Personal data sharing within the University

The first principle of the General Data Protection Regulation (GDPR) states that data must be processed lawfully, fairly and in a transparent manner.

Staff should ensure at all times that data is not shared inappropriately within the University. Disclosure of personal data should only occur when necessary and with good reason. If this is not the case or it is unclear, contact the Information Governance Office who will help to confirm whether disclosure is necessary.

Often when requests for personal data about an individual are made internally from one part of the University to another, staff are told that the information cannot be disclosed because of data protection. This is not true.

If you need the information to do your job, generally you will have a right to see it. We tell staff and students that their personal data is only disclosed within the University to members of staff who need to view it in order to carry out their duties or to others connected with the University for University related activities or events.

The University is a single data controller so we are not technically disclosing data unless it goes outside the University. This is not always the case with special category data such as medical information, where it is important that the data is only available to a limited and predetermined group of staff.

While it is not good practice to pass data around in ways which could lead to inadvertent disclosure, targeted disclosure made on a need to know basis is usually perfectly legal under the GDPR.