Data Sharing Agreements

Data Sharing Agreements

The University is the data controller for all personal data processed by the organisation. As the data controller, the University is responsible for the care and maintenance of the personal data of its staff and students, and is legally obligated to adhere to the eight data protection principles of the DPA.

When the University shares personal data with other organisations, liability for adherence to the principles, in relation to our data, still lies with us. If the organisation that we shared our data with breached one of the DP principles, the University could be held responsible.

If your department must share personal data with other organisations in order to conduct business, you may require a data sharing agreement. According to the ICO’s Data sharing code of practice, your data sharing agreement should, at minimum, address the following:

  • The purpose or purposes of the sharing
  • The potential recipients or types of recipient
  • The circumstances in which the recipient(s) will have access to the data
  • The data to be shared
  • Data quality, including accuracy, relevance, and usability of the data
  • Data security
  • Retention of the shared data
  • Individual’s rights, including procedures for dealing with access requests, queries, and complaints
  • Review of the effectiveness or termination of the data sharing agreement
  • Sanctions for failure to comply with the agreement, or breaches by individual staff

When sharing the personal data of staff and students, it is imperative that we have a legitimate and lawful reason to share and also that individuals are aware that their data will be shared, and that it may be used for reasons other than that for which it was originally collected.

For guidance on drafting data sharing agreements, please contact the Data Protection Office.

For further guidance on the requirements and regulations around transferring and sharing data with other organisations, please see the A to Z entries on Transfer of Personal Data – outwith the University and Transfer of Personal Data – outwith the EEA. The ICO has published a comprehensive “Data sharing code of practice” which also offers advice and guidance.