|A team of academic staff from the School of Social Work collaborate with another University on a research project concerning foster care. The UEA researchers gather personal data during interviews with foster parents and want to share it with the other university, who will use the outcome of the research when working with their local authority. Both UEA and the other university are data controllers in common, because they both have a degree of independence in how they use the shared personal data.|
What to consider
Data controllers do just that – they control the personal data they collect, hold and use. In the terminology of the Data Protection Act they determine ‘the purposes for which and the manner in which any personal data are, or are to be, processed’.
This means that if UEA is sharing personal data with another organisation on the basis that both organisations are data controllers ‘in common’ (whether sharing is reciprocal or one-way), then both parties will have legal responsibilities for the shared data.
It is recommended good practice to have a written data sharing agreement or protocol in place whenever large scale and/or regular sharing occurs between organisations, and otherwise keep a record of all data sharing activities. You are not required to use the UEA template agreement, but any agreement should make clear both parties’ responsibilities for the data involved, including how consent and data security will be managed.
For further details of what should be included in any 3rd party agreement, see the data sharing agreement checklist.