GDPR: The difference between first and third-party data

With the upcoming GDPR you may have heard lots of terminology recently with regards to the matter of ‘consent’. The terms first party and third party seem to be popping up everywhere. Let’s take a look at what both terms mean and the difference between the two. At its core, the concept of first and third party is around the relationship of the organisation using the data to the person who is the subject of the data - not the system on which the data is processed.

What is first party?

First party refers to the person or organisation to whom the data was given. In the case of a school, this would be the school itself as the data is almost always collected from the children, parents/guardians and staff directly.

When this data is used by the first party (the school) the use is considered first party, regardless of the system used.

This data is often collected via data capture sheets, permission forms or any type of data collection your school may use (online, paper, etc.).

What is third party?

If a school (first party) provides data to another software provider and that provider uses the data as part of their business, that second software provider is considered to be third party. For example, if the software provider were to market to the contacts it had collected.

It is the purpose of the use of the data, rather than the system on which the data is being used, that denotes the software provider as third party.

What does this mean in terms of ScholarPack?

Within ScholarPack’s API management area you have the ability to mark each software provider your school links with as either a first or third party provider. If the company’s software is used directly by your school and the people within, this is almost always classed as first party.

Please bear in mind that any data collected by your school and used in a software package for the normal operation of your school will be classed as first party.

For example:

In my school I use an online payments and communications system called Example Parent Comms*. I use data from ScholarPack to update information held in Example Parent Comms. In this instance I will contact my parents/guardians via their platform. As I collected this data and will be contacting my parents/guardians directly - Example Parent Comms is a first party provider. The school is contacting the parents, not Example Parent Comms.

Example Parent Comms would be classed as a third party if they contacted parents/guardians directly to sell Example Parent Comms products and services directly. In this instance Example Parent Comms has become a Controller of the Data and is acting outside of the school's relationship.

*Please note Example Parent Comms is not a provider.

Was this article helpful?
0 out of 0 found this helpful