This page explains what you need to take into account when planning to share or transfer UEA personal data to other bodies. The sharing might be for organisational or research purposes, to outsource a particular task or service to another organisation, or to fulfil a legal obligation. It will usually involve sharing, transferring or allowing access to UEA data over a period of time in a systematic way, rather than a one-off event.
If you're looking for help on sharing personal information in response to ad hoc enquiries - e.g. answering a request from family or an employer - see Handling requests for staff and student data.
To find out more about the issues to consider before sharing personal data, read the ICO's Data Sharing Code of Practice.
There must be a justifiable purpose behind every instance of personal data sharing. Knowing what you want to achieve will help you understand whether the proposed sharing is necessary, fair and proportionate.
Before any personal information is shared you need to consider the privacy impact on the people involved, and decide how and what you will tell them about sharing their data.
To help you identify the factors you should consider whenever you’re deciding whether or not to share data, complete the data sharing checklist.
The University’s Information Compliance team provide guidance on all data protection matters and must be notified of all proposed data sharing involving other organisations, in particular where the other organisation will be acting solely on our instruction.
You must identify whether the organisation(s) with whom you wish to share data will be acting solely on behalf of the University - in which case they are likely to be a data processor - or whether they want to use the data for their own purposes that are not fully specified by the University - in which case the organisation will be a data controller, either by itself or with the University (a 'joint controller').
It is essential to understand and agree the position of each party, not least because UEA (as a data controller) has specific legal responsibilities when working with a data processor. Generally speaking, a data processor will be an organisation that is doing something for us, according to our instruction. A data controller may be working for us, but will also be able to independently decide how they use any information we share with them.
It's not always easy to determine who is a controller, a processor, or a joint controller, so the ICO have published helpful checklists, as well as guidance to help organisations establish the difference between a data controller and a data processor.
If, having completed the checklist, you decide the data sharing is necessary, fair and justified, the next step is to document the decision and complete any necessary documentation (i.e. data sharing or data processor agreements, privacy notices). All data sharing agreements must be reviewed and approved by the Information Compliance team before data sharing commences.
N.B. It can take some time to conclude data sharing or processing arrangements with other organisations, so to avoid delaying your new project or service please involve the team as early as possible. Email firstname.lastname@example.org or telephone +44 (0)1603 59 2431.
- Only share data which is necessary for the purpose.
- Ensure the data you are sharing is accurate and, unless otherwise required, up to date.
- Make sure you have a named contact with whom to share the data.
- Make sure you know how and when data will be destroyed.
- Think security. Make sure the information is secure in transit, in use and in storage. If you’re unsure how to go about this, have a look at the information security web pages or contact email@example.com.