
WHAT HAPPENS IF I EMPLOY A THIRD PARTY TO DO SOMETHING WITH PERSONAL INFORMATION ON MY BEHALF?
If you employ a third party to do something with personal information on your behalf, and they have no right to use the information other than in the manner you set out, it is a legal requirement that you have a written agreement in place, and that agreement must include certain specific clauses. A typical example is using a mailing house to send out regular mailings to your donors or contacts. This is known as a data processing arrangement, and you need a data processing agreement in place before the third party handles the information.
This is particularly important if you use IT consultants to carry out work for you and they have access to your IT systems and the data held on them, as this may be a processing arrangement and require a processing agreement.
ARE THERE ANY AREAS WHERE WE NEED TO BE PARTICULARLY CAREFUL?
If you are using any cloud software, you need to be particularly aware of the seventh and eighth data protection principles, which state that you must ensure adequate levels of security, and you cannot send personal information outside of the EEA without equivalent legal protections being in place.
In terms of security, you need to be confident that your cloud provider provides adequate and reasonable security. It is essential that you have someone on board who understands some of the more technical aspects of cloud computing, as you remain responsible for ensuring that the information you store in the cloud is secure.
The ICO has been clear that a lack of understanding about IT is not a valid excuse when something goes wrong, and you can be held liable for breaches if you have not taken steps to ensure that you understand your IT systems. Responsibility can mean being sued by individuals, but it can also mean being fined by the ICO. Recent cases have made it clear that voluntary organisations and charities are treated in exactly the same way as commercial organisations.
Cloud providers will not necessarily guarantee that your information is stored on servers located in the EEA. If this is the case for the provider you are choosing, you have to be sure that the information will still have the same level of protection that it would have if it were subject to the law of the UK. Your