Planned data sharing with external bodies

This page explains what you need to take into account when planning to share UEA personal data with other bodies. The sharing might be for organisational or research purposes, to outsource a particular task or service to another organisation, or to fulfil a legal obligation. It will usually involve multiple datasets relating to many individuals.

If you're looking for help on sharing personal information in response to ad hoc enquiries - e.g. answering a request from family or an employer - see Handling requests for staff and student data.

Before you share

There must be a justifiable purpose behind every instance of personal data sharing. Knowing what you want to achieve will help you understand whether the proposed sharing is necessary, fair and proportionate.

Before any personal information is shared you need to consider the privacy impact on the people involved, and decide how and what you will tell them about sharing their data.

To help you identify the factors you should consider whenever you’re deciding whether or not to share data, complete the data sharing checklist.

The University’s Strategy, Policy & Compliance team provides guidance on all data protection matters and must be notified of all proposed data sharing involving other organisations, in particular where the other organisation will be acting solely on our instruction.

Data controller or data processor?

You must identify whether the organisation(s) with whom you wish to share data will be acting solely on behalf of the University (in which case they are likely to be a data processor) or whether they want to use the data for their own purposes, not fully specified by the University (in which case the organisation will be a data controller).

This is an essential distinction, not least because UEA (as a data controller) has specific legal responsibilities when working with a data processor. Generally speaking, a data processor is an organisation that is doing something for us, according to our instruction. A data controller may be working for us, but will also be able to decide independently how it uses any information we share with it.


Sharing data with a Data Controller

Example scenario

A team of academic staff from the School of Social Work collaborate with another University on a research project concerning foster care. The UEA researchers gather personal data during interviews with foster parents and want to share it with the other university, who will use the outcome of the research when working with their local authority. Both UEA and the other university are data controllers in common, because they both have a degree of independence in how they use the shared personal data.

What to consider

Data controllers do just that – they control the personal data they collect, hold and use. In the terminology of the Data Protection Act, they determine ‘the purposes for which and the manner in which any personal data are, or are to be, processed’.

This means that if UEA is sharing personal data with another organisation on the basis that both organisations are data controllers ‘in common’ (whether sharing is reciprocal or one-way), then both parties will have legal responsibilities for the shared data.

It is recommended good practice to have a written data sharing agreement or protocol in place whenever large scale and/or regular sharing occurs between organisations, and otherwise keep a record of all data sharing activities. You are not required to use the UEA template agreement, but any agreement should make clear both parties’ responsibilities for the data involved, including how consent and data security will be managed.

For further details of what should be included in any 3rd party agreement, see the data sharing agreement checklist.

Sharing data with a Data Processor

Example scenario

ITCS want to update their call management software. They choose a company who can both host the software and provide technical support. This means the company will need to access the personal data of staff and students using the system, but will only do so for limited purposes, as instructed by ITCS. In this instance, the company is acting as UEA’s data processor.

What to consider

A data processor is any organisation or person - other than an employee of the data controller - who processes (i.e. does something with) personal data on behalf of the data controller.

The data processor may determine some details of the data sharing, for example the IT systems used to store the data it receives, however a data processor cannot make fundamental decisions about the data in question: why and how it is collected and used. This is the role of a data controller.

Under the Data Protection Act, UEA is obliged to ‘(a) choose a data processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out, and (b) take reasonable steps to ensure compliance with those measures.’

The University will be in breach of Principle 7 of the DPA unless ‘(a) the processing is carried out under a contract - (i) which is made or evidenced in writing, and (ii) under which the data processor is to act only on instructions from the data controller, and (b) the contract requires the data processor to comply with obligations equivalent to those imposed on a data controller by the seventh principle.’

UEA staff wishing to engage a data processor therefore need to ensure that the organisation is not just reputable and its services fit for purpose, but that it can demonstrate secure data handling practices and will agree in writing to secure all UEA personal data shared with it.

The data processing agreement can form part of the wider contract and/or terms of service provided by the data processor; however, it is important to make sure that any third party documents adequately protect the University’s data. Use the Data Processor Agreement checklist to determine the suitability of any agreement provided by the data processor.

If the third party agreement is not suitable, the UEA template Data Processor Agreement (and associated guidance) must be used.

The Strategy, Policy & Compliance team must be notified in advance of all data processing agreements and can provide data protection advice and guidance throughout negotiations with the data processor. 

Deciding to share: next steps

If, having completed the checklist, you decide the data sharing is necessary, fair and justified, the next step is to document the decision and complete any necessary documentation (e.g. data sharing or data processor agreements, privacy notices). All agreements must be reviewed and approved by the Strategy, Policy and Compliance team prior to commencement of data sharing. Email dataprotection@uea.ac.uk or telephone 01603 59 2431 / 3523.

Remember:

  • Only share data which is necessary for the purpose.
  • Ensure the data you are sharing is accurate and, unless otherwise required, up to date.
  • Make sure you have a named contact with whom to share the data.
  • Make sure you know how and when data will be destroyed.
  • Think security. Make sure the information is secure in transit, in use and in storage. If you’re unsure how to go about this, have a look at the information security web pages or contact infosec@uea.ac.uk.