SOAS Protocol For Sharing Information About Individuals
This information sharing protocol is to be used when considering sharing information about individuals (personal data) with external organisations and persons. Its purpose is to ensure that personal data is only shared when necessary and in accordance with data protection law, namely the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA), together with other relevant legislation.
SOAS has a statutory duty to share personal data on a regular basis with some third parties. For example, we share staff and student data with the Higher Education Statistics Agency (HESA) every year, and we share international staff and student data with UK Visas and Immigration (UKVI).
Where individuals have given their consent, SOAS will share personal data, e.g. providing references to future employers, or student performance data to sponsors.
Occasionally, SOAS might receive one-off requests for personal data for the purposes of investigating a crime, e.g. from local authorities, the police or other law enforcement agencies.
In exceptional circumstances, SOAS may consider it necessary to share personal data with external bodies without the consent of the individual if it considers that any individual is at risk of serious harm. This will only occur if the individual is physically or legally incapable of giving consent (e.g. they may be critically ill or injured), or if obtaining consent is impossible or would prejudice the provision of medical treatment or social protection to an individual.
Issues to consider before sharing information
1. IS THE SHARING JUSTIFIED?
- Is there a legal obligation to share personal data?
- Assess potential benefits and risks to individuals and/or society of sharing or not sharing.
- Are there concerns that an individual is at risk of serious harm?
- If a crime has taken place, the police should be consulted before any information is shared so that evidence is protected and the risk to the vulnerable person minimised.
- The DPA allows an organisation that holds personal data to disclose it if disclosure is both necessary and proportionate in the interests of national security (Part 2, Chapter 3, the ‘applied GDPR’) or for the prevention, detection or investigation of crime (Schedule 2, Part 1, paragraph 2). Neither exemption is automatic: SOAS must be satisfied, and should record, that the risk of harm if the information is not disclosed justifies the interference with privacy that disclosure will cause.
- Other legal considerations:
- Common law duty of confidence. This arises where a person shares information with another in circumstances where it is reasonable to expect that the information will be kept confidential, for example in a counselling session with Student Advice and Wellbeing.
The duty is not absolute. Disclosure can be justified if there is an overriding public interest in disclosure.
- Human Rights Act 1998 (Article 8, the right to respect for private and family life).
This is not an absolute right. Disclosure can be justified if it is necessary and proportionate to prevent crime or to protect the health and welfare of an individual.
If none of the grounds above applies, disclosure of the personal data is only permitted with the explicit consent of the individual.
2. SHARING THE INFORMATION
What information needs to be shared?
- Only share what is necessary and to those who need to know.
- Distinguish fact from opinion.
How should the information be shared?
- Information must be shared securely.
- Ensure information is given to the right person and that they understand the confidentiality attached to it.
- For systematic (routine) data sharing, create an information sharing agreement with the third party. A template agreement is available from the Information Compliance Manager.
Informed and explicit consent?
- Where possible and appropriate, fully informed and explicit written consent should be obtained from the individual concerned. They should understand who will see their information, the purpose to which it will be put and any other implications of sharing.
3. SHARING INFORMATION OVERSEAS (outside the European Economic Area)
Sharing personal data with a recipient outside the EEA is a transfer to a ‘third country’ under Chapter V of the GDPR; the Information Commissioner’s Office (ICO) refers to this as a ‘restricted transfer’.
Some countries are exempt from the restriction because they have an ‘Adequacy Decision’ from the European Commission, which means the Commission has found that their data protection laws offer a high level of protection to individuals. At the time of writing the following have an Adequacy Decision:
Andorra, Argentina, Canada (commercial organisations only), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay, and the USA (limited to recipients certified under the Privacy Shield framework).
Adequacy Decisions can be added, restricted or withdrawn, so check the European Commission’s current list before relying on one.
If the country you are sharing information with is not on this list, and you want to share information regularly, you will need to identify a legal safeguard. The safeguards you might use are:
- A legally binding and enforceable instrument between public bodies, or, if one or both bodies cannot enter into a binding agreement, an administrative arrangement such as a Memorandum of Understanding (MoU). The MoU or contract must include effective and enforceable rights and remedies for the individuals whose information is being shared. If the arrangement is not legally binding on both parties, the ICO must approve it before it can be relied upon.
- Standard Contractual Clauses published by the European Commission can be added to an agreement with an overseas body with whom personal information is shared. There are different sets of clauses for different relationships. The clauses must be adopted in full; they cannot be reduced, amended or added to.
If you still need to share information with a recipient in a country without an Adequacy Decision, but the safeguards listed above are not appropriate, you might be able to share the information under one of the ‘exceptions’ (derogations) listed in Article 49 of the GDPR. These are only to be used as true exceptions from the general rule, and should never be used for regular or routine data sharing.
- Explicit consent from the individual, given after they have been informed of the possible risks of the transfer in the absence of an Adequacy Decision or appropriate safeguards
- Sharing is necessary for performance of a contract with the individual, or to take steps to enter into a contract with them
- Where sharing is in the substantial public interest. This would typically involve sharing information in the spirit of reciprocity for international co-operation, including in accordance with an international agreement or convention
- Where SOAS needs to establish whether it has a legal claim, or to uphold or defend a legal claim
- The sharing is necessary to protect the vital interests of the individual or a third party, where they are not capable of giving consent
- Where SOAS has compelling legitimate interests to share the information. This exception applies only to a one-off transfer concerning a limited number of individuals. A legitimate interests assessment must be completed, and you must inform the individual(s) and the ICO of your intention to share the information.
4. RECORDING DECISIONS
Record your decisions and reasoning relating to the consideration of sharing personal data – whether or not the information is actually shared.
- What was shared and for what purpose
- Who it was shared with
- When it was shared
- Justification for sharing (the lawful basis, and the safeguard or exception for overseas transfers)
- Whether shared with or without consent
- Who authorised the sharing
If you need further advice, please consult with the Information Compliance Manager (email@example.com) before disclosing any personal data to an external party.
Page last updated: February 2020