
All 3rd parties engaging with a school or number of schools are responsible for:
- Ensuring a separate data processing agreement that meets GDPR requirements is in place for each school.
- Complying with their obligations under such data processing agreements.
- Complying with their obligations as a data processor under GDPR.
- Engaging and cooperating with each school to ensure full GDPR compliance.