Information sharing protocol
SOAS Protocol For Sharing Information About Individuals
This information sharing protocol should be used if you are considering sharing information about individuals (personal data) with external organisations and persons. Its purpose is to ensure that personal data is only shared when necessary and in accordance with data protection law, namely the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA) taken together, and other relevant legislation.
SOAS has a statutory duty to share personal data on a regular basis with some third parties. For example, we share staff and student data with the Higher Education Statistics Agency (HESA) every year, and from time to time we need to share international staff and student data with UK Visas and Immigration (UKVI).
In most circumstances individuals give their consent for SOAS to share their personal data, e.g. to allow us to provide references to future employers, or student performance data to sponsors.
Occasionally, SOAS might need to share personal data without individuals' consent, such as when we receive one-off requests for personal data which is necessary for the purposes of investigating a crime, and getting consent would prejudice the objective of the processing. Such requests might come from local authorities, the police or other bodies carrying out law enforcement functions.
Similarly, SOAS may consider it necessary to share personal data with external bodies without the consent of the individual if it considers that any individual is at risk of serious harm. This will only occur if the individual is physically or legally incapable of giving consent (e.g. they may be critically ill or injured), or obtaining consent is impossible or would prejudice the dispensation of medical treatment or provision of social protection to an individual.
Issues to consider before sharing information
1. IS THE SHARING JUSTIFIED?
- Is there a legal obligation to share personal data?
- Assess potential benefits and risks to individuals and/or society of sharing or not sharing.
- Are there concerns that by not sharing the data an individual may be at risk of serious harm?
- If a crime has taken place, the police should be consulted before any information is shared so that evidence is protected and the risk to the vulnerable person minimised.
- The DPA allows an organisation that holds personal data to disclose it if disclosure is both necessary and proportionate in the interests of national security (Part 2, Chapter 3, section 110) or for the detection, investigation or prevention of crime (Schedule 2, Part 1, Section 2). SOAS must ensure that the risk of harm if the information is not disclosed justifies the breach of privacy that will be caused by disclosing it.
- Other legal considerations:
  - Common law duty of confidence (where a person shares information with another in circumstances where it is reasonable to expect that the information will be kept confidential, for example in a counselling session with Student Advice and Wellbeing). The duty is not absolute. Disclosure can be justified if there is an overriding public interest in disclosure.
  - Human Rights Act (Article 8 right to respect for private life). This is not an absolute right. Disclosure can be justified if necessary to prevent crime or protect health and welfare of an individual.
Otherwise, disclosure of the personal data is only permitted with the explicit consent of the individual.
2. SHARING THE INFORMATION
What information needs to be shared?
- Only share what is necessary and to those who need to know.
- Distinguish fact from opinion.
How should the information be shared?
- Information must be shared securely. Ask the Information Compliance Manager (dataprotection@soas.ac.uk) or the IT Helpdesk for advice on how to share information securely. The measures taken should be proportionate to the context of the sharing and the type of information shared (sharing information relating to a crime, including special category data, with an appropriate authority will need additional layers of security).
- Ensure information is given to the right person and they understand the confidentiality attached.
- For systematic (routine) data sharing, create an information sharing agreement with the third party. A template agreement is available from the Information Compliance Manager.
Informed and explicit consent?
- Where possible and appropriate, fully informed and explicit written consent should be obtained from the individual concerned. They should understand who will see their information, the purpose to which it will be put and any other implications of sharing.
3. SHARING INFORMATION OVERSEAS (outside the European Economic Area)
Sharing outside the EEA is called a ‘restricted transfer’ of personal data in the GDPR.
Some countries are exempt from the restriction, because they have an ‘Adequacy Decision’ from the European Commission. The countries listed below received an Adequacy Decision, which means they have data protection laws which offer a high level of protection to individuals:
Andorra, Argentina, Canada (commercial organizations only), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay, and the USA (limited to the Privacy Shield framework).
If the country you are sharing information with is not in this list, and you want to share information regularly, you will need to identify a legal safeguard. Only one safeguard exists at present which is applicable to SOAS's situation:
- Standard Contractual Clauses published by the European Commission can be added to an agreement with an overseas body with whom personal information is shared. There are different clauses for different relationships. The clauses can only be used in their entirety: they cannot be reduced, amended or added to. Before relying on the clauses, SOAS and the data importer must be fully satisfied that the legal framework of the importer's country allows the clauses to take full effect.
Standard Contractual Clauses involve entering into a formal agreement with a third party, so are best used for routine or large scale data transfers. If you only want to transfer data occasionally, you might be able to share the information under one of the ‘exceptions’ listed in the GDPR. These are only to be used as true exceptions from the general rule, and should never be used for regular or routine data sharing.
- Explicit consent from the individual
- Sharing is necessary for performance of a contract with the individual, or to take steps to enter into a contract with them
- Where sharing is in the substantial public interest. This would typically involve sharing information in the spirit of reciprocity for international co-operation, including in accordance with an international agreement or convention
- Where SOAS needs to establish whether it has a legal claim, or to uphold or defend a legal claim
- The sharing is necessary to protect the vital interests of the individual or a third party, where they are not capable of giving consent
- Where SOAS has compelling legitimate interests to share the information. A legitimate interests assessment must be completed, and you must inform the individual(s) and the ICO of your intention to share the information.
4. RECORDING DECISIONS
When you are considering sharing personal information, record your decisions and reasoning, whether or not the information is actually shared.
Record:
- What was shared and for what purpose
- Who it was shared with
- When it was shared
- Justification for sharing (the lawful basis, and the safeguard or exception for overseas transfers)
- Whether shared with or without consent
- Who authorised the sharing
If you need further advice, please consult with the Information Compliance Manager (dataprotection@soas.ac.uk) before disclosing any personal data to an external party.
Page last updated: February 2020