Page: 1 2 3
8. Data Sharing
Download this section as a print-friendly PDF document.
The University collects a wide range of personal data relating to staff and students for the University's purposes and to meet its external obligations. Both these types of data collection may result in the eventual transfer of personal data to third parties, which the University must ensure is permitted under the Data Protection legislation.
8.1 Conditions for Processing of Personal Data
In order for the University as a data controller to lawfully process personal data one of the following conditions must be met:
- The individual has consented to the processing
- Processing is necessary for the performance of a contract with the individual
- Processing is required under a legal obligation (other than a contractual one)
- Processing is necessary to protect the vital interests of the individual
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- Processing is necessary in order to pursue the legitimate interests of the data controller or third parties except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child
8.2 Conditions for Processing of Special Category Personal Data
Where special category personal data is concerned one of the ordinary processing conditions at 8.1 above and one of the conditions for processing special category personal data below must be met before processing can be carried out. The conditions for processing special category data are: the data subject has given his or her explicit consent to the processing of the personal data; or that the processing is necessary for a further set of specified reasons, including:
- It is required by law for employment purposes
- It is needed in order to protect the vital interests of the individual or another person
- It is needed in connection with the administration of justice or legal proceedings
8.3 Key Elements
The following requirements must be adhered to when considering the sharing of personal data:
- Purpose - there should be a clear and lawful purpose for the data sharing.
- Fairness - the nature and extent of the data sharing should be a proportionate means of achieving that purpose when weighed against the interests of the individuals concerned e.g. consider whether the data could be anonymised.
- Transparency - the data subjects should be given appropriate notice in advance about the possible sharing of their personal data. Failure to do so may mean that it is considered to have been carried out unfairly and without due respect for the data subjects' rights
The data subjects must be able to effectively exercise their rights under Data Protection legislation including the rights to access data which is held about them and to object to, or opt out of, certain types of processing. While transfers will be permitted where data subjects have given their consent to the transfer, a positive response must be received and consent cannot be inferred from silence.
8.4 Data Sharing within the University
There are two common misconceptions about sharing personal data within the University. The first is the assumption that because personal data is held by one department it can be shared automatically with other departments or University employees because “we all work for Edinburgh Napier University”. The second is the converse i.e. that personal data cannot be shared with other departments or colleagues. Where there are no restrictions on the sharing of personal data under either Data Protection or other legislation, e.g. the Equality Act 2010, personal data may be shared on a strictly “need to know” basis having first considered the purpose, fairness and transparency of such a sharing.
8.4.1 Special Category personal data
The University has stringent requirements in place for the transfers of sensitive personal data, which are dealt with in Section 12 of this Code of Practice. The advice of the Information Governance Manager, the Head of Disability and Inclusion or the University's Diversity Partner should be sought if in any doubt.
Page: 1 2 3