Sharing Personal Data
The University uses personal information about staff, students, research participants and others in almost all its activities, and there is a legal requirement to ensure this information is complete and accurate and that the rights and privacy of those individuals are protected.
The University may need to share this information with a third party, either through legal obligation or by choice, but will still be responsible for safeguarding the rights and privacy of the individuals who have trusted us with their personal information. We need to have some form of legal agreement in place with the third party to discharge this duty.
This document seeks to provide guidance on how to determine the most appropriate form of agreement, and the issues to consider when preparing the agreement.
The General Data Protection Regulation (GDPR) does not introduce any requirements that were not already present under the Data Protection Act (DPA). However, the financial and reputational consequences of failing to comply have increased substantially, and GDPR puts the responsibility for any misuse or loss of data firmly on the University (as Data Controller). The University also needs a clear record of all data sharing arrangements in case an individual chooses to exercise one of their new rights under GDPR, such as the 'right to be forgotten'.
The ICO has published updated guidance for organisations relating to contracts / data processing agreements under GDPR.
There are two parties involved in a data sharing relationship, as follows:
- Data controller - determines the purposes and means of processing personal data
- Data processor - is responsible for processing personal data on behalf of a controller
The University will normally be regarded as the Data Controller for most of its routine activities. However, it is not unusual for us to be the Data Processor when delivering some services to other organisations or as part of a collaborative research arrangement.
Contracts and data sharing agreements are not required for sharing data with colleagues or other departments within the University, but you should still consider the risks associated with sharing data with others within the organisation and the privacy rights of the individuals concerned.
Mechanisms for Sharing Data
There are two legal mechanisms for clarifying roles, responsibilities and expectations when sharing data with a third party:
- A legal contract (AKA a Data Processing Agreement)
- A Data Sharing Agreement
Choosing a Mechanism
The guidance on when a contract / data processing agreement or a data sharing agreement should be used is not explicit.
The University's preference is to have a clear legal contract, usually supported by a schedule of data processing, as this allows us to be very clear about respective obligations and liabilities. The ICO has issued guidance for organisations using contracts under GDPR, which outlines when a written contract is required and includes a checklist of compulsory details that must be included within contracts.
Examples of when a contract would be most appropriate include:
- Engaging a company to print and distribute material to prospective students
- Using a third party to provide specialist occupational health support to staff
Data Sharing Agreements may be more appropriate where the relationship with the third party is already established by some other means, or the information is to be used for a one-off exercise for the benefit of the University and/or the individuals concerned. These circumstances are often supported by a Memorandum of Understanding.
The ICO has also issued a checklist for organisations sharing data, covering both systematic sharing and one-off requests. This guidance has not been updated for GDPR, but no significant changes have been noted between the DPA and GDPR.
Examples of when a data sharing agreement would be most appropriate include:
- Providing information to Durham Students' Union to allow them to represent our students
- Providing information about certain students to one of the recognised colleges
The following links provide guidance on the information that should be included in either a contract or a data sharing agreement.
Contract / Data Processing Agreement - https://ico.org.uk/media/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/contracts-1-0.pdf
Data Sharing Agreement - https://ico.org.uk/media/for-organisations/documents/1067/data_sharing_checklists.pdf
Within Durham University, both contracts and data sharing agreements are prepared by the Legal Services Team on receipt of instruction from the budget holder / Information Asset Owner and signed by one of our authorised contract signatories.
You should be prepared to provide Legal Services with a clear instruction identifying the information you need to share, and any specific requirements you would like them to capture within the document you are asking them to prepare.
The Individual's Right to be Informed
A key element of GDPR is the ‘Right to be informed’, which encompasses an organisation's obligation to provide ‘fair processing information’, typically through a privacy notice. It also emphasises transparency over how personal data is used, and you should tell people if their information will be shared with other organisations.
It is important to note that if circumstances change and you choose to share information you already hold with a third party, but this sharing was not declared in the privacy notice in place when the information was first obtained, you will still need to consider whether the individual has a right to be informed (and also the right to opt out).
The ICO has also compiled good and bad examples of privacy notices.
Document Storage and Retention
Under GDPR there are specific requirements for the storage and retention of personal data which must be complied with.
Contracts / Data Processing Agreements - there is a compulsory requirement that the processor must delete or return all personal data to the controller, as requested, at the end of the contract. The security of processing has to be ensured in line with Article 32 of GDPR.
Data Sharing Agreements - there should be consistent retention policies for all records and appropriate security in place. Physical and technical security measures need to be considered for the storage of all data.
Any information which is subject to a statutory retention period will have to be destroyed in adherence to the statute. All other organisations which hold a copy will also have to delete it in accordance with the statute. These requirements must be included in the contract / sharing agreement.