Why does the Data Protection Act affect my arrangements for passing information to other organisations?

The Data Protection Act 1998 is concerned with "personal data". The precise definition of "personal data" is complex; for day-to-day purposes it is best to assume that all information about a living, identifiable individual is personal data. The Act gives individuals rights regarding the "personal data" the University holds about them and gives the University responsibilities regarding its use of that data. These responsibilities are codified as eight data protection principles, which form the core of the Act. Any transfer of personal data from the University to another organisation must comply with these principles, and a contract is the best way to ensure that it does.

Why does it matter where the other organisation will hold the information?

Under the Data Protection Act, there are different legal requirements for contracts depending on which country the data will be held in. The most important distinction is whether the information will be held within the EEA, in a country on the European Commission's approved list, or in another country. The eighth data protection principle states that personal data must not be transferred to countries outside the European Economic Area (EEA) unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data, or unless an exemption applies. Exemptions will most likely occur when information is transferred to another data controller.
If you do need to transfer data outside the EEA and the transfer does not qualify for an exemption, it may still be possible to do so, provided you ensure a contract is in place that protects the University and the rights of the data subjects involved. Once you have followed the steps below to ascertain which of the scenarios best describes your transfer, you can access more detailed guidance on constructing contracts at the relevant link.

What steps should I take when setting up a relationship with an outside organisation that will involve the transfer of information about living, identifiable individuals?

You should take the following steps:
What clauses should I use?

The following flowchart will help you to decide this. There are four different scenarios that might arise.
What do I need to do next?

Once you have decided which set of clauses is most appropriate for your circumstances, you can find the clauses and detailed guidance on what you need to do when using them at the following links. If possible, avoid establishing a relationship where the University is the data controller and the other organisation is the data processor. This is because the University is ultimately responsible for any breach of the data protection principles by the data processor. If you cannot avoid this, you must build safeguards into the contract to limit the University's exposure to risk.
What help is available?

The University Records Management Section provides advice, guidance and training on data protection, records management and freedom of information issues. If you require assistance with this issue, contact us at recordsmanagement@ed.ac.uk.

What is "personal data"?

The definition of personal data, and the extent to which the data protection principles apply to it, is very technical. When setting up a relationship with an outside organisation that involves the transfer of information about living, identifiable individuals, you should check this definition to assess whether or not the transfer will involve personal data.

What is a data controller?

What is a data processor?

Which countries are in the EEA and on the approved list?