Channel: Spiceworks Community

DATA protection, How third level companies process Sensitive Personal Data


Hi People!

This week I was assigned to a new project involving Data Protection. My job is to find out how third level companies that we work with handle sensitive personal data. Usually these companies extract sensitive information from our database to process it or use it for the purpose of training, even though they need to have very strict policies on how to handle such data. By Privacy Law, the only people allowed to handle this information are divided into two categories:

-Data Controller

{DPA 1988} - "means a person who, either alone or with others, controls the contents and use of personal data."

-Data Processor

{DPA 1988} - "means a person who processes personal data on behalf of a Data Controller but does not include an employee of a Data Controller who processes such data in the course of his employment."

That said, some of these third level parties that handle data have very low-level security protocols on how to handle everything. This is where my job comes in: I need to write some guidelines on how our company wants this data to be managed from the top to the bottom in every single direction. So far I have tried to create boundaries on how the data is used for training.

1) Any personal data should be stored on portable devices; the data should remain on a group of offline computers used only for the purpose of training. Again, computers must have a block to deny any kind of extrapolation of data from them and be protected by password.

2) Hard disks must be destroyed, with all related information stored on them, when obsolete; the third level company must release a signed contract stating the permanent elimination of such data and equipment.

...so you can see the pattern here. I need to create rules that prevent these companies, for any reason, from providing such data even to fourth parties like sellers to do aimed publicity, or from exposing this data in any way on websites or such.

As you understand, it is a big and very complicated project. I am looking for good advice on creating these kinds of rules to add to the contract. Please start suggesting!

