Data sharing agreement
between Kent Police and the University of Kent
This agreement is to help ensure the sharing of personal data between Kent Police and the University is fair and lawful. Personal data means data which relates to a living individual who can be identified directly or indirectly from the information. The majority of data sharing is likely to be under purpose 1 below, however, there are other legitimate purposes that may be applicable.
Personal data can be non-sensitive (such as name and address) or sensitive. The Data Protection Act (DPA) states what is considered to be sensitive data, this includes:
- the racial or ethnic origin of the data subject or
- their physical or mental health or condition or
- the commission or alleged commission by him of any offence
- other categories less likely to be shared with Kent Police
ICO advice: The presumption is that, because information about these matters could be used in a discriminatory way, and is likely to be of a private nature, it needs to be treated with greater care than other personal data. The nature of the data is also a factor in deciding what security is appropriate.
Written consent from the individual should be obtained whenever and wherever possible. Consent is one of the conditions in the DPA that enables the sharing of personal data. The consent should be in writing and the use of the information should still comply with the Data Protection principles, such as keeping the information secure. If consent is not obtainable or appropriate then the following purposes provide legitimate grounds for sharing personal data without consent or further consent.
Purpose1: Prevention and detection of crime
Sharing information for the purpose of preventing or detecting crime (section 29 of the Data Protection Act).
Kent Police use a section 28/29 form to request information; it includes the following details:
- The information required
- The offence being investigated
- The reason the information is necessary
- Sign off by the authorising officer to be at least Inspector rank
Purpose 2: Safety and well-being
When considering safety and well-being, purposes 3, 4 or 5 are likely to apply. This may also be in conjuction with section 35(1) of the Data Protection Act that states: Personal data are exempt from the non-disclosure provisions where the disclosure is required by or under any enactment, by any rule of law or by the order of a court.
Relevant enactments include:
- The Children Act 2004 section 11(2): Each person and body to whom this section applies (the University) must make arrangements for ensuring that— (a)their functions are discharged having regard to the need to safeguard and promote the welfare of children.
- The Counter-Terrorism and Security Act 2015 section 26(I): A specified authority (the University) must, in the exercise of its functions, have due regard to the need to prevent people from being drawn into terrorism.
In the case of serious threats to national security, Kent Police may use a section 28/29 form to request information.
Purpose 3: Protecting vital interests
Sharing information to protect the individual’s “vital interests” (schedule 3 section 3 of the Data Protection Act).
ICO advice: This condition only applies in cases of life or death, such as where an individual’s medical history is disclosed to a hospital’s A&E department treating them after a serious road accident.
This purpose could include missing persons or serious concerns regarding the safety of an individual due to their mental health.
Purpose 4: Meeting a legitimate public interest
This only applies to non-sensitive personal data such as name and address.
The Data Protection Act recognises that there may be legitimate reasons for processing (in this case, sharing) personal data that the other conditions for processing do not specifically deal with. The “legitimate interests” condition is intended to permit such processing, provided you meet certain requirements.
- There must be a legitimate public interest in disclosure.
- The disclosure must be necessary to meet the public interest; and
- The disclosure must not cause unwarranted harm to the interests of the individual.
Purpose 5: Meeting a substantial public interest
Sharing sensitive personal data under the sole grounds of public interest requires one of the following conditions to exist and the reason for sharing must significantly be overwhelming when compared to the breach of an individual's privacy and the harm that it may cause.
- processing that is in the substantial public interest and is necessary for the prevention or detection of any unlawful act and must necessarily be carried out without the explicit consent of the data subject being sought so as not to prejudice those purposes
- processing that is in the substantial public interest and is necessary for the discharge of any function which is designed for protecting members of the public against; dishonesty, malpractice, or other seriously improper conduct and must necessarily be carried out without the explicit consent of the data subject being sought so as not to prejudice the discharge of that function
- processing is necessary for the exercise of any functions conferred on a constable by any rule of law.
Good practice for data sharing
- The right authority: The request should be in writing, signed by someone of sufficient authority. For Kent Police the authorising officer to be at least Inspector rank. For the University this would be a senior manager in Campus Security.
- Meets the purpose: Ensure the information provided meets one of the purposes stated in this guidance.
- Not excessive: Do not share more than what is required.
- Write it down: Record each decision to disclose or withhold information.
- Share and keep securely: Every effort should be made to disclose the information solely to the correct individual in a manner that is as secure as possible.
Complying with non-academic misconduct regulations
Students consent to the following as part of their enrolment: I have also read and accept my responsibilities in Getting Started at Kent, and I promise to observe the statutes, ordinances and regulations of the University, and to pay due respect and obedience to the Chancellor and other officers of the University.
The University Regulations entitled 'student discipline in relation to non-academic matters' state: Following completion of Police enquiries and action any disciplinary action under these Regulations will take into account the penalty, if any, imposed by the Courts or by the Police.
To comply with this regulation, Campus Security may need to ask Kent Police for updates on the status of investigations that involve Kent students.
In addition, Kent Police may disclose information relating to arrest, bail conditions or charge if it is necessary and proportionate to do so for the purpose of safeguarding or crime prevention depending on the individual circumstances of each case.
Human Rights Act (HRA)
Article 8 of the Convention, which gives everyone the right to respect for his private and family life, his home and his correspondence, is especially relevant to sharing personal data. Article 8 is not an absolute right – public authorities are permitted to interfere with it if it is lawful and proportionate to do so. If you disclose or share personal data only in ways that comply with the DPA, the sharing or disclosure of that information is also likely to comply with the HRA.
If you have any questions please contact the University's Information Compliance Officer via the Data Protection contact form.
- Information Commissioner - Conditions for processing
- Information Commissioner - Data sharing
- College of Policing - Information management - Sharing police information
- University of Kent - Data Protection Code of Practice
Alan Martin, Information Compliance Officer
04 Jan 2016
Signed by Denise Everitt, Deputy Vice-Chancellor
03 May 2016
Signed by Simon Thompson, Superintendent
23 May 2016