Sharing personal data
What is data sharing?
Data sharing in this context refers to the disclosure of personal data by the College to anyone outside the College i.e. sharing with third parties (e.g. to a third party organisation, an individual consultant, an academic collaborator, a commercial partner or a service provider) whether as a separate data controller or as a data processor.
Note that one department using personal data collated by another department within College is not data sharing under this guidance. The considerations in such cases are whether the data is being used within College for the purpose for which it was collected and in line with the information given to the individuals whose data it is.
Can we share personal data with third parties?
The College may be able to share personal data with third parties, but only under certain conditions. These are where:
- Sharing is necessary for a legitimate purpose
- It is not otherwise unlawful, e.g. because of confidentiality provisions
- We have told people, or are going to tell them before the sharing, that we will be sharing their data
- We are going to share the minimum that is necessary for the purpose of the sharing
- We enter into data sharing/processing documentation with the third party, see below.
When is a data processing agreement mandatory?
A data processing agreement is mandatory where a controller wishes to appoint a processor to process personal data on behalf of the controller. In such circumstances, both the controller and the processor are responsible for ensuring that such an agreement is put into place.
This scenario will be relevant in numerous cases in the College – for example, where the College gives an IT services provider access to College systems holding personal data, where the College uses a third party platform to send newsletter mailings, where the College commissions a third party (e.g. a consultant) to analyse some personal data on the College’s behalf, or where the College outsources invoicing functions to a third party platform provider.
As a controller the College must only use processors that guarantee compliance with the GDPR and the College is obliged to appoint such processors in the form of a binding agreement in writing – typically, this takes the form of a data processing agreement, but it can also take the form of data processing clauses or a data processing addendum inserted into the agreement for services with the processor.
Are data processing agreements and data sharing agreements the same thing?
Many people use the titles ‘data processing agreement’ and ‘data sharing agreement’ interchangeably. However, data protection specialists refer to ‘data sharing agreements’ where personal data is being shared between two or more data controllers, i.e. no party is processing the data on the instructions of the other and each party uses the data for purposes it determines itself.
Data sharing agreements are not mandatory, but it is good practice to put one in place so that it is beyond doubt what each party’s responsibilities and obligations are, what security measures will be in place when the data is shared, and who the relevant contacts are at each organisation.
There may be instances where the parties sharing personal data are each a controller for most of the data and a processor for some of the data of the other party. In this scenario, a data processing agreement is necessary.
What provisions are mandatory for data processing agreements?
Data Processing Agreements must say that the processor must:
- Only act on the controller’s documented instructions;
- Impose confidentiality obligations on all personnel who process the relevant data;
- Abide by the rules regarding appointment of sub-processors and the rules about transfers of personal data outside the EEA;
- Implement measures to assist the controller in complying with the rights of data subjects;
- Assist the controller in obtaining approval from data protection authorities (the ICO in the UK) where required;
- At the controller’s election, either return or destroy the personal data at the end of the relationship (except as required by EU or member state law);
- Ensure the security of the personal data it processes;
- Provide the controller with all information necessary to demonstrate compliance with the GDPR and allow for and contribute to audits (including inspections) conducted by the controller or another auditor mandated by the controller;
- Assist the controller in ensuring compliance with the controller’s obligations regarding security, notification of data breaches, communication of data breaches to individuals, data protection impact assessments and, when necessary, consultation with the data protection authorities, taking into account the nature of the processing and the information available to the processor;
- Inform the controller if an instruction from the controller infringes EU data protection law.
Data Processing Agreements must also contain the following details (which will be specific to each individual case):
- The name and contact details of the processor and the controller and, where applicable, of their data protection officers;
- The subject matter, nature and purpose, or purposes, of the data processing;
- The duration of the processing;
- The types of personal data to be processed and categories of data subjects;
- Where possible, a general description of the technical and organisational security measures protecting the personal data.
Indemnities, caps on liability in the event of a breach of data processing obligations, and mandatory insurance may also be found in some Data Processing Agreements, but they are optional.
The Data Processing Agreement [Word] is available for use where the College (Data Controller) is sharing personal data with a supplier (Data Processor) within the EEA.
The Data Sharing Agreement [Word] is available for use where the College (Data Controller) is sharing personal data with another party (also a Data Controller) within the EEA.
International data transfers
Data can be transferred to countries outside of the EEA in the following circumstances:
- If the data is transferred to a country with an Adequacy Decision from the EU Commission
- When standard EU model clauses are signed by the recipient
- For transfers to the US, if the recipient has self-certified under the EU-US Privacy Shield (or the recipient signs the standard EU model clauses)
- When binding corporate rules are in place (rarely encountered in practice by the College)
- When explicit consent is given by the data subject – but this is not an option where the College is exercising public functions
- When the transfer is necessary for the performance of a contract – but this is not an option where the College is exercising its public functions or has simply chosen to structure its activities in that manner
If the data will only be in transit through a non-EEA country and is therefore not accessible outside the EEA, this does not count as a transfer outside the EEA.
You should always consider whether the transfer is necessary. If you conclude that it is, please contact the Data Protection Officer or legal team for advice on how to arrange and document the transfer.