8. Data Sharing
The University collects a wide range of personal data relating to staff and students for the University's purposes and to meet its external obligations. Both these types of data collection may result in the eventual transfer of personal data to third parties, which the University must ensure is permitted under the DPA 1998.
In order for the University, as a data controller, to lawfully process personal data, one of the following conditions must be met:
- The individual has consented to the processing
- Processing is necessary for the performance of a contract with the individual
- Processing is required under a legal obligation (other than a contractual one)
- Processing is necessary to protect the vital interests of the individual
- Processing is necessary to carry out public functions, e.g. administration of justice, or for exercising statutory, governmental, or other public functions
- Processing is necessary in order to pursue the legitimate interests of the data controller or third parties and is not unfair to the individual
Where sensitive personal data is concerned, one of the ordinary processing conditions at 8.1 above and one of the conditions for processing sensitive data below must be met before processing can be carried out. The conditions for processing sensitive data are that the data subject has given his or her explicit consent to the processing of the personal data, or that the processing is necessary for a further set of specified reasons, including:
- It is required by law for employment purposes
- It is needed in order to protect the vital interests of the individual or another person
- It is needed in connection with the administration of justice or legal proceedings
The following requirements must be adhered to when considering the sharing of personal data:
- Purpose - there should be a clear and lawful purpose for the data sharing.
- Fairness - the nature and extent of the data sharing should be a proportionate means of achieving that purpose when weighed against the interests of the individuals concerned, e.g. consider whether the data could be anonymised.
- Transparency - the data subjects should be given appropriate notice in advance about the possible sharing of their personal data. Failure to do so may mean that the sharing is considered to have been carried out unfairly and without due respect for the data subjects' rights.
The data subjects must be able to effectively exercise their rights under the DPA 1998, including the rights to access data which is held about them and to object to, or opt out of, certain types of processing. While transfers will be permitted where data subjects have given their consent to the transfer, a positive response must be received and consent cannot be inferred from silence.
There are two common misconceptions about sharing personal data within the University. The first is the assumption that because personal data is held by one department it can be shared automatically with other departments or University employees because “we all work for Edinburgh Napier University”. The second is the converse, i.e. that personal data cannot be shared with other departments or colleagues. Where there are no restrictions on the sharing of personal data under either the DPA 1998 or other legislation, e.g. the Equality Act 2010, personal data may be shared on a strictly “need to know” basis, having first considered the purpose, fairness and transparency of such sharing.
8.4.1 Sensitive personal data
The University has stringent requirements in place for transfers of sensitive personal data, which are dealt with in Section 12 of this Code of Practice. The advice of the Governance Officer (Data Protection and Legal), the Head of Disability and Inclusion or the University's Diversity Partner should be sought if in any doubt.