Qsis Data Sharing
Queen’s University routinely shares Qsis data about applicants, students, staff, alumni, and others for various legitimate purposes. Data may be shared internally across departments or with external third-party organisations. The rules for sharing depend on whether the recipient is acting as a Data Controller or Data Processor.
Internal Data Sharing (within Queen’s)
The University is the Data Controller for all data held in Qsis. Qsis Governance safeguards this data in line with the UK GDPR and the Data Protection Act 2018.
Internal sharing is generally permissible if:
- It is reasonable and expected for operational purposes
- It adheres to data protection principles: lawfulness, fairness, transparency, accuracy, data minimisation, and storage limitation
Inappropriate sharing may breach data protection laws. Qsis Governance record routine internal sharing in a Data Sharing Record. If there is a change in how Qsis data is collected, processed, or used, a Qsis Data Protection Impact Assessment (DPIA) must be completed.
External Data Sharing (Third Parties)
Sharing personal Qsis data with third-party organisations is governed by specific rules under UK GDPR. These rules do not apply to fully anonymised data. Before sharing, consider:
- Is the sharing necessary and proportionate?
- Do you have legal authority to share?
- Can anonymised data be used instead?
- What, how, and with whom will the data be shared?
- How are individuals informed?
- What risks are involved?
Types of External Data sharing:
External Data sharing falls into three broad categories
- Controller to Processor data sharing
- Controller to Controller data sharing for joint purposes
- Controller to Controller data sharing for the third-party's purposes
For more information and links to the relevant templates to use when sharing data, please see the Qsis Governance Intranet site.
Back to Homepage
Qsis Governance