SOAS Protocol For Sharing Information About Individuals
This information sharing protocol is to be used when considering sharing information about individuals (personal data) with external organisations. Its purpose is to ensure that personal data is only shared when absolutely necessary and in accordance with the Data Protection Act (DPA) and other relevant legislation.
SOAS may be legally required to share personal data on a regular basis, eg staff and student data shared with the Higher Education Statistics Agency (HESA), or international staff and student data shared with UK Visas and Immigration (UKVI).
Where individuals have given their consent, SOAS will share personal data, eg providing references to future employers, or student performance data to sponsors.
Occasionally, SOAS might receive one-off requests for personal data for the purposes of investigating a crime, eg from local authorities, the police or other law enforcement agencies.
In exceptional circumstances, SOAS may consider it necessary to share personal data with external bodies if it considers that any individual is at risk of serious harm.
Issues To Consider Before Sharing Information:
Is The Sharing Justified?
- Is there a legal obligation to share personal data?
- Assess potential benefits and risks to individuals and/or society of sharing or not sharing.
- Are there concerns that an individual is at risk of serious harm?
- If a crime has taken place, the police should be consulted before any information is shared so that evidence is protected and the risk to the vulnerable person minimised.
- Sections 28 and 29 of the DPA allow an organisation that holds personal data to disclose it if disclosure is both necessary and proportionate in the interests of national security (s.28) or of the detection, investigation or prevention of crime (s.29). SOAS must ensure that the risk of harm if the information is not disclosed justifies the breach of privacy that will be caused by disclosing it.
Other legal considerations:
- Common law duty of confidence (where a person shares information with another in circumstances where it is reasonable to expect that the information will be kept confidential, for example in a counselling session with Student Advice and Wellbeing).
The duty is not absolute. Disclosure can be justified if there is an overriding public interest in disclosure.
- Human Rights Act (Article 8 right to respect for private life)
This is not an absolute right. Disclosure can be justified if necessary to prevent crime or protect the health and welfare of an individual.
Sharing The Information
What information needs to be shared?
- Only share what is necessary and to those who need to know.
- Distinguish fact from opinion.
How should the information be shared?
- Information must be shared securely.
- Ensure information is given to the right person and they understand the confidentiality attached.
- For systematic (routine) data sharing, create an information sharing agreement with the third party. A template agreement is available from the Information Compliance Manager.
Informed and explicit consent?
- Where possible and appropriate, fully informed and explicit written consent should be obtained from the individual concerned. They should understand who will see their information, the purpose to which it will be put and any other implications of sharing.
Record decisions and reasoning relating to the consideration of sharing personal data – whether or not the information is actually shared.
- What was shared and for what purpose
- Who it was shared with
- When it was shared
- Justification for sharing
- Whether shared with or without consent
- Who authorised the sharing
If you need further advice, please consult with the Information Compliance Manager (firstname.lastname@example.org) before disclosing any personal data to an external party.