The University is the Data Controller for the personal information we collect and use (this is known as data processing). We process personal data for a variety of reasons in order to fulfil or academic, research, employer, administrative and charitable functions.

We process personal data in compliance with the data protection principles established under the General Data Protection Regulation (GDPR), that is

Personal data should be:

• processed lawfully, fairly and in a transparent manner
• collected for specified, explicit and legitimate purposes
• adequate, relevant and limited to what is necessary
• accurate and where necessary kept up to date
• kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which those data are processed
• processed in a manner that ensures appropriate security of the personal data

Accountability is central to data protection and as a Data Controller the University is responsible for compliance with these principles and must be able to demonstrate this to both you and the regulator, the Information Commissioner's Office (ICO).  We are registered with the ICO as a Data Controller and our registration number is: Z6833827

You can find out more about how we use personal information and how you can exercise your rights below.

Data Sharing

Data protection legislation allows for the sharing of personal data where it is fair and proportionate to do so.

You may be asked to share personal data both internally and external of the University.  Data protection legislation and University policies and procedures provide a framework to faciliate this.

When sharing data we must be able to demonstrate that the sharing complies with the data protection principles.  Some questions to consider before sharing any personal information are:

• Why do we need to share this information?
• Is the sharing necessary or is there another way we could meet our objectives?
• Would the individual(s) expect their information to be shared in such a way?
• Have we told data subjects that we might share their information?
• Is the sharing compatible with the original use of the information?
• How can the information be shared in such a way that maintains the integrity of the data?

Completing a data protection impact assessment will demonstrate how these questions have been considered and document your reasoning.

Internal data sharing

In most circumstances internal data sharing can be facilitated however you must still demonstrate and document how the sharing complies with data protection requirements.

If you require data from the student information system, QSIS, you will be asked to complete a QSIS governance DPIA to set out your rationale for sharing.

If the sharing isn't covered in a privacy notice please contact Information Compliance Unit - info.compliance@qub.ac.uk for advise as to how best to communicate the data sharing. 

External data sharing

If an other organisation requests that you share personal data, in addition to the questions detailed above you will need to consider the following:

• Will the data be transferred outside of the UK/EEA?
• Is the third party acting on behalf of the University i.e. are they a data processor?
• Is the third party acting on their own behalf i.e. are they a data controller?

Where you are sharing personal data with a third party acting on behalf of the University it is essential that you put in place a written agreement and it is good practice in all other cases.  These agreements will help the University ensure that adequate protection is given to meet our data protection obligations and individuals' rights.  

The specific contract requirements necessary depend on the circumstances and further advice can be sought by contacting the Information Compliance Unit, info.compliance@qub.ac.uk