• Home
  • Login
  • Welcome to the Staff Intranet
YOU ARE HERE: Skip Navigation LinksEdinburgh Napier Staff Intranet > Service Depts > Governance & Compliance > Governance Services > Data Protection > Data Sharing
 

Data Sharing 

Further information on data sharing is available in Section 8 of the Data Protection Code of Practice

 

Man with oversized envelope

Required Disclosures to Third Parties

The University may be required by legislation, by any rule of law or by the order of a court to disclose an individual's personal data. This document gives a list of examples of third parties who may require disclosure, and the circumstances under which they may do so.  Please note that this list is non-exhaustive.  A checklist for data sharing is available below, and further guidance is given in Section 8 of the University's Data Protection Code of Practice.  If you have any queries, please contact the Information Governance Manager

 

  Download the Table of Third Parties who can require disclosure of personal data

 

Environmental Health Officers have powers to obtain information for the purpose of reporting notifiable diseases.  A list of notifiable diseases can be downloaded  here.

 

Permitted Disclosures to Third Parties

The University may receive requests to disclose an individual's personal data, which while not required, may be permitted under Data Protection Legislation. This document gives a list of examples of third parties who may request disclosure of personal data, and the circumstances under which such data may be disclosed.  Please note that this list is non-exhaustive.  A checklist for data sharing is available below, and further guidance is given in Section 8 of the University's Data Protection Code of Practice.  If you have any queries, please contact the Information Governance Manager.

 

 Download the Table of Third parties who may request personal data

 

Internal Data Sharing

 

Current Processes:

If you have a current mechanism in place for sharing personal data internally (between teams/departments/schools) you must review this regularly and have a written procedure in place which details how the data is shared, what the data is, and what the purpose is.
If you have not carried out a Privacy Impact Assessment for this process already please contact the Information Governance Manager
The data must not be shared by email, you must use SharePoint or another approved secure system wherever possible. For guidance on how to set up sharing on SharePoint contact Information Services.

New Processes:

If you are setting up a new process which involves sharing personal data internally you must complete a Privacy Impact Assessment and create a procedure. Contact Governance Services for documentation and guidance.

Ad-hoc internal requests for personal data sharing:

If you wish to make a request to another area for a one-off personal data sharing, please complete the Protocol below and send to Governance Services for approval.
Read the Information Security Classification Scheme for more information on data sharing. 

 

External Data Sharing

Sharing personal data externally will require either a contract, data sharing agreement, data processing agreement or a collaboration agreement depending on who the data is being shared with and the purpose. If you do not have any of these in place or it is a new process contact Governance Services for template documents and guidance.
Sharing data without any of the above agreements in place could be, or could lead to, a data breach.
A Privacy Impact Assessment will also be required.
 

All Processors contracting with the University to process data on behalf of the University (Controller) whether that is by actual transfer of personal data to them or by the provision of systems or services are subject to the University's Data Processing Terms and Conditions. There are various versions dependent on the situation:

           Yellow highlighted sections to be included in Principal Contract/procurement documentation                          (responsibility of colleague outsourcing processing, not Procurement or Governance Services)                                see pages 1 (points A & B), 4 (point 5.7) and 7 (point 14)

 

How to Share Data

SharePoint should be used for sharing personal data, as this is the most secure method, speak to Information Services for guidance on how to do this.
If you are unable to use SharePoint read the Information Security Classification Scheme for other methods and contact Governance Services for guidance before sharing any data.
 

Guidance on the Contractual Requirements for Transferring Personal Data to External Organisations

This guidance note provides general advice on the issues you need to consider when setting up or managing contracts where you intend to transfer personal information from the University to another organisation. This is to ensure that you do so in a way that complies with the Data Protection legislation.


Download the Guidance on the Contractual Requirements for Transferring Personal Data to External Organisations


Download the larger format flowchart from the Guidance Note 

                                                                                                                  Page last updated 26 August 2019

Edinburgh Napier University is a registered Scottish charity.
Registration number SC018373