
4. Safe sharing

We only share personal information with people that we trust.


What our promise means to us

We promise that we will only share personal information with third parties that process it in accordance with our Eight Privacy Promises.

We understand, and ensure that all our staff understand, that many privacy and security challenges arise when we allow personal information to leave our organisation.


What we all need to do to keep our promise

We will never engage a new Vendor / Partner without involving our Privacy Champions.

We understand that our Privacy Champions need to keep an up-to-date record of all the Vendors / Partners with which we share personal information.

We commit to keeping the personal information we process safe throughout its life cycle. This means being able to track and control the personal information that leaves our organisation, but which remains our responsibility. Personal information must be protected using appropriate security measures at all times, whether at rest or in transit. We will ensure that all our Vendors and Partners with which we share personal information are responsible for maintaining our organisation's high privacy and security standards and are able to comply with the requirements of our Eight Privacy Promises and all applicable privacy laws.

In each case, we will assess whether the Vendor or Partner we want to work with is a processor, a controller or a joint controller.

We will only work with Vendors and Partners when/if:

Vendor / Partner has signed an acceptable non-disclosure agreement (NDA) prior to disclosure to it of any personal information;

we have carried out a suitable Data Protection Impact Assessment before sharing personal information with that potential new Vendor / Partner;

Vendor / Partner has completed and passed a Risk Assessment Due Diligence Questionnaire prior to disclosure to it of any personal information and we continue to audit that Vendor / Partner on a regular basis;

Vendor / Partner really needs the personal information to perform their services and/or provide their products and we need those services and/or products to provide our products and/or services;

we have verified that Vendor / Partner can process the personal information we share with them securely and that Vendor / Partner has provided acceptable guarantees in relation to the security of that personal information;

(Vendor/Partner is a processor) once we have signed an appropriate data processing agreement with that Vendor / Partner containing suitable data protection obligations to protect personal information and all the safeguards required by law including only acting upon our instructions and not further sharing personal information without our consent; and

(Vendor/Partner is a joint controller) once we have entered into an “arrangement” with them to adequately apportion data protection compliance responsibilities between us and the Vendor/Partner.

We will add each Vendor / Partner with which we share personal information to our Record of Vendors/Partners and cease working with them if they cannot comply with our Promise 4.

We will ensure that our use of Vendors / Partners does not hinder our compliance with the rights of individuals under privacy laws.

Our documents demonstrating compliance with our promise

TEMPLATES - Generic documents for us to customise
If you'd like to see these documents, speak to a Hub Owner or Privacy Champion.
RECORDS - Documents recording our compliance activities
If you'd like to see these documents, speak to a Hub Owner or Privacy Champion.
INFORMATION - Documents containing information to help us comply
No documents made available yet
POLICIES - Documents containing our policies
No documents made available yet