Sharing of Personal Data Policy
This schedule sets out the terms and conditions under which personal data held by one party to this Consortium Agreement, may be shared by and with another party, whether for processing or other legitimate reasons. Its purpose is to ensure compliance with the Data Protection Act (1998).
It is confirmed that the parties herein are registered as data controllers with the Information Commissioner’s Office (ICO), as listed below.
The University of East Anglia, Norwich Research Park, Norwich NR4 7TJ,
ICO Number Z8964916
Goldsmiths’ College, New Cross, London SE14 6NW (otherwise known as Goldsmiths, University of London),
ICO Number Z6080639
The Courtauld Institute of Art, Somerset House, Strand, London WC2R 0RN,
ICO Number Z6896909
The Open University, Milton Keynes MK7 6AA,
ICO Number Z5521375
The University of Essex, Wivenhoe Park, Colchester CO4 3SQ,
ICO Number Z699129X
The University of Kent, Kent CT2 7NZ,
ICO Number Z6847902
The University of Sussex, Falmer, Brighton BN1 9RH,
ICO Number Z6428144
All of the personal data processing covered by this Schedule relates to processing by these parties and by any others who may join the CHASE Consortium by entering into the terms of this Agreement. For the avoidance of doubt, the Consortium itself, not being a legal person, is not a data controller.
In this Schedule, the terms 'data controller', 'personal data', 'sensitive personal data', and any reference to Data Protection Principles, have meanings as defined in the Data Protection Act (1998).
The term 'fair processing notice' means the notice delivered by each institution to CHASE students concerning personal data processing by that institution (which will normally be the same, or similar to, the legal notice delivered to other research students).
'MPhil student' means a student registered on a course of study at MPhil level, which is usually the first year registration for a higher level PhD.
'PhD student' means a student registered on a course of study at PhD level or a student transferred to PhD level study following successful completion (upgrade) of their MPhil level of study.
1.1. The general purposes of the processing to which this Schedule relates are:
a. To facilitate the administration of joint programmes which relate to the CHASE parties;
b. To help MPhil/PhD students registered within the CHASE group to transfer between institutions during the period of their degree and to obtain the award of a MPhil/PhD, which includes the transfer of such personal data as may be necessary for external examination;
c. To ensure that students have a good student learning experience and appropriate support by the parties and their institutions.
d. To facilitate any joint activities of the consortium which support the charitable objectives of the institutions as defined by their respective Charters.
2. General principles of personal data sharing as data controllers in common
2.1. The parties will be data controllers in common of personal information they share with each other. This means that they will collaborate on the collection of personal data (so that data subjects will not need to provide data twice) but will each be separately responsible for its processing, and for informing data subjects directly of the processing purposes in respect of all personal data which they hold (whether received from the partner institution or from any other source).
2.2. The party which initially registers the student shall include that student on their HESA return unless full transfer to another party has occurred prior to the relevant cut-off date for HESA in any one year, and shall be responsible for delivering the HESA Student Data Collection Notice text for the relevant year to the student on behalf of HESA.
2.3. No personal data will be shared between CHASE partners unless data subjects have been informed in advance and the sharing can be justified under the Data Protection Act (1998), by consent or some other means.
2.4. Sharing of personal data under this Schedule, and the purposes of the sharing, should be limited to those set out in Annex A of this Schedule. Any other sharing will be by separate arrangement, in compliance with the requirements of the Data Protection Act (1998), and if likely to be a regular personal data transfer for CHASE business will be incorporated into Annex A at the earliest opportunity.
2.5. Each party will retain personal data for the periods specified in their own retention schedule, and be separately responsible for demonstrating to data subjects as required, that these retention periods are compliant with the Data Protection Principles.
3.1. The parties, as data controllers, agree to apply appropriate security measures, commensurate with the requirements of Data Protection Principle 7, which states that: “appropriate technical and organisation measures shall be taken against unauthorised or unlawful use of personal data and against accidental loss or destruction of, or damage to, personal data”.
3.2. The parties agree to hold and transmit personal data according to the Security standards in Schedule 7.
4. Relationship between the Parties
4.1. Each party shall give reasonable assistance as is necessary to the others in order to enable that party to meet its obligations under the Data Protection Act (1998).
4.2. Each party will be separately responsible for answering external requests for personal data which it receives in relation to Consortium activities. However, when receiving any such request a party will inform the Data Protection Officers of the other parties.
4.3. The CHASE Management Board may request periodic checks to be conducted by one or more of the party’s DPA Officers to confirm compliance with the Data Protection Act (1998).
Annex A to Schedule 5
Types of personal data to be shared
Student Personal Data
The following information will be shared, for the following purposes:
- Contact details of students (updated as new information received by the institution), for the purpose of running the DTP project.
- Students’ application forms and other application details (including research proposal and references), for the purpose of studentship selection, registering the students on a MPhil/PhD, other necessary administration tasks of the Consortium, and any other purposes specified by the institutions covered in this agreement directly to the student via the institutions' fair processing notices.
- Equal opportunities monitoring data, for statutory monitoring purposes, and any purposes necessary to meet the requirements of an institution's internal equality and diversity policies.
- Information about any disability, sufficient to enable reasonable adjustments to be made by each institution to support students with disabilities (in addition to equal opportunities monitoring as above).
- Assessment data (i.e. any information held by all parties concerning the performance of a student on their programme of study). This may include sensitive personal data in the form of records of mitigating circumstances for late submission of work or performance issues, and/or student work. Assessment data will be used primarily for the purposes of student progression but also (mainly in anonymised form) to support the joint and/or separate quality management processes of the institutions.
- Any other information needed to support the work of any jointly-constituted review panel for the quality assurance or re-validation of any programme covered by this agreement. This may include allowing access to the information by any external member of such a panel. Any personal data for this purpose will as far as possible be in anonymised form, but may include small datasets which could allow individuals to be identified.
In addition to the above purposes, shared information may be used for any other purposes specified by the institutions covered in this agreement directly to the student via their respective fair processing notices (which will normally be the same as, or similar to, their fair processing notices issued to research students generally).
Staff Personal Data
The parties may hold information about each other’s staff – e.g. contact details not in the public domain, or information to permit reasonable adjustments for disability relevant to the activities of the partnership. Such information may be shared by staff themselves with the partner institutions (or provided to their own institution explicitly for the purpose of being passed on to the partner organisations).
Staff personal data, when held within the context of the partnership other than by their employing institution, will be used solely for the activities of the partnership unless the consent of the individuals concerned has been obtained for its use for another purpose.