THIS AGREEMENT is made BETWEEN:
(1) Trinity College London (company registration no 2683033), a registered charity in England and Wales (charity no. 1014792) and Scotland (charity no. SC049143) whose registered office is at the Blue Fin Building, 110 Southwark Street, London SE1 0TA, United Kingdom, and its successors and permitted assigns (‘Trinity’, ‘we’, ‘our’, ‘us’); and
(2) you, where you are a registered exam centre for Trinity Exams (‘you’, ‘your’, ‘your centre’), each, a ‘party’ and together, the ‘parties’.
Trinity is a leading international awarding organisation providing regulated qualifications in the English language and in a range of disciplines in the performing arts. You wish to become a Registered Exam Centre and host Trinity exams.
1.1 We appoint you as a Registered Exam Centre for the duration of this Agreement for the Trinity exam(s) specified in the Letter.
1.2 Your centre is only registered to offer the qualifications as set out in the Letter (the ‘Trinity Exams’) and to candidates registered with your centre located in the territories set out in the Letter. You can apply to register for additional subject areas in accordance with our application procedure. You may offer the Trinity Exams to candidates registered with your centre located in additional territories subject to us giving you our prior written consent in relation to each such additional territory, such consent not to be unreasonably withheld. Trinity may withdraw its consent in relation to any territory (including the territories set out in the Letter) for reasons including but not limited to legal or regulatory concerns. We will confirm in writing to you with reasonable notice where any territories are withdrawn from your registration. We will also work with you to take reasonable steps to protect the interests of candidates from such territories who have already enrolled for Trinity Exams and will comply with the applicable requirements of Trinity’s regulators.
1.3 Trinity may produce new or withdraw current qualifications during the period that this Agreement is in force. We will confirm in writing to you with reasonable notice where possible any qualifications that are to be added to or withdrawn from your registration.
1.4 Your centre registration is valid for the duration of this Agreement in respect of your venue(s). You warrant and will ensure that the venue(s) for your centre where Trinity Exams are conducted meet the venue requirements as specified by Trinity from time to time.
1.5 Each party will perform its responsibilities under this Agreement (including those applicable to you set out at Schedule 1) to high standards of customer care and academic practice and in accordance with:
1.6 Unless otherwise agreed with us in advance, you agree to use Trinity’s IT Systems for the administration of the exams.
1.7 You agree to inform us promptly of any material changes to information that you have supplied to us, including your details, exam venue locations and key contacts.
1.8 You warrant that the information provided by you in connection with your registration as a Registered Exam Centre is true and not misleading.
2.1 We will provide you with quality assessments based on our pedagogical practice and research.
2.2 On registration, you will receive from us your Registered Exam Centre Logo and information to enable you to access Trinity IT Systems, register and prepare learners and assist with the conduct of Trinity Exams in accordance with Trinity’s applicable specifications, syllabuses, regulations, operational procedures, information and guidance.
2.3 Subject to the booking conditions set out in clause 3, we will assess learners enrolled by you onto Trinity Exams, promptly notify you of their results and issue exam certificates for the successful candidates.
2.4 We may, where appropriate, arrange for Trinity examiners to carry out examiner visits at your centre in accordance with our standard procedures (the details of which are set out in the centre handbook).
2.5 We will publish your centre contact details on our website once you have loaded them onto Trinity IT Systems (except where you have expressly told us not to).
2.6 In selected countries (as determined by us), we will provide in-country support via a regional office or representative.
2.7 We will regularly update you on product and delivery developments.
3.1 To assist with planning examiner availability, centres are requested to provide candidature forecasts for the academic year if possible.
3.2 We publish our exam fees periodically. You will collect and pay exam fees to Trinity on behalf of candidates.
3.3 Your booking will be secured once we have confirmed that the exam may go ahead and you have paid in full all of the applicable fees due to us prior to the exam closing date and (unless agreed with us in advance or required under tax law) without any set-off, counter-claim, deduction or withholding save where Trinity offers you a discount.
3.4 Any booking requiring an examiner visit will be subject to a minimum booking fee and any booking requested after the exam closing date will incur a late exam booking fee.
3.5 You agree that Trinity may, in its sole discretion, cancel examiner visits for reasons of Force Majeure or a perceived threat to examiner or candidate safety.
4.1 The parties agree that each party is an independent Data Controller of Stakeholders’ Personal Data under Data Protection Law. Each of the parties will ensure that it complies with the applicable Data Protection Laws at all times during the term of this Agreement. Where required, each of the parties shall enter into any data transfer agreement required by the applicable Data Protection Laws.
4.2 Each party agrees to provide the other with such reasonable cooperation and assistance as is necessary to enable the other to comply with its obligations as a Data Controller in respect of Stakeholders’ Personal Data, including to enable the other to comply with Stakeholders’ subject access requests, complaints and appeals.
4.3 Each party will ensure that Stakeholders’ Personal Data is accurate and kept up-to-date.
4.4 Trinity will process Stakeholders’ Personal Data received from you in accordance with Trinity’s privacy statements available on Trinity’s website. Where applicable, you will inform Stakeholders that their Personal Data will be transferred to Trinity to be processed and bring Trinity’s privacy statements to their attention. You will process Stakeholders’ Personal Data received from Trinity in relation to the verification of candidates’ identity, administration of, booking, hosting, moderating and monitoring exams, disseminating exam results, distributing exam certificates, marketing, training, research and statistical purposes. Where applicable, Trinity will inform Stakeholders that their Personal Data will be transferred to you to be processed for these purposes.
4.5 Each party will not transfer any Stakeholders’ Personal Data unless the transfer complies with Data Protection Laws and will seek consent where necessary in order to transfer Stakeholders’ Personal Data in countries where data protection laws are deemed by the European Community or the United Kingdom to offer inadequate protection to individuals.
4.6 Each party will implement appropriate technical and organisational measures to protect Personal Data against a Data Security Breach. You will also comply with our security requirements applicable to the administration, hosting and delivery of Trinity Exams, including for the storage of Trinity Exam materials and the verification of candidates’ identity.
4.7 Each party will notify the other immediately and within 72 hours in the event of a notifiable Data Security Breach relating to the applicants or candidates of your centre or their parents, guardians or teachers and provide the other with such reasonable assistance as is necessary to facilitate the handling of such Data Security Breach in an expeditious and compliant manner.
4.8 To the extent that your centre is outside of the Protected Area (defined below), the parties acknowledge that in connection with this Agreement, Trinity may transfer Personal Data relating to the Stakeholders to you. As such, where this clause is applicable, each party agrees to comply with the obligations as set out in the UK Standard Contractual Clauses as though they were set out in full in this Agreement, with Trinity being the data exporter and you being the data importer, with the parties’ click through acceptance of this Agreement being deemed to also make the UK Standard Contractual Clauses binding on the parties and with the Annexes to the UK Standard Contractual Clauses being as set out in Schedule 3 to this Agreement. As permitted by clause 17 of the UK Standard Contractual Clauses, the parties agree to change the format of the information set out in Part 1 of the UK Standard Contractual Clauses so that:
4.8.1 the details of the parties in table 1 of the UK Standard Contractual Clauses shall be as set out in Schedule 3 to these T&Cs with no requirement for signature;
4.8.2 for the purposes of table 2 of the UK Standard Contractual Clauses, the UK addendum shall be appended to the EU Standard Contractual Clauses (including the selection of modules and disapplication of clauses as noted in the definition of EU Standard Contractual Clauses); and
4.8.3 the appendix information listed in table 3 of the UK Standard Contractual Clauses is set out in Schedule 3 to these T&Cs.
4.9 For the avoidance of doubt, the UK Standard Contractual Clauses are the data transfer agreement referenced in clause 4.1 of this Agreement.
4.10 Each party will keep the other party’s Confidential Information secret and secure, except when required to disclose such information to the court or other authority.
5.1 Trinity hereby grants to you, for so long as this Agreement remains in force, a royalty-free, non-exclusive, non-transferable, non-sublicensable right to use your Registered Exam Centre Logo and any such other Trinity marks that designate your Trinity Exams. You will ensure that all materials produced by you in connection with the Trinity Exams comply with Trinity’s brand guidelines and any limitations or restrictions issued by us from time to time.
5.2 Your Registered Exam Centre Logo and this Agreement are valid proofs of your centre registration by Trinity. You will not misrepresent the nature of your Registered Exam Centre status to others and, in particular, you will not suggest in any way that your centre is owned or controlled by Trinity or that it has been accredited, validated or franchised by Trinity.
5.3 You confirm that you hereby assign to Trinity any intellectual property created by you that incorporates or is derived from Trinity’s Intellectual Property.
5.4 You will not use or seek to register any mark, design, business name or domain name comprising or being confusingly similar to any Trinity Intellectual Property, or do or permit to be done any act that may weaken, damage or be otherwise detrimental to the reputation or goodwill associated with Trinity, or interfere with the registration or validity of Trinity’s Intellectual Property.
5.5 For the avoidance of doubt, a breach of any of the provisions of this clause 5 will be considered a material breach of this Agreement.
6.1 To protect the interests of candidates, you will only register candidates for a Trinity exam whom you reasonably expect to complete their chosen qualification.
6.2 Trinity is a regulated awarding organisation. To this end, you agree to take all necessary and reasonable steps to facilitate compliance by Trinity with the requirements of its regulators, including Ofqual’s General Conditions of Recognition, such as by complying with any reasonable written instruction issued by Trinity for such purpose and/or (at our cost) assisting a regulator with any investigations made for the purpose of performing its functions.
6.3 You agree and undertake that:
6.4 Upon receiving reasonable notice from Trinity, you will take all reasonable steps:
provided that Trinity is not permitted to inspect, nor are you required to disclose, commercially sensitive information and/or documents. You will keep such records for so long as this Agreement remains in force and for 24 months thereafter.
7.1 You will take reasonable steps to identify the risk of any incident in relation to your role as a Registered Exam Centre which could harm or prejudice candidates and seek to prevent and mitigate it as far as reasonably possible.
7.2 You will notify us as soon as possible of any incident or significant risk of any incident which might result in your non-compliance with Trinity’s rules and regulations, including our exam security requirements.
7.3 Trinity maintains full and comprehensive insurance to cover its own risks. Similarly, for the duration of this Agreement and for one year thereafter, you will maintain appropriate insurance under local law to cover the potential risks arising from your role as a Registered Exam Centre and will produce proof of valid insurance on request.
8.1 Subject to clause 8.2 and save in respect of any liability for death or personal injury, fraud or fraudulent misrepresentation or any liability that cannot be excluded or limited under English law:
8.2 You agree to indemnify Trinity in case of any damages or loss suffered by Trinity out of or in connection with any infringement or theft by your employees or other persons providing the Exam Services on your behalf of any Confidential Information, Intellectual Property or third party intellectual property rights.
9.1 This Agreement will come into force on the Commencement Date and will remain in effect unless terminated in accordance with the provisions of this clause 9.
9.2 Without prejudice to any of its rights or remedies, either party may terminate this contract:
9.3 Without prejudice to any of our rights or remedies, we may terminate this Agreement immediately without liability by written notice if:
9.4 We reserve the right to suspend or restrict your centre registration and access to our administrative systems in respect of any exam subject or any exam venue if you commit a suspected breach of this Agreement or during any necessary investigation.
9.5 Neither party will be in breach of this Agreement nor liable for a delay or failure in performance resulting from Force Majeure. In such circumstances, the affected party will be entitled to a reasonable extension of the time allocated for performing its obligations provided that, if the period of delay or non-performance continues for 30 days from the date of occurrence, the party not affected may terminate this Agreement by giving 14 days’ written notice.
10.1 If you decide to withdraw from the delivery of Trinity Exams after you have enrolled candidates, or upon termination or expiry of this Agreement, both Trinity and you will take reasonable steps to protect candidates’ interests and give them clear information as to how they may be affected.
10.2 Where your withdrawal will, or may, cause a prejudicial effect on candidates, you will consult with the affected candidates and use reasonable endeavours to minimise such prejudicial effect before ceasing to provide the Exam Services and will provide evidence of such consultation to Trinity upon request.
10.3 Immediately upon the suspension, expiry or termination of this Agreement:
10.4 On termination or expiry of your Agreement with Trinity for any reason, each party’s accrued rights and liabilities as at expiry or termination, as well as clause 4 (Confidentiality, Security and Data Management), clause 6 (Special Conditions), clause 8 (Limitation of Liability and Indemnity), clause 10 (Consequences of Withdrawal, Suspension or Termination), clause 11.11 (Governing Law and Jurisdiction), clause 11.12 (Language) and Schedule 2 will survive and continue in full force and effect.
11.1 Subject to clause 1.3 and the right of Trinity to amend its exam specifications, regulations and operational procedures as set out in its handbook and best practice guides for the relevant exams, no variation of this Agreement will be valid unless it is in writing and duly executed by the parties.
11.2 The invalidity, illegality or unenforceability of any term under this Agreement will not affect the validity, legality or enforceability of its remaining terms.
11.3 You may not assign or transfer to a third party, charge, or otherwise dispose of any of your rights, benefits or obligations arising out of this Agreement without Trinity’s prior written consent.
11.4 Without prejudice to any other rights or remedies that Trinity may have, you accept that damages alone may not be an adequate remedy for breach of the terms of this Agreement and that Trinity is entitled to the remedies of injunction, specific performance or other equitable relief for any threatened or actual breach by you of any of the terms of this Agreement.
11.5 Any notice given under this Agreement must be in writing, by post or by email and clearly identified as such in correspondence. A notice will be deemed received 5 days after posting or at 5pm on the day if sent by email, provided that any notice received on a weekend or public holiday or after 5 pm (local time at the place of receipt) will be deemed to be received on the next business day.
11.6 Only the parties to this Agreement have the right to enforce any of its terms.
11.7 Nothing in this Agreement is intended to make you an agent or partner of Trinity or to constitute a joint venture between you and Trinity.
11.8 Where either party fails to exercise any right or remedy under this Agreement, this will not be construed as a waiver of that right or remedy.
11.9 This Agreement constitutes the entire agreement between the parties and supersedes all previous agreements and understandings between them in relation to this Agreement’s subject matter.
11.10 Each party warrants to the other that it has full power and authority to enter into this Agreement.
11.11 This Agreement will be governed by and interpreted in accordance with English law and, where a dispute, controversy or claim cannot be amicably settled, the parties agree to submit to the exclusive jurisdiction of the English courts.
11.12 This Agreement is drafted in the English language. If this Agreement is translated into any other language, the English language text will prevail.
11.13 This Agreement may be signed in any number of counterparts each of which when executed shall constitute a duplicate original, but all the counterparts shall together constitute the one agreement. The parties may use a certified electronic signature provider for the purpose of electronically signing and giving legal effect to this Agreement. Each of the parties hereby agrees that this Agreement shall be legally binding, including when signed through a certified electronic signature provider.
Save where otherwise agreed in writing with Trinity, you will provide the following services (the ‘Exam Services’) in respect of the Trinity Exams at your centre:
INTERPRETATION AND DEFINITIONS
Commencement Date has the meaning given to it in the Letter.
Confidential Information means any and all information of a secret or confidential nature and not publicly known (whether or not marked proprietary and/or confidential, oral or written, and however stored) and which has been or will be provided by Trinity to you, or which you become aware of as a result of entering into and performing your obligations under this Agreement, including but not limited to Trinity’s technical, financial, academic or business information.
Data Controller means the person who, alone or jointly with others, determines the purposes for which and the manner in which any Personal Data are processed.
Data Protection Laws means all applicable laws and regulations in force from time to time governing the use or processing of Personal Data, including (where applicable) the Data Protection Act 2018, the General Data Protection Regulation (EU) 2016/679 and Regulation (EU) 2016/679 as it forms part of the law of England, Wales, Scotland and Northern Ireland by virtue of Section 3 of the European Union (Withdrawal) Act 2018 as amended by the Data Protection, Privacy and Electronic Communications (Amendments) etc (EU Exit) Regulations 2019 (as amended) (also known as the UK GDPR), the Privacy and Electronic Communications (EC Directive) 2003, the Investigatory Powers Act 2016 and the Investigatory Powers (Interception by Businesses etc. for Monitoring and Record-keeping Purposes) Regulations 2018 in each case, as amended, re-enacted, consolidated, revised or replaced from time to time, and any applicable equivalent laws in your territory.
Data Security Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the candidate Personal Data.
Digital Exam means an exam that is performed or assessed digitally.
EU Standard Contractual Clauses shall mean the Commission Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021, including the text from module one and not including any of the clauses marked optional.
Exam Services has the meaning given to it in Schedule 1.
Force Majeure means events, circumstances or causes beyond a party’s control.
Intellectual Property means all intellectual property rights in Trinity’s business, products and services including without limitation: all patents, patent applications, goodwill, names, logos (including Registered Exam Centre Logos), Trinity marks (whether registered or unregistered, such as ‘Trinity College London’, ‘Trinity’, ‘GESE’, ‘ISE’, etc.), design rights, copyright and all related rights in any Trinity Exam, specifications, regulations, guidance and ancillary products (such as rights in typographical arrangements and in sound and video and/or sound recordings), know-how, data (including candidate data and information), databases (including candidate databases and whether registrable or not in any country), internet expertise, software, proprietary hardware, technical information, and graphic representations and likeness of Trinity services, products or premises.
Letter means the letter sent to you by Trinity confirming your appointment as a Registered Exam Centre.
Ofqual means the Office of Qualifications and Examinations Regulations in England.
Personal Data means any data which relates to an identified or identifiable natural person.
Protected Area means the United Kingdom and any country, territory, sector or international organisation in respect of which an adequacy decision under United Kingdom adequacy regulations is in force.
Registered Exam Centre means a centre that has been authorised and registered by Trinity to provide Trinity Exams.
Registered Exam Centre Logo means the logo issued to you on registration by Trinity and made up of a combination of a Trinity mark and your centre’s allocated registration number.
Stakeholders means applicants, candidates, their parents and guardians, teachers and any other stakeholders who have expressed an interest in Trinity, as well as Trinity or your staff and consultants and Trinity examiners.
Trinity IT Systems means Trinity’s information technology platform made available to you to support your delivery of the Trinity Exams.
UK Standard Contractual Clauses shall mean the International Data Transfer Addendum to the EU Standard Contractual Clauses issued by the Information Commissioner and laid before Parliament in accordance with section 119A of the Data Protection Act 2018 on 2 February 2022.
ANNEXES TO THE STANDARD CONTRACTUAL CLAUSES
A: LIST OF PARTIES
Data exporter(s): [Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]
Name: Trinity College London
Address: Blue Fin Building, 110 Southwark Street, London SE1 0TA, United Kingdom
Official registration number (if any): Company registration no 2683033, a registered charity in England and Wales (charity no. 1014792) and Scotland (charity no. SC049143)
Contact person’s name, position and contact details: Data Protection Officer, email@example.com
Activities relevant to the data transferred under these Clauses: For the delivery of Trinity examinations, the award of Trinity qualifications, the administration of the contractual relationship between Trinity and you and between Trinity and its service providers, and the provision of services to the Stakeholders, including candidates, their parents/legal guardians, their teachers and any other representative or agent.
Signature and date: As per the signature on the Letter and the Commencement Date
Role (controller/processor): controller
Data importer(s): [Identity and contact details of the Centre data importer(s), including any contact person with responsibility for data protection]
Name: your centre, as named in the Letter [Note: Include full legal name and trading name if different]
Address: The address for your centre as set out in the Letter
Official registration number (if any): The registration number for your centre as set out in the Letter
Contact person’s name, position and contact details: As provided in the application form that you submitted to Trinity online
Activities relevant to the data transferred under these Clauses: For the delivery of Trinity examinations, the award of Trinity qualifications, the administration of the contractual relationship between Trinity and you and between Trinity and its service providers, and the provision of the Exam Services and the services to the Stakeholders including candidates, their parents/legal guardians, their teachers and any other representative or agent.
Signature and date: As per the click-through acceptance of the Agreement online and the Commencement Date
Role (controller/processor): controller
B: DESCRIPTION OF TRANSFER
MODULE ONE: CONTROLLER TO CONTROLLER
Categories of data subjects whose Personal Data is transferred:
Candidates’/applicants’ parents or legal guardians
Categories of Personal Data transferred:
The personal data transferred concern the following categories of data:
Candidates: Personal data may include name, age, gender, candidate number, assessment marks, results and awards, written scripts, recordings of exam performances, postal address, email address and contact details, date of birth, first language spoken at home, level of education, sensitive personal data about the data subject’s health, disabilities and special educational needs, details about their personal circumstances, banking details, parent/guardian name and ID document details.
Parents/legal guardians, applicants, teachers, local or centre representatives, Trinity staff and business contacts: Personal data may include name, address and contact details.
Examiners, proctors: Personal data may include name, address, contact details and ID document details.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:
The personal data transferred concern the following categories of sensitive data: sensitive personal data about the data subject’s health, disabilities and educational needs
Frequency of transfer (e.g. whether on a one-off or continuous basis): continuous basis
Nature of the processing/ processing operations: The nature of the processing means any operation such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of data (whether or not by automated means).
Purpose(s) of the data transfer and further processing: The purpose of the data transfer and processing is for the provision of the Exam Services.
The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period: In accordance with Trinity’s Data Retention Policy and Data Retention Schedule available here https://www.trinitycollege.com/page/data-protection.
For transfers to (sub-) processors, the subject matter, nature and duration of the processing:
As set out in this Schedule 2 in relation to the data importer.
Access to Personal Data and access to any place or system where Personal Data is held must be restricted to authorised users to use to perform the duties related to their job role. Users must be authorised to access, maintain, change, use or distribute information. Authorisation must be allocated based on the principles of need to know and need to use.
Security checks should be employed and regularly carried out to ensure that individuals in key employee positions are screened based on the risk related to the duties that they carry out. This includes background checks, criminal records checks and confidentiality agreements.
Users accessing information systems should be provided with training to support acceptable use of the system and requirements to maintain security.
Information access privileges should be reviewed, modified or revoked as necessary when:
Where suppliers or consultants have access to systems, the relevant supplier/consultant must be required to provide notice of users that have left the organisation, no longer need access to the system or need adjustments to their permissions. You must ensure that, where your personnel have access to Trinity IT Systems, you inform us where such personnel have left your centre, no longer need access to Trinity IT Systems or need adjustments to their permissions (as applicable).
Upon termination of contracts:
Authentication access passwords or codes must be subject to a password policy. This will include ensuring that passwords are:
Records should be kept identifying all instances of access, use, modification, transformation, disclosure or disposal of Personal Data.
Records must be kept of all instances of unauthorised access, use, change, deletion/disposition or disclosure of Personal Data.
Procedures, policies and practices must be implemented to restore, replace or re-create Personal Data that has been damaged, lost or destroyed either accidentally or deliberately.
Physical locations used to store, process and transmit Personal Data should be subject to controls to limit unauthorised access and detect unauthorised activity e.g. door access controls, maintain secure areas, alarms, CCTV, visitor logs etc.
All methods of communication of Personal Data must be secure from unauthorised access, including eavesdropping, interception and diversion. Communication includes verbal communication, transmission of written documentation, telephone, cellular phone, VOIP, instant messaging, fax, e-mail, video and audio communication or any other form of electronic communication.
Identification and authentication safeguards to monitor security systems and procedures may be needed. These include virus scanners, firewalls, monitoring operating system logs, software logs, version control and document disposition certification.
Encryption is applied in storage and transmission relating to Personal Data. Encryption must keep pace with industry guidelines (e.g. National Cyber Security Centre, Common Vulnerability Scoring System (CVSS), Common Vulnerabilities and Exposures (CVE)) to ensure the use of strong encryption protocols is maintained.
All systems hardware and software must be secure from inappropriate access, accident, misappropriation, viruses and systems failure.
Disaster recovery plans must be in place and tested to ensure the recovery of Personal Data. This should also ensure that recovery points of the Personal Data and the time to restore the Personal Data are aligned with the parties’ requirements.
When agreed processes are in place between the parties, the Personal Data should not be stored, processed or transmitted outside of the agreed process without authorisation from the allocated business representative.
Implementation of new information systems or changes to existing systems must be assessed to ensure that appropriate security safeguards are maintained. This will include the requirements for secure storage, processing, transmission and disposal of the information.
Regular assessment of information systems must be carried out to ensure that security vulnerabilities of those systems are known and an appropriate response taken, e.g. patch management, vulnerability scanning, penetration testing.
It is recommended that suppliers/consultants work to principles of recognised security standards to ensure security safeguards provide adequate protection to the confidentiality, integrity and availability of Personal Data, e.g. ISO 27001, Cyber Essentials, NIST framework.
Copyright © 2021 Trinity College London
Version dated 16 December 2022