8. Data Sharing
The University collects a wide range of personal data relating to staff and students for the University's purposes and to meet its external obligations. Both these types of data collection may result in the eventual transfer of personal data to third parties, which the University must ensure is permitted under the Data Protection legislation.
8.1 Conditions for Processing of Personal Data
In order for the University as a data controller to lawfully process personal data one of the following conditions must be met:
- The individual has consented to the processing
- Processing is necessary for the performance of a contract with the individual
- Processing is required under a legal obligation (other than a contractual one)
- Processing is necessary to protect the vital interests of the individual
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- Processing is necessary in order to pursue the legitimate interests of the data controller or third parties except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child
8.2 Conditions for Processing of Special Category Personal Data
Where special category personal data is concerned one of the ordinary processing conditions at 8.1 above and one of the conditions for processing special category personal data below must be met before processing can be carried out. The conditions for processing special category data are: the data subject has given his or her explicit consent to the processing of the personal data; or that the processing is necessary for a further set of specified reasons, including:
- It is required by law for employment purposes
- It is needed in order to protect the vital interests of the individual or another person
- It is needed in connection with the administration of justice or legal proceedings
8.3 Key Elements
The following requirements must be adhered to when considering the sharing of personal data:
- Purpose - there should be a clear and lawful purpose for the data sharing.
- Fairness - the nature and extent of the data sharing should be a proportionate means of achieving that purpose when weighed against the interests of the individuals concerned e.g. consider whether the data could be anonymised.
- Transparency - the data subjects should be given appropriate notice in advance about the possible sharing of their personal data. Failure to do so may mean that it is considered to have been carried out unfairly and without due respect for the data subjects' rights.
The data subjects must be able to effectively exercise their rights under Data Protection legislation including the rights to access data which is held about them and to object to, or opt out of, certain types of processing. While transfers will be permitted where data subjects have given their consent to the transfer, a positive response must be received and consent cannot be inferred from silence.
8.4 Data Sharing within the University
There are two common misconceptions about sharing personal data within the University. The first is the assumption that because personal data is held by one department it can be shared automatically with other departments or University employees because “we all work for Edinburgh Napier University”. The second is the converse i.e. that personal data cannot be shared with other departments or colleagues. Where there are no restrictions on the sharing of personal data under either Data Protection or other legislation, e.g. the Equality Act 2010, personal data may be shared on a strictly “need to know” basis having first considered the purpose, fairness and transparency of such a sharing. So the questions to ask are:
1) Is the personal data being processed for the purposes it was collected for, e.g. to provide education, research, etc. to students?
2) Is the personal data being processed at the request of the data subject, e.g. a reference request or a rights request under data protection legislation?
3) Is there a legal basis for the processing, e.g. consent, contract, legal requirement, vital interests (emergency/crisis situation only), the University's "public task" or legitimate interests? (Additional bases need to be considered for sensitive or special category personal data.)
4) Has the data subject been told in a Privacy Notice that the processing is taking place, e.g. would they expect the processing to take place?
If you have a current mechanism in place for sharing personal data internally (between teams/departments/schools) you must review this regularly and have a written procedure in place which details how the data is shared, what the data is, and what the purpose is.
If you have not carried out a Privacy Impact Assessment for this process already, please contact your area's Information Governance Champion or the Information Governance Manager.
The data must not be shared by email; you must use SharePoint or another approved secure system wherever possible. For guidance on how to set up sharing on SharePoint, contact Information Services.
If you are setting up a new process which involves sharing personal data internally you must complete a Privacy Impact Assessment and create a procedure. Contact Governance Services for documentation and guidance.
Ad-hoc internal requests for personal data sharing:
If you wish to make a request to another area for a one-off sharing of personal data, please complete the Protocol below and send it to your Manager or Governance Services for approval.
Download the Data Sharing Protocol for One-off Requests
Read the Information Security Classification Scheme for more information on data sharing.
The Information Commissioner's guidance can be found online using the following link: https://ico.org.uk/media/2615361/data-sharing-code-for-public-consultation.pdf
8.4.1 Special Category personal data
The University has stringent requirements in place for the transfers of sensitive personal data, which are dealt with in Section 12 of this Code of Practice. The advice of the Information Governance Manager, the Head of Disability and Inclusion or the University's Diversity Partner should be sought if in any doubt.