skip to content
 

Summary

  • The restrictions only apply to sharing personal data, that is information about living identifiable individuals (and not, for example, anonymised data).

  • Sharing may be with:

    • a joint data controller (for joint purposes).

    • another data controller (a third party for their own use).

    • a data processor engaged to store or use data for the University.

  • Sharing personal data must comply with the data protection principles. Ensure:

    • there is a good reason for the sharing to take place (e.g. to meet a contractual obligation or pursue a research project).

    • the individuals have been made aware their data is being shared.

    • the minimum amount of personal data is shared.

    • the sharing is for the minimum time and it is clear what then happens to the data.

    • the sharing is done as securely as appropriate for the data involved.

    • the sharing is documented.

  • Sharing outside the EEA: if the country has not been declared 'adequate' by the EU Commission, then the EU model clauses should be used; an alternative for US recipients is their registration under the EU-US Privacy Shield.

 

What is data sharing?

The GDPR sets certain restrictions and conditions when the University shares personal data with third party organisations.  This is to ensure that the personal data are protected adequately and handled properly by others.

Remember that these restrictions and conditions only apply where the sharing involves personal data – i.e. information about living identifiable individuals.  So the sharing of thoroughly anonymised data is not subject to any restrictions.

The University quite rightly shares personal data about applicants, students, staff, alumni, research participants and others for multiple reasons with numerous third parties.

 

What categories of data sharing are there?

Data sharing falls into three broad categories (examples are given below):

  • Category 1: The sharing of personal data with a third party to be used for joint purposes.

  • Category 2: The passing of personal data to a third party for it to use for its own purposes.

  • Catgeory 3: Engaging a third party to handle, store or otherwise use certain personal data on behalf of the University.

On occasion, the sharing of personal data is obligatory under law (usually under category 2 above), but usually it is at the University's discretion whether or not to share personal data.

 

What different layers of restrictions and conditions are there?

The restrictions and conditions differ depending on the type of sharing in question, and whether it involves the personal data leaving the EEA.

The below guidance sets out:

  • The key general points to bear in mind in advance of sharing personal data.

  • The core restrictions and conditions for each type of sharing under Categories (1) to (3) above.

  • The additional restrictions and conditions for any type of sharing under Categories (1) to (3) above where it involves the personal data leaving the EEA.

 

General points to bear in mind in advance of sharing personal data

Before sharing personal data, make sure that:

  • There is a good reason for the sharing to take place (e.g. to meet a contractual obligation or pursue a research project).

  • The individuals whose personal data is involved have been told about the sharing, whether in the overarching privacy notices supplied to University applicants, students, staff and alumni, or in a more specific communication/notice.

  • Consideration has been given as to how to share the minimum amount of personal data necessary to achieve the purpose.

  • Consideration has been given as to the length of the sharing arrangement and what will happen at the end of it.

  • Consideration has been given as to how to share the personal data securely (e.g. by tracked/signed-for post or courier delivery, encrypted file transfer or password-controlled access rights).

  • The sharing has been documented in some way.

 

Category 1: Sharing personal data with a third party for joint purposes – core restrictions and conditions

Where the University shares personal data with a third party for joint purposes, the organisations are known as 'joint data controllers' (Article 26 of the GDPR). The sharing is usually long-term/ongoing.

In these circumstances, it is mandatory to:

  • Have a documented arrangement (not necessarily a contract) setting out respective roles and responsibilities with regard to data protection matters, including who individuals can contact if they want to complain or exercise any of their rights under the GDPR.

  • Be transparent, by making the essence of this arrangement available to the individuals whose data is shared, if not included in the privacy notice.

Examples of such data sharing at the University are:

  • The sharing of personal data between the University, Colleges and Cambridge in America, for example on CamSIS or alumni/development databases.

  • Research collaborations where both parties are equally responsible for the personal data.

Tools to assist with such sharing:

  • Sharing with the Colleges and Cambridge in America is covered by an all-encompassing data sharing protocol.

  • The Research Operations Office will help to ensure that any relevant research agreements and contracts contain the necessary clauses.

 

Category 2: Sharing personal data with a third party for its own purposes – core restrictions and conditions

Where the University shares personal data with a third party for it to use for its own purposes, each organisation is a separate 'data controller'.  The sharing might be one-off, long-term or ongoing.  The third party might be closely 'related to' the University (such as a Trust, a Student Union or a student society) or wholly unrelated to the University (such as HMRC).

In the circumstances, there are no mandatory restrictions and conditions but it is advisable to do the following unless the sharing is required by law:

  • Use the template data sharing agreement so that all parties are clear about the nature of the arrangement.

  • Conduct and document due diligence checks to ensure that the arrangement has been carefully considered in line with the general points listed  above.

Examples of such data sharing at the University are:

  • Sharing lists of students with local authorities to assist with students' exemption from Council Tax.

  • Sharing lists of staff or students with student/trade unions for union membership purposes.

  • Sharing information about those staff jointly employed by the University and an NHS Trust for employment administration.

  • Sharing information about applicants, students or staff with actual or potential funders/sponsors.

  • Sharing information about alumni with relevant alumni clubs, societies and volunteer groups.

  • Sharing an existing research dataset with a third party organisation (e.g. another university) for them to carry out new research using the personal data.  (This also works the other way round, whereby a University researcher might be the recipient of a dataset created by a third party organisation.)

  • Sharing information about an alumnus with the police in connection with a specific investigation (no data sharing agreement required).

  • Sharing information about staff with pension providers or regulatory bodies or HMRC (no data sharing agreement required).

  • Sharing information about students with UKVI (no data sharing agreement required).

Tools to assist with such sharing:

  • A template data sharing agreement is available on request from the Information Compliance Office.

  • CUDAR has a template agreement for sharing the personal data of alumni with individuals (e.g. volunteers).

 

Category 3: Using a data processor: sharing personal data with a third party for it to store or use on behalf of the University – core restrictions and conditions

Where the University shares personal data it controls with a third party for it to carry out operations in relation to that data on behalf of the University, the third party is known as a 'data processor' (Article 28 of GDPR).  The sharing might be one-off or long-term or ongoing, and it applies primarily to situations where the University is outsourcing or offering a function involving personal data (whether storage or more active management) that it could have chosen to do for itself.

In these circumstances, it is mandatory to:

  • Have a binding contact that commits the data processor to certain standards, including with regard to security, the engagement of further 'sub-processors', helping the University to meet its GDPR obligations with regard to individual rights and accountability requirements, and cooperating with University audits and inspections.  The ICO website provides guidance on the full list of topics that must be included in the contract - the 'tools' listed below incorporate these.

Examples of such data sharing at the University are:

  • Sharing lists of alumni with a mailing house to enable the despatch of an alumni magazine.

  • Using a cloud storage or other third party provider to store the personal data of staff, students or others.

  • Using a form hosted on a third party website to run a survey or collect information from staff, student or others.

Tools to assist with such sharing:

  • Standard University data processing clauses and data processing agreements should be used where possible (see Financial Regulation 18.8) - these are published on the Procurement Services Office webpages.

  • If that is not possible, it may be that the contract terms (or terms of business) of the third party contain adequate clauses - advice should be sought from the Information Compliance Office or the Legal Services Office on a case-by-case basis (note too that the Procurement Services Office or UIS might have central arrangements in place with preferred suppliers).  The standard terms and conditions of many major cloud-based IT suppliers (e.g. those offering services in the areas of data storage, online surveys/forms, mass communications or event management) already contain adequate clauses, but a formal list of University-approved/vetted services does not yet exist.

 

Sharing that involves a transfer of personal data outside the EEA – additional restrictions and conditions

Because the GDPR applies across the EEA, there are additional restrictions and conditions (Articles 44-50 of the GDPR) when data sharing involves a transfer outside the EEA so as to ensure that the personal data are still covered by an 'adequate' level of protection after they have been transferred.  Remember that these requirements are in addition to the requirements listed above.

Such 'adequacy' can be achieved in the following ways:

  • If the third party organisation is based in a country that has been deemed adequate by the European Commission in terms of its data protection laws.

  • If the third party organisation is based in the USA and has signed up to the Privacy Shield initiative run by the US Government - before contracting with the organisation, check their certification on the official list of participating organisations.  This approach to adequacy is incorporated as optional drafting within the standard University data processing agreement published on the Procurement Services Office webpages.  Many major cloud-based IT suppliers operating from the US (e.g. those offering services in the areas of data storage, online surveys/forms, mass communications or event management) are signed up to the Privacy Shield, but a formal list of University-approved/vetted services does not yet exist.

  • If the third party organisation has signed up to, or will sign as part of contractual documentation, the European Commission's standard contractual clauses for transfers (without any amendment) - different clauses are required depending on whether the sharing is with another data controller (Category 2 above) or with a data processor (Category 3 above).  A pre-completed model, to use with the standard University data processing agreement, is published on the Procurement Services Office webpages.

In certain circumstances the adequacy requirement can be circumvented (Article 49 of the GDPR).  Examples include:

  • Where the individuals have explicitly consented to the transfer in advance.

  • Where the transfer is necessary to fulfil a contract with the individuals.

  • Where the transfer is necessary for important reasons of public interest (e.g. exchange between competition authorities, tax or customs administrations, between financial supervisory authorities, between services competent for social security matters, or for public health, for example in the case of contact tracing for contagious diseases) or to protect an individual’s own vital interests.

The restrictions and conditions surrounding data sharing which involves a transfer of personal data outside the EEA are complicated.  Advice may be sought from the Information Compliance Office or the Legal Services Office on a case-by-case basis.