Data Sharing

Note: if you have received a one-off request for personal data from a third party, for example a local council (regarding council tax eligibility); the Police; from a solicitor, then please see here

Where we systematically intend to share Personal Data with any third party (i.e. outside the University), we need to consider what the relationship is with respect to that transfer and ensure that we have the appropriate safeguards in place. The GDPR requires us to have certain contractual arrangements in place for certain type of transfer.

  1. You should consider doing a Data Protection Impact Assessment at the earliest opportunity to cover any scenario where you are transferring any significant amount of personal data, and/or sensitive personal data to a third party (supplier, consultant, collaborator, partner etc). The DPIA will assist in designing the arrangement such that it ensures GDPR compliance and minimises risk.
  2. Determine what role both Keele and the third party is undertaking with regard to the transfer. All the parties involved will either be a Data Controller or a Data Processor
  3. Once you have determined the respective roles above this will then determine whether the relationship between the parties is a Controller to Controller; a Controller to Processor; or (more rarely) Joint Controllers. This is important as it is legal requirement for 'Controller to Processor' arrangements to be covered by a specific set of contractual terms. It may also be advisable to put in place certain contractual terms for Controller-to-controller relationships.
  4. If the data sharing is related to research activity then you should liaise with the RaISE support team to put in place the necessary contractual arrangements.
  5. If the data sharing is not related to research but will go through a procurement route (i.e. will require a Purchase Order and/or a new supplier to be set-up), then in the first instance, please contact Procurement or the Data Protection Officer for assistance.


Note - where the sharing of data also includes transfers of data outside the EEA - then additonal safeguards need to be in place for all arrangements - please contact the DPO for advice.


Contracts Background

When is a contract needed?

Whenever a controller uses a processor (a third party who processes personal data on behalf of the controller) it needs to have a written contract in place. Similarly, if a processor employs another processor it needs to have a written contract in place.

Why are contracts between controllers and processors important?

Contracts between controllers and processors ensure that they both understand their obligations, responsibilities and liabilities. They help them to comply with the GDPR, and help controllers to demonstrate their compliance with the GDPR. The use of contracts by controllers and processors may also increase data subjects’ confidence in the handling of their personal data.

What needs to be included in the contract?

Contracts must set out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subject, and the obligations and rights of the controller.

Contracts must also include as a minimum the following terms, requiring the processor to:

  • only act on the written instructions of the controller;
  • ensure that people processing the data are subject to a duty of confidence;
  • take appropriate measures to ensure the security of processing;
  • only engage sub-processors with the prior consent of the controller and under a written contract;
  • assist the controller in providing subject access and allowing data subjects to exercise their rights under the GDPR;
  • assist the controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments;
  • delete or return all personal data to the controller as requested at the end of the contract; and
  • submit to audits and inspections, provide the controller with whatever information it needs to ensure that they are both meeting their Article 28 obligations, and tell the controller immediately if it is asked to do something infringing the GDPR or other data protection law of the EU or a member state.