When is it OK to share information about other people? Max Todd, Council Secretariat; Geoff Hemmings, Legal Services. Wednesday 1 October 2014
What is personal data? Data that relates to a living person, who can be identified from that data, on its own or in combination with other data, e.g. email address; student or staff number; photos. Sensitive personal data: data relating to health, race/ethnicity, religious/political beliefs, trade union membership, sexual life, criminal record.
What is sharing? Disclosure of personal data to a third party (individual or organisation) or sharing of data between different parts of the same organisation. Disclosure of student data by University to a college (or vice-versa); disclosure of data to the Police or council; disclosure of data to a service provider, e.g. mailing house, IT contractor.
Data Protection Act: Key Requirements. Sharing must satisfy all 8 data protection principles. But certain principles are particularly relevant to the question of whether data can be shared. Principle 1: Fair and lawful processing. Principle 2: Limited purpose.
Principle 1: Fair and lawful processing. Provide a privacy notice, indicating: who is processing the data; what will be done with the data; any other information needed for processing to be fair, e.g. disclosures to 3rd parties. Consider the impact of processing on the individual: will any adverse effect be justified?
Principle 2: Purpose limitation. Personal data shall not be used for a purpose incompatible with the purposes for which it was originally collected, i.e. beyond the reasonable expectations of the individual.
University privacy notices. Generic: Staff www.admin.ox.ac.uk/councilsec/compliance/dataprotection/staffinfo; Student www.ox.ac.uk/students/life/it/studentrecord/data; Alumni www.alumni.ox.ac.uk/data_protection. Ad-hoc purposes, e.g. research, libraries, online shop.
Can I share? Checklist (1) What is the objective? What is the sharing meant to achieve? Does that objective require personal data or could it be achieved with anonymised data?
Can I share? Checklist (2) Does the privacy notice give me authority to share? For internal sharing, consider purpose only. For external sharing, consider disclosure provisions, as well as purpose.
Can I share? Checklist (3) If not authorised by a privacy notice, is the sharing something the individual would expect me to do? Would it have an adverse effect on the individual? If outside reasonable expectations, seek the individual's consent. Disclosure to a 3rd party will usually require consent, unless specifically authorised in the privacy notice.
Exemptions. Exemptions allow sharing when not authorised in a privacy notice or no consent is sought: to prevent or detect crime; to assess or collect tax; to meet a legal requirement; for the purpose of legal proceedings.
How can I share? Once you have established that data can be shared, certain principles are relevant to how data is shared. Principles 3 & 4: quality of data. Principle 7: security & integrity. Principle 8: transfers outside the EEA.
Principles 3 & 4: quality of data. Shared data must be: adequate, relevant and not excessive; accurate and (where necessary) up-to-date.
Principle 7: security & integrity (1) Appropriate measures against: misuse; loss; destruction; damage. In transit and at destination.
Principle 7: security & integrity (2) Ensure reliability of employees who have access to data. Where subcontracting: sufficient guarantees; written agreement with specific provisions; ensure compliance.
Principle 8: transfers outside EEA. Prohibited unless to a country providing adequate protections. Approved countries list very short; does not include USA. Exemptions: consent & appropriate contracts. Don't rely on US-EU Safe Harbor.
How can I share? Checklist: Specific agreement required? Due diligence on the recipient. Quality of data shared. Transfer outside the EEA?
Further information Email Data.protection@admin.ox.ac.uk
QUESTIONS?