Questionnaire

The document is a supplier data protection questionnaire containing 35 questions. It asks the supplier to provide details about how they handle and protect personal data. This includes information about data storage, access controls, security practices, compliance with data subject rights, and certifications. The supplier is asked to describe their processes for receiving, storing, transferring, and destroying personal data to ensure proper data protection.

SUPPLIER DATA PROTECTION QUESTIONNAIRE

1 Name of business
2 Registered Address and Company Registration Number (include place of business if different from registered address)
3 Primary Contact (Name, job title, telephone number and email)
4 Who is responsible for the data protection aspects of the service you shall provide (please specify full name and job title)
5 Description of data to be processed e.g. application forms, references, health checks, employee details, CCTV images
6 Type of data to be processed - please answer yes or no for each of the following categories
i) personally identifiable information e.g. names, addresses, bank details, NI numbers
ii) sensitive personal information/special categories of data e.g. gender, disability, genetic, biometric (samples, fingerprints)
iii) non-personal information e.g. business information, financial information, aggregated statistics
7 Where is the data received from? e.g. individuals themselves, local authority, other organisation
And in what format? e.g. email (encrypted or not?), paper, download/upload from internet portal
8 Where is the data stored and how? e.g. physical location, data room servers
9 Where is the data accessed from? i.e. within the EEA or outside the EEA
10 Is the data transferred to a third party? If so, please explain to whom and in what format
11 Do you use sub-contractors to process or store the data?
If yes, please identify the sub-contractors/processors
If yes, how does your business gain assurance that sub-contractors/processors are compliant with information security measures?
12 Does the business use anonymised and/or pseudonymised data? If it does, please explain why. If it doesn't, should it?
13 Access to Information - (Internal) Who has access, why and how? In all formats e.g. paper, electronic, email, shared drives
14 Access to Information - (External) Who has access, why and how? In all formats e.g. paper, electronic, email, shared drives, via website
15 Can your processes respond to the following rights of individuals? Please answer yes or no for each category
i) right to be informed - 'What info do you hold about me, and why?'
ii) right of access - 'I want a copy of everything you hold about me, in a calendar month'
iii) right of rectification - 'This isn't right; I want this corrected'
iv) right to object - 'I'm not happy that you're processing my data this way…'
v) right to restrict processing - '…so please pause processing while you investigate.'
vi) right to erasure - 'I want all the info about me erased because:
- I no longer consent to you processing it
- You don't need to hold it any longer
- My objection was upheld'
vii) right to data portability - 'I want my info moved to another provider'
viii) rights relating to automated decision making and profiling - 'I want a human to make this decision'
(Doesn't apply if processing is based on:
- consent
- contract
- legal obligation with appropriate safeguards)
16 Are your processes fair, lawful and transparent - i.e.
a) do you have a Privacy Notice that includes the purpose and legal basis of the processing, an explanation of individuals' rights and how they may exercise them?
b) does the processing have a Data Protection Impact Assessment? (previously known as a Privacy Impact Assessment)
17 Where processing is based on the data subjects' consent, can your systems and processes evidence affirmative consent (i.e. a positive 'opt-in'), and respond to the withdrawal of consent?
18 How will you ensure that the data is adequate, relevant and not excessive?
19 How will you ensure that the data is accurate and kept up to date?
a. how do you validate data received from others?
b. do you undertake system audits or other measures to maintain the integrity of the data?
c. how do you check and maintain accuracy of the data?
20 Do you retain data only for as long as is necessary?
a. do you have a retention policy and if so, how is this triggered?
b. do you have a destruction process and records of destruction?
21 Do you process data in an appropriate manner to maintain security?
a. do you have an information security policy?
b. do you conduct regular security tests?
c. what is your process for backing up data?
22 Would you be able to recognise and respond to a subject access request within one month from receipt?
23 Would you know if your data had been breached and what to do if it has, including when and how to let the Council and data subjects know?
24 In relation to your ICT system(s) please respond yes or no to the following:
a. we permit the use of removable media
b. we permit remote working for staff
c. we allow staff to connect their own devices to our ICT systems
25 Does your business hold any accreditation or certification relating to the ICT systems used in the delivery of the service?
26 Are access controls in place to ensure that information is only available to system users who require access? e.g. all office staff have network log-ins and passwords to a secure network; paper records kept in lockable cabinets in staff-only offices
27 Are back-up copies of information and software taken regularly?
28 Do you encrypt data both in transit and at rest to the latest industry standard specification (AES-256) or an appropriate equivalent?
If yes, please provide an overview of the encryption framework you have in place, for both at rest and in transit
29 Are you satisfied that access to data used as part of this service shall be restricted to only those that need it?
30 Please provide evidence of the following to demonstrate compliance with GDPR
a. Business Continuity Plan - the plan should cover as a minimum: key processes, maximum tolerable periods of disruption, dependencies/inter-relationships, key contacts, roles and responsibilities, testing arrangements, IT reliance, local risks/threats and recovery options
b. security policy
c. Certifications or accreditations e.g. ISO 27001, PSN Code of Connection, Level 2 NHS toolkit
d. Privacy Impact Assessments
e. Policies and procedures addressing GDPR requirements e.g. Do you have policies in place which detail how data should be handled, copied, stored, transmitted, destroyed and returned?
f. Confirmation of data protection training for staff
31 Are organisational and individual responsibilities for information security clearly defined in the terms and conditions of your employment contracts?
32 Upon termination of employment is there a leavers process in place to ensure that assets are returned and rights of access revoked?
33 Are or would non-disclosure agreements be in place with all staff who have access to Local Authority information?
34 Is your business registered with the Information Commissioner's Office?
35 In the past 12 months has your organisation assessed its compliance with relevant legislation and regulations (for example the Data Protection Act or GDPR)?
© The Council of the City of Sunderland 2018 - Reproduction of this questionnaire requires the permission of The Council of the City of Sunderland, contact Data.Protection@sunderland.gov.uk - ALL RIGHTS RESERVED

Supplier's Response