8. Data Sharing
8.5 Data Sharing with Third Parties
8.5.1 The two main types of data sharing are:
a) a systematic, routine data sharing where the same data sets are shared with the same third party agency or organisation for an established purpose; or
b) an exceptional, one-off decision to share data for any of a range of purposes.
There are two contexts in which the University will share personal data with third party agencies and organisations:
i) where we are required to do so by law; and
ii) where it is necessary for us to do so within the context of general operations and primarily for the provision or administration of educational services.
In the case of i) above a list of the third parties to whom such disclosures are required can be consulted.
In all situations where ii) above applies the three requirements of purpose, fairness and transparency must be met before any data sharing with third parties takes place.
8.5.2 The University must ensure that personal data under its control is not disclosed or transferred to unauthorised third parties. These will include a person or organisation:
- not covered by the data processing conditions relied upon by the University, referred to at 8.1 and 8.2 above, unless Data Protection legislation expressly permits such disclosure or transfer.
- covered by the data processing conditions relied upon by the University under 8.1 and 8.2 above, but where the request is for reasons outside the scope of those conditions, unless Data Protection legislation expressly permits such transfers without such consent.
- not disclosed in the University's fair processing statements for students and staff as a likely recipient or class of recipient of their data, unless Data Protection legislation expressly permits such disclosure or transfer.
"Unauthorised third parties" may include family members, friends, local authorities and government bodies unless disclosure is permitted under Data Protection legislation or required by other legislation.
8.5.3 Any member of University staff who is considering a data sharing arrangement should consult and then complete the checklist of the relevant issues before any data sharing takes place.
8.5.4 Where it is decided that a data sharing arrangement is to be made, an appropriate agreement must be put in place before any data is transferred. The type of agreement used will depend on which of two forms of data sharing is proposed, i.e. either:
i) by the University as a data controller with a third party who is also a data controller, i.e. both parties determine the purposes for which and the manner in which the personal data is to be processed; or
ii) by the University as a data controller with a third party who will then process that data on the University’s behalf, i.e. as a data processor.
8.5.5 If ii) above applies, the University must ensure that, in all such cases, the agreement expressly requires that the data processor:
- will act only on instructions from the data controller; and
- has security in place that is equivalent to that imposed on the University by the seventh data protection principle.
A data processor does not therefore have any direct data protection responsibilities of its own. As these are all imposed on the data processor through its agreement with the University, the University has a duty to ensure that the data processor carries out the terms of the agreement by monitoring its compliance.
Guidance on the forms of data sharing and the template agreements or clauses to be used for 8.5.4 i) and ii) above should be sought from the Information Governance Manager before any data sharing takes place.
8.6 Handling Requests for Personal Data: Disclosures without Consent
8.6.1 The University will handle requests for disclosure of personal data as follows:
i) Requests made by the police or authorities with prosecuting powers will be dealt with under Data Protection legislation;
ii) All other third party requests, including e.g. those referred to in 8.10 and 8.11 below, will be treated as requests under the Freedom of Information (Scotland) Act 2002 (FOISA).
University staff who receive a request from a third party should seek advice as necessary from the Information Governance Manager.
8.6.2 Under Data Protection legislation, data may be disclosed to third parties without consent only where the legislation expressly permits such transfers e.g. where it is required for the purposes of:
i. Protecting the vital interests of the data subject (i.e. release of medical data where failure to release the data would result in harm to, or the death of, the data subject)
ii. Preventing serious harm to a third party that would occur if the data were not disclosed
iii. Safeguarding national security
iv. Prevention or detection of crime
v. Apprehension or prosecution of offenders
vi. Assessment or collection of any tax or duty or of any imposition of a similar nature
vii. Discharge of regulatory functions, including securing the health, safety and welfare of persons at work
With regard to iv. to vii. above it should be noted that disclosure is allowed in those cases only to the extent to which failure to disclose would be likely to prejudice the attainment of those aims. This means that if the information was not disclosed this would noticeably damage those purposes.
8.6.3 Where the police or authorities with prosecuting powers are seeking the disclosure of personal data for the purposes referred to in 8.6.2 iii. – vii. above, the University will normally require that they submit their respective organisational form to the Information Governance Manager or other authorised officer in Governance Services. The UK Information Commissioner’s guidance on Releasing Information to Prevent or Detect Crime will be applied in determining whether a disclosure is permitted.
8.6.4 All external third parties requesting personal data under FOISA will normally be required to submit their request in a letter on headed notepaper, addressed to an authorised member of University staff. The request will then be considered as set out in 8.10 i) and ii) below.
8.6.5 All third parties should give:
- the authority under which the request is made
- reasonable proof of the requester's personal identity and organisational affiliation e.g. police officers will be expected to quote their identification numbers and/or produce their warrant cards
- details of the nature of the personal data and the purpose for which it is being requested and confirmation that the scope of the request is necessary and proportionate
- where applicable, the relevant exemption under Data Protection legislation or other legislation which authorises the University to release the information
- where applicable, a warranty that it will be held and processed in conformity with the Data Protection Principles
The absence of such documentation or a warrant may be justification for refusal to disclose the requested personal data.
Once the request has been received, relevant staff should consult and then complete the checklist at 8.5.3 above for such one-off requests for personal data.
8.6.6 Alternatives may be for staff to accept a sealed envelope which they will attempt to forward to a student's last-recorded address or to forward an incoming email message to a student without confirming the student’s attendance at the University.
8.6.7 In appropriate circumstances and where the matter is urgent, an attempt should be made to contact the subject by phone, or other means, in order to provide them with information about the enquirer and the nature of the enquiry, so that they can choose whether to respond.
8.6.8 Disclosures without consent may normally be made only by the University’s Information Governance Manager or other authorised member of University staff, in consultation with Governance Services. Records of disclosures made by Governance Services under 8.6.3 will be maintained centrally and those under 8.6.4 will be kept by the relevant authorised University staff.
Please refer to the checklists below for guidance on how to process third party requests for personal data.
- Requests from Parents
- Requests from the Police
- Requests from all other organisations (SAAS etc.)
- Third Party Personal Data Request Form
8.7 Emergency Requests
An emergency situation is one where there is reason to believe that there is a danger of death or injury to the data subject or any other person. In such situations, University staff receiving a request are required:
- To seek the authorisation of their Head of School or Service area or nominated deputy before disclosure
- Not to disclose data where they have doubts as to the validity of the request
- Where the request is received by telephone, to ask the caller to provide a switchboard number and call them back through the organisation's switchboard before providing the data
- To make a record of the enquiry as soon as possible, detailing the circumstances, what information was shared and explaining why the disclosure took place and pass this to the Information Governance Manager.
- To ask the enquirer to follow up their request with a formal written and signed request, so that this may also be passed to the Information Governance Manager to retain centrally
Provided only that there is time to do so and no delay would be caused to a data sharing which is deemed necessary in an emergency, the relevant member of staff should consider consulting the checklist at 8.5.1 above for such a “one-off” request.
8.8 Mandatory Disclosures
The University may be required by legislation, by any rule of law or by the order of a court to disclose an individual's personal data. A non-exhaustive list is available of Third Parties Who May Require Disclosure.
With the exception of a court order, the request should be made on headed notepaper, ideally cite the relevant exemption and be signed by an authorised officer. The data disclosed should be the minimum required to accede to the request; it must be sent or provided by the most appropriate secure method, and a record of both the request and the data disclosed must be kept.
8.8.1 Court orders
The University has a legal obligation to respond to valid Court orders promptly and with the information requested, regardless of whether this is sought for the pursuer or the defendant. Court Orders should be marked “confidential and urgent” and passed immediately to the following University staff who will be responsible for ensuring that the information is collected and sent timeously by the most appropriately secure method:
- For students/former students: Director of Student & Academic Services or nominated Assistant Director
- For staff/former staff: Director, Human Resources or his/her nominee
Guidance may be sought from the Information Governance Manager or other authorised staff in Governance Services.