Sharing personal data
This section deals with:
It also provides a checklist for dealing with requests for personal data from third parties and guidance on releasing information to parents, other relatives and third parties.
Please use this link for information on the .
The University is the data controller of all the data held by the different schools/offices within the University and in many circumstances it is permissible to pass personal data between schools/offices if the information sharing is reasonable and expected, and provided the Data Protection Principles are adhered to.
The Data Protection Principles state that personal data must be processed fairly and for limited purposes, which means that it should not be shared without good reason. So, for example, the University may process personal data of students applying for places and it is perfectly permissible for this information to be shared by student services and relevant schools.
Abroad rule of thumb is if the internal recipient has a legitimate purpose for access, in order to fulfil their role and tasks, providing this is shared securely and wherever possible, limited to only that is necessary for those tasks, the principles will be met.
Special Category (sensitive) personal data imposes additional obligations and we would advise you to seek advice from IMPS if you are considering a new activity that involves the sharing of this category of data with other departments.
The shared personal data must also be relevant and not excessive. So, for example, if a student's data is being passed to the Accommodation Office from an office that holds the student's full record it is not necessary for the student's academic achievement details to be shared; only those details that are necessary for the Accommodation Office to do their job properly.
The shared data must also be accurate and up to date, not kept for longer than necessary. So, before sharing personal data with other offices/schools within the University you should satisfy yourself that the data you are sharing is the most up to date available and that some procedures are put in place to ensure that the other office/school's record will be updated if and when necessary.
When dealing with personal data you can consult the checklist for dealing with third party requests to help establish that you are processing according to the DPA. This checklist may also be useful when you are considering whether to share personal data with another office/school. If you have doubts whether to share or you are unclear, please contact us in order to confirm whether sharing is permissible within the terms of the DPA.
Some of the advice given in the applies equally well to dealing with requests from other schools/offices within the University. For example, whenever you are passing on personal data, you should ensure the identity of the enquirer before disclosing the information, especially when the request is made by telephone. Also, in the case of an enquiry, good practice would be to take the contact details of the enquirer and pass them on to the subject concerned.
Students enquiring about other students should be treated as external enquirers, not internal enquirers.
Data protection law does allow for sharing outside the organisation providing the principles are met, which include identifying a lawful basis for that transfer within the GDPR and DPA 18.
A list of the third parties to whom the University may disclose personal data of students ans staff, including sensitive personal data, is given in the section Students' Fair Processing Notice (FPN) and Staff Privacy Notices.
Further guidance is given on releasing information to parents, other relatives and third parties.
If you have doubts whether to share or you are unclear, please contact us in order to confirm whether sharing is permissible within the terms of the DPA
Both student and staff data is shared with the Higher Education Statistics Agency (HESA), as described below.
Details of the data shared with HESA can be found in the
on the HESA website.
If you know that you will need to pass on personal data to a third party , for example when a student has a sponsor, it is advisable to state this clearly when collecting the information and identify the purpose for which the personal data will be used. Advice on how you do this is given in .
The third party is not allowed to use the personal data for any other purpose than that stated when the data is collected.
Disclosing information to a third party for a legitimate interest is permitted only if disclosure would not prejudice the rights and freedoms or legitimate interests of the data subject. For example, if the police require information about a particular person, they must produce the appropriate data protection release form. The third party requesting the information should be happy to explain the legal basis for their enquiry but, if you are in doubt, take a message and contact us for assistance. If the request cites a lawful basis of the DPA you should contact us.
Except in exceptional circumstances personal data should not be disclosed to third parties.
Exceptional circumstances could include:
- protecting the vital interests of the data subject (ie release of medical data where failure to release the data would result in harm to, or the death of, the data subject)
- preventing serious harm to a third party that would occur if the data were not disclosed
- safeguarding national security
- prevention or detection of crime
- apprehension or prosecution of offenders
- assessment or collection of any tax or duty or of any imposition of a similar nature
- discharge of regulatory functions, including securing the health, safety and welfare of persons at work
Requests for personal data from Police and Local Authorities
Please refer the requestor to firstname.lastname@example.org
There are some recommended ways of dealing with requests for personal data of another person or persons by a third party:
- When dealing with enquiries by telephone it is good practice to offer to telephone back with the information to ensure some measure of authentication or perhaps send them the information by an alternative (recordable) means
- it may be best if the third party could arrange for the data subject to request the information on their behalf
- as an alternative to divulging a student's personal data, you could accept a sealed envelope to forward to the student's last-recorded address or you could forward an incoming email message to a student. However, you must take care not to confirm the student's status in the process of arranging this
- where the matter is urgent, you should attempt to contact the data subject by telephone or other means in order to put him or her in touch with the enquirer
- if you refuse a request for information about a data subject, but the subject-matter of the enquiry is clearly of importance to the data subject, you should inform them of the enquiry unless this is against the interests of the enquirer. This will allow the data subject to contact the enquirer should they so wish
You should always take care to prevent the inadvertent disclosure of personal data (for example a student's attendance at the University) to unauthorised third parties. If you receive enquiries as to whether a named person is a student of the University, the enquirer should be asked why the information is required. If the reason is not one that would justify disclosure, you should decline to comment one way or the other. Similarly, even if the data subject is not known to the University, a similar response should be given to ensure a consistent approach. (A firm "No" when the individual is not known makes any other response a tacit "Yes").
Enquiries from Embassies and High Commissions should be treated with extreme caution. Data subjects may choose to have little or no contact with representatives of their home states, the extent of the relationship is a matter for the data subject, not the University, to determine.
If you are not sure, you should contact us to discuss the issues before disclosing any personal data.
Further guidance is available on releasing information to parents, other relatives and third parties.
Read further guidance
- Telephone: +44 (0) 118 378 8981
Find out if you need to do a DPIA here: