Contents

Summary

Data sharing usually means disclosing personal data to third parties outside the Department. It can also cover the sharing of personal data between different parts of DfE, such as arm’s length bodies and other ministerial departments.

Categories

The categories applicable to this standard are:

Information and Data Management
  • Data Governance
  • Data Lifecycle
  • Data Protection

Purpose

Internal data sharing across DfE will not usually require approval from the Data Sharing Team. External and cross department data sharing needs to follow DfE’s data sharing guidelines and will require formal approval.

How to meet this standard

Internal data sharing across DfE will not usually require approval from the Data Sharing Team.

What internal data sharing must do

  1. Have prior approval from the Data Owner.
  2. Follow the data handling and data access and control rules applicable to that data set.

External and cross-department data sharing needs to follow DfE's data sharing guidelines and will require formal approval.

What all DfE staff, including consultants, contractors, and third-party suppliers must do

  1. Determine how the data is going to be shared (direct transfer to the external organisation or making it available through the ONS SRS).
  2. Ensure a Data Protection Impact Assessment (DPIA) is completed and assessed by the Information Management and Data Protection Team if it is high-risk processing. See the DPIA portal for more information.
  3. Present a case to the Data Sharing Approval Panel (DSAP) for:
    1. Any data share from DfE or its executive agencies to any third party, non-ministerial Department or Non-Departmental Public Bodies.
    2. Any data share from Non-Ministerial Departments or Non-Departmental Public Bodies to any third party, where DfE is a joint controller.
    3. Digital services (including portals and APIs) providing access to pupil, learner, or workforce data to external organisations.
    4. Any requests for DfE data governed by Office for National Statistics Research Accreditation Service (ONS RAS) under the Digital Economy Act (DEA).
    5. Personal data that is being shared at an individual or record level.
    6. Unsuppressed data that is aggregated so it contains a significant risk of re-identification.
    7. Any data identified as UK GDPR special category of data (DfE Intranet).

Declaring conformance with this standard

Conformance with the standard must be recorded every 12 months.

Owner and contacts

Standard owner
Saheel Sankriwala
Chief Technology and Data Officer
Other point of contact
DDT Standards
Team