Data sharing and using data processors
What categories of data sharing are there?
What different layers of restrictions and conditions are there?
General points to bear in mind in advance of sharing personal data
Summary
- The restrictions only apply to sharing personal data, that is information about living identifiable individuals (and not, for example, anonymised data).
- Sharing may be with:
- a joint data controller (for joint purposes).
- another data controller (a third party for their own use).
- a data processor engaged to store or use data for the University.
- Sharing personal data must comply with the data protection principles. Ensure:
- there is a good reason for the sharing to take place (e.g. to meet a contractual obligation or pursue a research project).
- the individuals have been made aware their data is being shared.
- the minimum amount of personal data is shared.
- the sharing is for the minimum time and it is clear what then happens to the data.
- the sharing is done as securely as appropriate for the data involved.
- the sharing is documented.
- For some sorts of sharing, contracts or other agreements are required. Templates are published and/or available on request as described below.
- Sharing outside the UK: if the country has not been declared 'adequate' by the UK Government, then a transfer risk assessment should be carried out and standard contractual clauses should normally be used. Templates are published and/or available on request as described below.
What is data sharing?
The UK GDPR sets certain restrictions and conditions when the University shares personal data with third party organisations. This is to ensure that the personal data are protected adequately and handled properly by others.
Remember that these restrictions and conditions only apply where the sharing involves personal data – i.e. information about living identifiable individuals. So the sharing of thoroughly anonymised data is not subject to any restrictions.
The University quite rightly shares personal data about applicants, students, staff, alumni, research participants and others for multiple reasons with numerous third parties.
What categories of data sharing are there?
Data sharing falls into three broad categories (examples are given below):
- Category 1: The sharing of personal data with a third party to be used for joint purposes.
- Category 2: The passing of personal data to a third party for it to use for its own purposes.
- Category 3: Engaging a third party to handle, store or otherwise use certain personal data on behalf of the University.
On occasion, the sharing of personal data is obligatory under law (usually under category 2 above), but usually it is at the University's discretion whether or not to share personal data.
What different layers of restrictions and conditions are there?
The restrictions and conditions differ depending on the type of sharing in question, and where the personal data is going.
The below guidance sets out:
- The key general points to bear in mind in advance of sharing personal data.
- The core restrictions and conditions for each type of sharing under Categories (1) to (3) above.
- The additional restrictions and conditions for any type of sharing under Categories (1) to (3) above where it involves the personal data leaving the UK.
General points to bear in mind in advance of sharing personal data
Before sharing personal data, make sure that:
- There is a good reason for the sharing to take place (e.g. to meet a contractual obligation or pursue a research project).
- The individuals whose personal data is involved have been told about the sharing, whether in the overarching privacy notices supplied to University applicants, students, staff and alumni, or in a more specific communication/notice.
- Consideration has been given as to how to share the minimum amount of personal data necessary to achieve the purpose.
- Consideration has been given as to the length of the sharing arrangement and what will happen at the end of it.
- Consideration has been given as to how to share the personal data securely (e.g. by tracked/signed-for post or courier delivery, encrypted file transfer or password-controlled access rights).
- The sharing has been documented in some way.
Category 1: Sharing personal data with a third party for joint purposes – core restrictions and conditions
Where the University shares personal data with a third party for joint purposes, the organisations are known as 'joint data controllers' (Article 26 of the UK GDPR). The sharing is usually long-term/ongoing.
In these circumstances, it is mandatory to:
- Have a documented arrangement (not necessarily a contract) setting out respective roles and responsibilities with regard to data protection matters, including who individuals can contact if they want to complain or exercise any of their rights under the UK GDPR.
- Be transparent, by making the essence of this arrangement available to the individuals whose data is shared, if not included in the privacy notice.
Examples of such data sharing at the University are:
- The sharing of personal data between the University, Colleges and Cambridge in America, for example on CamSIS or alumni/development databases.
- An outreach, student or staff initiative run jointly by the University and another legal entity (e.g. another University or an industry partner) where both (or all) parties are jointly responsible for determining what personal data is collected and the purposes for which it is used.
- Research collaborations where both/multiple parties are equally responsible for the personal data.
Tools to assist with such sharing:
- Sharing with the Colleges and Cambridge in America is covered by an all-encompassing data sharing protocol.
- For research collaborations involving the joint control of personal data: the Research Operations Office will help to ensure that any relevant research agreements and contracts contain the necessary clauses.
Category 2: Sharing personal data with a third party for its own purposes – core restrictions and conditions
Where the University shares personal data with a third party for it to use for its own purposes, each organisation is a separate 'data controller'. The sharing might be one-off, long-term or ongoing. The third party might be closely 'related to' the University (such as a Trust, a Student Union or a student society) or wholly unrelated to the University (such as HMRC).
In the circumstances, there are no mandatory restrictions and conditions but the following are advisable (and expected under the ICO's Data Sharing Code of Practice issued under section 121 of the Data Protection Act 2018), unless the sharing is required by law:
- Use the template data sharing agreement so that all parties are clear about the nature of the arrangement.
- Conduct and document due diligence checks to ensure that the arrangement has been carefully considered in line with the general points listed above.
Examples of such data sharing at the University are:
- Sharing lists of students with local authorities to assist with students' exemption from Council Tax.
- Sharing lists of staff or students with trade/student unions for union membership purposes.
- Sharing information about those staff jointly employed by the University and an NHS Trust for employment administration.
- Sharing information about applicants, students or staff with actual or potential funders/sponsors.
- Sharing information about alumni with relevant alumni clubs, societies and volunteer groups.
- Sharing information about an alumnus with the police in connection with a specific investigation (no data sharing agreement advisable - but see the guidance on disclosure requests).
- Sharing information about staff with regulatory bodies or HMRC (no data sharing agreement advisable).
- Sharing information about students with UKVI (no data sharing agreement advisable).
- Sharing an existing research dataset with a third party organisation (e.g. another university) for them to carry out new research using the personal data. (This also works the other way round, whereby a University researcher might be the recipient of a dataset created by a third party organisation.)
Tools to assist with such sharing:
- A basic template data sharing agreement is available on request from the Information Compliance Office. This is designed for simple data sharing with other organisations (usually based within the UK). More detailed data sharing agreements may be required for more complex types of sharing, and these often need to be developed, reviewed and/or negotiated individually.
- CUDAR has a template agreement for sharing the personal data of alumni with individuals (e.g. volunteers).
- When sharing personal data in a research context with a third party (which is not a collaborator): the Research Operations Office will help to ensure that any relevant research agreements and contracts contain the necessary clauses. (Note that, although outside the scope of this guidance page, such agreements and contracts usually are required in a research context even where the sharing consists solely of anonymised data).
Category 3: Using a data processor: sharing personal data with a third party for it to store or use on behalf of the University – core restrictions and conditions
Where the University shares personal data it controls with a third party for it to carry out operations in relation to that data on behalf of the University, the third party is known as a 'data processor' (Article 28 of the UK GDPR). The sharing might be one-off or long-term or ongoing, and it applies primarily to situations where the University is outsourcing or offering a function involving personal data (whether storage or more active management) that it could have chosen to do for itself.
In these circumstances, it is mandatory to:
- Have a binding contract that commits the data processor to certain standards, including with regard to security, confidentiality, the engagement of further 'sub-processors', helping the University to meet its obligations with regard to individual rights and accountability requirements, and cooperating with University audits and inspections. The ICO website outlines the full list of topics that must be included in the contract - the 'tools' listed below incorporate these. Prior to entering into the contract, appropriate due diligence may be required to ensure that the data processor will be able to meet the necessary standards (e.g. with regard to having adequate security arrangements).
Examples of such data sharing at the University are:
- Sharing lists of alumni with a mailing house to enable the despatch of an alumni magazine.
- Using a cloud storage or other third party provider to store the personal data of staff, students or others.
- Using a form hosted on a third party website to run a survey or collect information from staff, student or others.
- Using a supplier to provide the University with a service in relation to staff, students or others that involves the supplier handling the contact or other details of those individual staff or students.
- Using a third party company to perform specialist analysis on a University research dataset containing personal data in order to return the results of the analysis to the Principal Investigator.
Tools to assist with such sharing:
- Standard University data processing clauses and data processing agreements should be used where possible. The University has a set of Model UK GDPR Data Processing Clauses for use when engaging a data processor; these can be used to supplement a wider contract. As well as being published here, these are publicly available to suppliers on the Procurement Services Supplier Portal. They are incorporated as necessary within standard University contractual templates for purchasing and procurement.
- If that is not possible, it may be that the contract terms (or terms of business) of the third party contain adequate clauses - advice should be sought from the Information Compliance Office or the Legal Services Division on a case-by-case basis (note too that Procurement Services or UIS might have central arrangements in place with preferred suppliers). The standard terms and conditions of many major cloud-based IT suppliers (e.g. those offering services in the areas of data storage, online surveys/forms, mass communications or event management) already contain adequate clauses, but a 'master' list of University-approved/vetted services is not maintained (though staff can search for the various tools available to them, including University-managed cloud services, on the UIS website).
- When using a third party data processor to handle personal data in a research context: the Research Operations Office will help to ensure that any relevant research agreements and contracts contain the necessary clauses.
Sharing that involves a transfer of personal data outside the UK – additional restrictions and conditions
There are additional restrictions and conditions when personal data sharing involves a transfer outside the UK so as to ensure that the personal data are still covered by appropriate safeguards after they have been transferred (Articles 44-50 of the UK GDPR). Remember that these requirements are in addition to the requirements listed above. They apply equally to personal data sharing with joint data controllers, separate data controllers, or data processors.
Step 1 - is the recipient based in a country covered by adequacy regulations?
No additional safeguards are required if the third party organisation is based in a country that is covered by 'UK adequacy regulations' (i.e. it has been deemed to have suitable data protection laws). This includes all EU/EEA countries but otherwise comprises a relatively limited list. The UK Government has announced that it is prioritising the legal steps to grant adequacy status to certain countries, including Australia, Brazil, India and Singapore.
The US is now covered by adequacy regulations. These regulations only apply if the specific US-based organisation you are transferring the personal data to:
- Is an 'active' member of the Data Privacy Framework (DPF) Program run by the US Department of Commerce ('active' means that it is up-to-date with its annual self-certification to the US authorities).
- Is listed as being covered under the 'UK Extension to the EU-U.S. Data Privacy Framework'.
- Is listed as being covered for the data you propose to transfer:
- 'HR data' (if the transfer involves personal data about University employees) and/or
- 'Non-HR data' (if the transfer involves any other types of personal data).
If all three conditions above are met, you can rely on these adequacy regulations for the transfer to the US-based organisation. You should check (or contractually require) that the recipient organisation will remain an 'active' member of the DPF for as long as they will hold any personal data that you have transferred to them. If in doubt about any particular recipient organisation, seek advice (see the end of this section). For clarity, if the recipient organisation does not meet the above conditions, you should move to Step 2.
Step 2 (in most cases) - if the recipient is not based in a country covered by adequacy regulations, assess the risks and implement standard contractual clauses
For a transfer to any country not covered by UK adequacy regulations, the appropriate safeguards can be implemented as follows:
- Firstly, consider the risks of making the transfer; this is known as a transfer risk assessment (TRA). The University has developed a standard TRA template which is available on request by emailing data.protection@admin.cam.ac.uk. Note that University staff are expected to use the University's TRA template, not the TRA tool issued by the ICO or any other template/tool. Carrying out a TRA is a legal requirement.
- Secondly, ask the third party organisation to sign 'standard contractual clauses'. There are two options:
- Either use the International Data Transfer Agreement (IDTA). This was issued by the ICO in March 2022.
- Or use the IDTA Addendum (issued by the ICO in March 2022), which adopts and adapts the 'new' European Commission Standard Contractual Clauses for transfers (issued by the EC in June 2021) so that they make sense in a UK context. (The Addendum, unlike the IDTA, covers transfers of personal data about data subjects based both in the UK and EU/EEA.)
- Note that:
- The standard contractual clauses referenced above are incorporated as necessary in University contract templates for procurement and research. By default the University's contract templates use the IDTA Addendum.
- Many major cloud-based IT suppliers, including those operating from the US (e.g. those offering services in the areas of data storage, online surveys/forms, mass communications or event management), already incorporate the standard contractual clauses within their own standard terms and conditions.
- The standard contractual clauses to be used for new contracts from 22 September 2022 onwards differ to those that could be used prior to this date, which were based on old models issued by the European Commission. (Any contracts using the old models had to be updated to use the new IDTA or IDTA Addendum by 31 March 2024 if the personal data transfer was ongoing.)
Step 2 (in occasional cases) - if the recipient is not based in a country covered by adequacy regulations, identify and rely on a derogation (exception)
In certain circumstances there may be alternatives to the safeguards for occasional/limited personal data transfers. There are a number of such 'derogations' (exceptions). Examples include:
- Where the individuals have explicitly consented to the transfer in advance.*
- Where the transfer is necessary to fulfil a contract (or to take pre-contractual steps) with the individuals.*
- Where the transfer is necessary to fulfil a contract between the data controller (the University) and a third party organisation that supports the interests of the individuals.*
- Where the transfer is necessary for important reasons of public interest (e.g. exchange between competition authorities, tax or customs administrations, between financial supervisory authorities, between services competent for social security matters, or for major public health initiatives) or to protect an individual’s own vital interests where they cannot give consent.
* The derogations in the first three (asterisked) bullet points above are not available to 'public authorities in the exercise of their public powers'. Although the University is defined as a public authority for UK GDPR purposes, it is a 'hybrid' authority; it does not act in all aspects as a public authority in the exercise of public powers. In particular, it is not considered that student or staff recruitment and administration themselves constitute the exercise of a public power. Therefore these derogations can apply to occasional/limited personal data transfers necessitated, for example, by overseas trips/travel, fieldwork, recruitment, and so on, involving student or staff personal data.
Seek advice if necessary
The restrictions and conditions surrounding data sharing which involves a transfer of personal data outside the UK can be complicated, but the TRA and the contractual templates are designed to be used by colleagues without the need for specific support. If help is needed, advice may be sought from the Information Compliance Office or the Legal Services Division or, if the transfer relates to a research project, the Research Operations Office.