ISP-4 Outsourcing and third party compliance policy

This is a sub-policy of the ISP-01 Information security policy.

Summary

This policy seeks to ensure that when the University works with external parties, the security of its data and systems is maintained. It outlines the need for careful risk assessments, contracts, and due diligence to protect information. The policy also addresses data protection laws, ensuring any third party access complies with legal standards. This helps minimise risks and ensures that any outsourced services meet the University's security expectations.

Control information

Owner: Chief Information Security Officer, IT Services
Author: Information Security Manager, IT Services
Sponsor: Chief Information Security Officer, IT Services
Consulted: Director of Procurement, Information Governance Manager and Data Protection Officer, Information Governance and Security Advisory Board (IGSAB)
Approved by: Information Governance and Security Advisory Board (IGSAB)
Responsible area: IT Services
Version: 5
Approval date: 14 November 2025
Effective date: 14 November 2025
Interim review effective date: Not applicable
Full review period: 1 year
Date of next full review: 30 September 2026
EIA completion date: Not applicable
DPIA completion date: Not applicable
SIA completion date: Not applicable
Reporting requirements: Not applicable
Applicable statutory, legal or best practice requirements:
  • UK Data Protection Law (UK GDPR)
  • Data Protection Impact Assessments (DPIA)
  • Information Commissioner’s Office (ICO)
  • University Information Classification Scheme
  • Procurement Policy
Keywords: breach notification, confidential data, contractual considerations, data processing agreement, data protection, Data Protection Impact Assessment (DPIA), due diligence, information classification, Information Commissioner’s Office (ICO), information security, outsourcing, procurement policy, risk assessment, third party compliance, UK GDPR

1. Updates to this policy

1.1. This policy has been updated to align to the new University of Bristol policy management framework.

2. Introduction

2.1. This policy is a sub-policy of the ISP-01 Information security policy and outlines the conditions that are required to maintain the security of the University’s data and systems when third parties, other than the University’s own staff or students, are involved in their operation.

3. Scope

3.1. The policy applies to all members of the University who are considering engaging a third party to provide a service that may involve access to the University’s information assets. It covers activities where third parties are used for cloud computing services, software services, or the design, development, or operation of University information systems. It also applies when third party access is granted remotely to University systems. The policy does not cover individual sharing of documents and information by staff and students with third parties, which is addressed in the ISP-07 Information handling policy.

4. Definitions

4.1. A member of the University: This is defined in University Constitution: Ordinance 9, section 7.

4.2. Confidentiality clauses: Contract terms that require third parties to protect sensitive information and prevent its unauthorised disclosure.

4.3. Data processing agreement: A formal contract outlining the responsibilities and terms under which personal data is being processed.

4.4. Data Protection Impact Assessment (DPIA): A process to assess risk when gathering, storing, transferring or processing personal data, ensuring compliance with data protection laws.

4.5. Formal outsourcing: The process of contracting third parties with a clear agreement on security, services, and risks, ensuring compliance with policies.

4.6. Information security policies: Rules and guidelines set to ensure the confidentiality, integrity, and availability of the University’s information assets.

4.7. International Data Transfer Agreement (IDTA): A contract used when transferring personal data outside the UK to ensure compliance with UK data protection laws.

4.8. Outsourcing risk: The potential for loss or damage to the University’s data, systems, or reputation when third parties are involved in services or operations.

5. Responsibilities

5.1. University Members: When engaging with third parties, must assess outsourcing risks, conduct due diligence, and ensure compliance with the University's information security and data protection requirements. They must consult with relevant departments such as IT Services, Legal Services and Secretariat, and Procurement to manage third party risks effectively.

5.2. Procurement Team: Supports the outsourcing process by ensuring contracts are in place with third parties, including necessary security provisions, confidentiality clauses, and compliance with the University’s policies on data handling, ensuring risks are minimised.

5.3. IT Services: Must support the due diligence process for onboarding third parties to ensure that data protection and security requirements are met before implementing the third party system or service.

5.4. Legal Services and Secretariat: Responsible for providing legal advice on contract terms, ensuring all outsourcing agreements meet legal and regulatory requirements, and assisting with the development and review of data protection and confidentiality clauses.

5.5. Outsourced Third Party Service Providers: Are responsible for adhering to the University's information security policies, ensuring data security, and complying with all contractual terms related to data protection and breach notification requirements.

6. Managing outsourcing risk

6.1. Before outsourcing or allowing a third party access to the University systems or University data classified as Open or above, a decision must be taken by staff of appropriate seniority that the risks involved are clearly identified and acceptable to the University. The level of staff seniority will depend on the classification of the data involved (as per University Information Classification Scheme) and the value and complexity of the contract. Advice must be sought from Information Security, Legal Services and Secretariat and Procurement during the work request approval process.

7. Formal outsourcing

7.1. Where a service is formally outsourced by the University, the process must be managed by the relevant University staff and a contract that covers standards and expectations relating to information security (see Contractual considerations) must be in place.

8. Due diligence

8.1. The process of selecting a third party service provider must include due diligence of the third party in question, a risk assessment and a review of any proposed terms and conditions to ensure that the University is not exposed to undue risk.

8.2. This process may involve advice from members of the University, or engaged external professionals, with expertise in contract law, IT, information security, data protection and human resources. This process must also include the consideration of any information security policies or similar information available from the third party and whether they are acceptable to the University.

9. Contractual considerations

9.1. Use of third party services must not commence until the University is satisfied with the information security measures in place and a contract has been signed.

9.2. All third parties that are given access to the University systems or University data classified as Open or above must agree to follow the University’s information security policies, or the terms set out in any agreed deviation from those policies with appropriate University signoff.

9.3. Advice should be sought from Legal Services and Secretariat and/or Procurement in relation to contractual arrangements. University standard terms should be used where possible: Standard Terms and Conditions for the Supply of Goods and Services - short form terms and conditions v8 (PDF, 253kB).

9.4. Confidentiality clauses must be used in all contractual arrangements where a third party is given access to University data classified as Open or above.

9.5. Contracts must also contain the support arrangements with third parties, especially in the event of a security breach. These will include data breach notification requirements, hours of support, emergency contacts and escalation procedures.

9.6. Contracts must include provisions to ensure the continued security of data and systems if a contract is terminated or transferred to another supplier.

9.7. All contracts for the supply of services to the University by external suppliers must be monitored and reviewed to ensure that information security requirements are satisfied.

10. UK data protection law

10.1. The Data Protection Impact Assessment (DPIA) screening process must be completed at the outset of any project that will potentially involve data classified as Confidential and above being accessed by a third party. Any outsourcing arrangement involving the transfer of data classified as Confidential and above to a third party must include the acceptance of the University’s standard personal data processing terms or a negotiated equivalent incorporating the same standards. All contracts that require the processing of personal data must have an agreed purpose and lawful basis for processing that data.

10.2. If the outsourcing involves the transfer of personal data outside the UK to a country or territory that the UK recognises ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data, then transfers can take place without any further authorisation (Art.45 UK GDPR). The Information Commissioner’s Office (ICO) provides a list of countries it has deemed to provide an adequate level of protection. If the outsourcing involves the transfer of personal data outside the UK to a country or territory that the UK does not recognise as providing an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data, then the UK International Data Transfer Agreement (IDTA) or the Addendum may be used as a contractual transfer tool to comply with Art.46 UK GDPR when making personal data transfers. Guidance on the appropriate use of the IDTA should always be sought from the University’s Data Protection Officer.

10.3. The University’s Data Protection Policy: https://www.bristol.ac.uk/secretary/data-protection/policy/

11. Informal outsourcing

11.1. There are extensive online IT solutions with which the University will have no formal agreement or contract in place; examples include email services and cloud storage providers.

11.2. Users of such services are required to accept the provider’s set terms and conditions and the University cannot negotiate terms as it would via the formal outsourcing procedure.

11.3. The use of such services for storing and/or handling of University data presents a risk to the University as there is no way the University can ensure the confidentiality, integrity and availability of the information without a formal agreement in place. The storage of data classified as Confidential or above with such providers is likely to be a breach of the UK data protection law for which the University could be penalised by the Information Commissioner.

11.4. In light of these risks, wherever possible University staff must only use services provided or endorsed by the University for conducting University business. The University recognises, however, that there are occasions when it is unable to meet the legitimate requirements of its members. In these circumstances University members are expected to engage with IT Services and Procurement to begin the required due diligence (see Contractual considerations) allowing adequate time for assessment to take place ahead of any defined deadlines. Third party terms and conditions must not be accepted prior to the completion of this approval process.

11.5. For further guidance on placement of University data on non-University systems refer to the Removal of Information section of the ISP-07 Information handling policy.

11.6. University data subject to UK data protection law or data that has a classification of Confidential or above must be stored using University facilities or with third parties subject to a formal, written, legal contract with the University.

11.7. Those wishing to engage third parties in this way must have a Data Processing Agreement in place before data is transferred.

12. Third party physical access

12.1. A risk assessment must be completed prior to allowing a third party to have access to secure areas of the University where confidential information and assets may be stored or processed.

12.2. This assessment must take into account:

  1. What computing equipment the third party potentially could have access to.

  2. What information they could potentially access.

  3. Who the third party is.

  4. Whether they require supervision.

  5. Whether the third party access request places other existing contractual terms at risk.

  6. Whether any further steps can be taken to mitigate risk.

Request this policy in an alternative format

If you need this policy in a different format, email uob-policymanager@bristol.ac.uk. In your message, include the format you need, for example: plain text, braille, BSL, large print or audio.