The Schedule of Processing Activities is available at this link.
1. Subject Matter, Duration, Nature, and Purpose
| Item | Details |
| --- | --- |
| Subject Matter | Conducting investigations on behalf of the Data Controller. |
| Duration | From the Effective Date until completion of Services or termination. |
| Nature | Processing personal data to gather evidence, conduct interviews, and produce investigation reports. |
| Purpose | Supporting disciplinary proceedings, appeals, safeguarding, or regulatory compliance within higher education. |
2. Types of Personal Data and Data Subjects
| Item | Details |
| --- | --- |
| Personal Data | Names, contact details, employment/student records, correspondence, investigation meeting recordings and transcripts, witness statements. |
| Special Category Data | Health information, criminal convictions, safeguarding concerns. |
| Data Subjects | Reporting parties and respondents (whether students, staff, or witnesses). |
3. Controller Instructions
The Processor shall process personal data only on documented instructions from the Controller, including with regard to transfers to third countries, unless required by UK law to process otherwise.
4. Confidentiality
The Processor shall ensure that all persons authorised to process the data are bound by confidentiality obligations (written or statutory).
5. Security Measures
The Processor shall implement appropriate technical and organisational measures, including:
- Encrypted storage and transmission of data
- Secure physical file storage (if applicable)
- Access controls and authentication
- Regular security reviews
6. Sub-processors
The Processor shall not engage another processor (Sub-processor) without prior written authorisation from the Controller. Any approved Sub-processor shall be bound by equivalent data protection obligations.
7. Data Subject Rights
The Processor shall assist the Controller in fulfilling requests from data subjects exercising their rights (access, rectification, erasure, etc.) within 7 days of notification.
8. Data Breach Notification
The Processor shall notify the Controller without undue delay (within 24 hours) upon becoming aware of a personal data breach, including details of the breach, affected data, and remedial actions taken.
9. Deletion or Return of Data
At the end of the Services, the Processor shall, at the Controller’s choice, delete or return all personal data and delete existing copies, unless UK law requires retention.
10. Audit and Inspection
The Controller may audit or inspect the Processor’s compliance with this DPA upon reasonable notice, no more than once per year unless a breach is suspected.
11. International Transfers
No personal data shall be transferred outside the UK unless the Controller provides written authorisation and appropriate safeguards (e.g., UK International Data Transfer Agreement) are in place.
12. Liability
This DPA forms part of the main Services Agreement. Any breach of this DPA shall be treated as a breach of the main Agreement.
If a signed DPA is required, please let me know and I will send a tailored copy as a Word document.
