Data Sharing in Collaborative Doctoral
Training Programmes
Author: Laura Ottery
Date issued: 23/07/2015
Instructions

This document is intended to be of use to all RCUK funded doctoral training entities involving two
or more GW4 universities as partners.

It is recommended that you seek advice from the appropriate members of professional services at
the lead HEI, [Bristol/Exeter Doctoral College (BDC/EDC), University Graduate College (UGC) or
equivalent], when using this document

This document should be amended to incorporate the relevant structures and terminology of the
lead HEI where appropriate.

Delete cover page before use
Data Sharing in Collaborative Doctoral Training Programmes
Introduction:
In order to facilitate the delivery of collaborative Doctoral Training programmes, it will be necessary for
some student personal data, including sensitive data, to be shared with partner universities and/or external
organisations, such as funding bodies or non-HEI organisations. This data may need to be shared in order
to:
 Reach decisions on applications as a collaboration
 Facilitate joint teaching or supervision by allowing access to resources at a particular university
 Reach progression and awarding decisions as a collaboration
 Provide information to external bodies, such as the Research Councils or the Higher Education
Statistics Agency (HESA)
 Updating partner universities on academic matters or personal information relating to the student
 More broadly, and reflecting the Research Council’s desire to improve access to facilities for PGR
students, to enable students to benefit from access to wider resources that from just their Home
University, e.g. advanced training, library resources, etc.
Each partner university is responsible for ensuring that they comply with the Data Protection Act 1998
including ensuring that the data which is shared is relevant to the registration requirements and shared and
stored securely.
This document outlines the agreed principles behind the sharing of student data between the four GW4
universities. Each partnership will need to have in place a Data Sharing Agreement (See EXAMPLE 1)
regarding the transfer and processing of student data. This agreement should be in place prior to the
transfer of any data. The agreement should cover:
 Why it is necessary to share the data
 What data is going to be shared
 Who the data is going to be shared with
 How the data will be stored (including required security measures – Physical/IT security and
security incident procedures) and for how long
 Procedures for dealing with access requests, queries and complaints
 Review/termination of the sharing agreement
 Sanctions for failing to comply with the agreement or breaches by individual staff
 Role and responsibilities (i.e. who is Data Controller/Data Processor/Joint Data Controllers etc)
This agreement should be made available for applicants and students to be able to view, preferably online.
Data sharing at the application stage
Applicants must be made aware that their data may be shared with a partner University, through the use of
a Privacy Notice (See EXAMPLE 2). This must take place before the data is shared, and it is the responsibility
of the University who hosts the application system to ensure that this has occurred. At this stage all
relevant data that has been collected as part of the application process can be shared with a partner
university. All data must be shared in a secure manner, this could be through:
 Access to a secure website where applications can be downloaded by a member of staff at a
partner university (e.g. SWWDTP application portal)
 Emailed using a file encryption service, such as 7-zip
Data sharing post registration:
Each student will have primary registration with one of the partners, with which (s)he will enrol as a
student (and will be included in the HESA return of that institution only). This is referred to as the “Home
University”. The student may then have a subsidiary enrolment or registration at the partner institution,
whereby they are referred to as a “visiting student”. It is preferable that students are not required to
undertake an additional registration process at the partner institution, and that the Home University
1
instead shares the data that has already been collected. Only data collected through the official
registration process should be shared at this point, as data from the application process is likely to be out of
date by this time.
Enrolling students must be made aware that their data will be shared with a partner University, through the
use of a Privacy Notice (See EXAMPLE 3). This must take place before the data is shared, and it is the
responsibility of the Home University to ensure that this has occurred.
Only the following data fields are to be shared following registration at the Home University:
 Name of the Home University
 Student ID at the Home University (e.g. Exeter example 650000000)
 Title, first name and surname
 Date of birth
 Gender
 Contact address (preferably their term time address), email address (preferably their Home
University email address) and telephone number
 Next of kin details
 Students start date
 Fee status (i.e. Home/EU, international)
 Funding duration (i.e. 1+3 programme or a +3 programme
 Name of the programme of study
 Details of the supervisory team, including supervisor names, the REF UOA they are allocated to and
the supervisory split of all members of the team
 Other data reasonably required by a partner University for purposes of facilitating the delivery of
the <<insert name of the DTP>>
No data other than the above will be permitted to be shared. Should the student choose to disclose further
information to a partner University during their studies, then the partner is permitted to continue to hold
this data.
All data must only be shared using a file encryption service (such as 7-zip). The Home University should
send this data to the Hub Administration team, who would then collate the data for all students within the
DTP, and then send the necessary data to the partner University, again using a file encryption service. If a
student is required to undertake any taught modules/programmes at a partner University, then the
information must be shared to ensure that the student has access to facilities before their teaching
commences. If the data sharing is for the purpose of joint supervision, then the data should ideally be
shared by the end of week two of the beginning of the academic year.
Students should then be informed by the partner University that they have been registered as a visiting
student, including information about what data has been shared, what facilities they will have access to and
what next steps they need to take (if any) to finalise the process (See EXAMPLE 4).
e.g. for the NERC GW4+DTP where students can be co-supervised by more than one university:
2
One Bath student
is co-supervised
by a Cardiff
academic. Bath
send the data for
this student to
the DTP Hub
Administration
team.
The Hub
Administration
team collates this
data with that
also sent by
Bristol, Cardiff
and Exeter.
The Hub
Administration
team sends the
student data for
the Bath student
(as well as any
other Cardiff cosupervised
student) to
Cardiff.
Cardiff register
the student as a
visiting student
and email the
student to notify
them of their
registration.
Data sharing during the period of study
During the programme of study it may be necessary for further data to be shared with partner universities,
non-HEI partner organisations, funding bodies or as part of statutory returns. This could be information
regarding:
 The work of students submitted for assessment
 Progress and assessment data (i.e. any information held by either party concerning the
performance of a student on their programme of study). This may include limited information only
(i.e. not normally including sensitive personal data) about whether reasons given for late
submission of work, or other types of mitigating circumstance related to assessment, were
accepted by the institution managing an assessment. Assessment data (as well as any student work
shared between the parties) will be primarily for the purposes of student progression but also
(mainly in anonymised form) to support the joint and /or separate quality management processes
of the institutions.
 Information concerning student attendance, where needed for decisions taken by the consortium
 Any other information needed to support the work of any jointly-constituted review panel for the
quality assurance or re-validation of any programme, or the completion of any returned to
government, regulatory or validating bodies.
 Information pertaining to disciplinary matters and grievances, or complaints raised by the student,
however only if it is strictly relevant to the partnership nature of the programme
 Fitness to study issues, or other procedures invoked in respect of a student, however only if it is
strictly relevant to the partnership nature of the programme
 Other data reasonably required by a partner University for purposes of facilitating the delivery of the
<<insert name of the DTP>>
Facilities access:
Students will be registered as a visiting student at partner universities and this should enable them to have
access to:
 A student registration card
 A student IT account (including email address and file space)
 Borrowing rights at the Library and access to the electronic Library
 Ability to print from on-campus printers
 Associate membership at the Guild of Students
 Researcher Development courses
 Student membership at the Sports Park
 Access to any online systems required to partake in taught elements (e.g. coursework submission,
timetables, virtual learning platforms
External data returns:
Only the home University will return the student in any external data returns, including the HESA Student
data return. Partner universities are responsible for ensuring that they do not return the details of any
3
visiting students in any external data returns. Should the teaching or award be provided by another
partner to the home University, then the home University must ensure that this is recognised within the
HESA Student return (e.g. COLLORG, PCOLAB, PARTNERUKPRN).
From the 2014/5 HESA Student data return is will be optional for universities to return data in the
COLPROV, UOA2014 and UOAPCNT for all instances where a student has a funded (or partially funded)
place as part of a Doctoral Training Partnership or Centre for Doctoral Training. HESA is currently
undertaking a review of these data fields and intends to roll out compulsory completion of this field from
the 2015/6 return onwards.
4
EXAMPLE 1 – Draft Data Sharing Agreement
Example provided where Exeter is the lead party. This document should be made available online for all
students to be able to view.
************************************
General interaction between the Parties
The University of Exeter and <<insert partner names here>> (henceforth referred to as “the Parties”) are
separate organisations and provide separate notifications to the Information Commission under the terms
of the Data Protection Act 1998. This statement sets out the conditions under which students’ personal
data may be shared between the Parties.
Upon application and entry to the <<insert programme name>> programme, personal details relating to
each student are shared by the University with the Parties to facilitate the delivery of the <<insert name of
the DTP>>. Students are informed of this transfer at the time of application and registration.
Sensitive personal data (e.g. racial or ethnic origin, religious beliefs, physical or mental health etc.) shall
only be shared with the explicit consent of students or where strictly necessary.
During the academic year, there may be additional circumstances which require the University to share
personal data with the Parties. This will only be done where the sharing is necessary to pursue the
legitimate interests of any of the Parties. Disclosure of personal data will always be in accordance with the
Data Protection Act 1998 and all Parties are fully aware of their obligations with respect to the Act.
For further information about this please contact dataprotection@exeter.ac.uk
Data Sharing Agreement
1. Introduction
The following agreement governs the provision of students’ personal information by the University of
Exeter to <<insert partner names here>> relating to the <<insert name of the DTP>>, and the purposes for
which that information may be used.
2. Classes of Information
The University of Exeter will provide the Parties with personal information about students studying on the
<<insert name of the DTP>>. This will include: Registration Number, Full Name, Date of Birth, Gender,
Contact Address, Next of Kin Details, Start and End Date, Fee Status, Funding Duration, Programme Name,
Details of Supervisory Team, taught programme details, and other data reasonably required by a partner
University for purposes of facilitating the delivery of the <<insert name of the DTP>>.
Additional sensitive information including ethnicity and disability data will only ever be shared with the
explicit consent of students and only for the purpose of ensuring and monitoring equal opportunities.
3. Information Provision
The transfer of Student information will be provided via a secure electronic transfer. Any additional transfer
made throughout the year will be carried out with full consideration to the security of the data transfer and
the Data Protection Act 1998.
4. Purposes for Which the Information May be Used
5
The information is transferred to the Parties to enable the administration of the <<insert programme
name>> programme for the <<insert DTP name>> to ensure that students have access to the necessary
facilities and resources for their programme of study.
5. Overriding Conditions for the Use of Personal Data
The Parties are subject to the Data Protection Act 1998 and shall ensure that they have a current
Notification with the Information Commissioner’s Office. The Parties will comply with the Data Protection
Act 1998 and ensure that adequate security is in place at all times to protect personal data and to prevent
unauthorised access.
6. Restrictions on the Use of Information
Where a third party is contracted to process personal data on behalf of a Party (e.g. data storage, provision
of web services) the Party is responsible for the processing and shall ensure that there is adequate
protection in place to protect against the unauthorised access and use of the data. These measures include
ensuring the third party is contractually obliged to comply with the Data Protection Act 1998 and
prohibited from using the data for any other purpose(s).
Personal data provided to the Party by the University shall not be transferred to any third parties, other
than those formally contracted with as data processers, without the explicit consent of the students, or
otherwise in accordance with the law.
7. Transfer of personal data from the Party to the University
In some circumstances personal data may be passed from the Party back to the University. In these cases
the Party is responsible for ensuring the fair processing of the data transfer, including informing students of
the transfer. The University will treat any data received in line with the Data Protection Act 1998.
8. Staff training and awareness
The Parties will ensure the reliability of its staff that may have access to the personal data and ensure that
they are adequately trained in the good handling of personal data. The Parties will also ensure their staff
are aware of the detail of this agreement.
For and on behalf of the University of Exeter
Signed by ………………………………………………………………
Print name…………………………………………………………….
Date………………………………………………………………………
For and on behalf of XYZ
Signed by ………………………………………………………………
Print name…………………………………………………………….
Date………………………………………………………………………
6
EXAMPLE 2 – Data Protection Notice for Applicants
If you are applying for a place on a collaborative programme of doctoral training provided by the University
of xxx and other universities, research organisations and/or partners please be aware that your personal
data will be used and disclosed for the purposes set out below.
Your personal data will always be processed in accordance with the Data Protection Act 1998. The
University of xxx (“University”) will remain a data controller for the personal data it holds, and other
universities, research organisations and/or partners (“HEIs”) may also become data controllers for the
relevant personal data they receive as a result of their participation in the collaborative programme of
doctoral training (“Programme”).
Application process
During the application process, the University may need to share some of your personal data with third
parties to be able to administer your application, carry out interviews and select candidates. These are not
limited to, but may include disclosures to:
 the selection panel and/or management board or equivalent of the relevant Programme, which is
likely to include staff from one or more other HEIs;
 administrative staff at one or more other HEIs participating in the relevant Programme.
Such disclosures will always be kept to the minimum amount of personal data required for the specific
purpose. Your sensitive personal data may need to be shared in certain circumstances, but only where
strictly necessary. By applying for a place you hereby consent to your data being processed and shared in
this way.
If you become a student on one of the Programmes
If your application is successful and you register on a Programme, the University may need to make further
disclosures of your personal data throughout your time on the programme to ensure the effective
management of your studies and comply with its obligations to funders. These disclosures may include, but
are not limited to disclosures:
 within the group of HEIs to the Programme;
 to other collaborative parties to the relevant Programme, e.g. industrial sponsors and/or
collaborators, supervisors from other HEIs, Research Councils (as funders of the Programme);
 to external examiners.
Other disclosures may be made where it is necessary for the administration of your studies.
Accessing your personal data
If you wish to have access to any of your personal data as held by the University, please contact: [email
address]. There may be a fee of £10 associated with such requests.
Contact
If you have any queries or concerns about the use of your personal data during the application process or
your time as a student, please contact: [email address]
7
EXAMPLE 3 – Data Protection Notice at Registration Stage
How we use your information (DATA PROTECTION NOTICE)1
The University of Exeter is a data controller and is registered with the Information Commissioner’s Office as
required under the Data Protection Act 1998. The University will only process your personal data in
accordance with the University’s notification and current Data protection legislation. Here are some of the
ways we will use your personal data, this is not exhaustive, but is intended to provide you with an idea of
the things that we may need to do throughout your programme of study.
Non-Obvious Disclosures
 Where students are studying abroad, involved in exchange programme, joint/double degrees or
Doctoral Training Partnerships, we will release personal data to these institutions or related
organisations as required to facilitate your studies.
(continues to list other non-obvious disclosures, use of text messaging and sensitive personal data)
Further information may be obtained from the Records Manager (data protection@exeter.ac.uk) or at
http://www.exeter.ac.uk/dataprotection
In order to proceed with the online registration process the student must click “I agree” to the full
statement.
1
Please note: this screen is shown to all registering students at the University of Exeter as part of the online
registration process
8
EXAMPLE 4 – Data Protection Notice following Visiting Student Registration
Subject: Visiting Student Registration Information
Student ID Number:
Dear
IMPORTANT REGISTRATION INFORMATION
The University of Exeter would like to welcome you as a visiting student as part of the BBSRC South West
Doctoral Training Programme (SWDTP). You have been registered at Exeter in order to facilitate the joint
supervision of your programme, and so have been provided with access to facilities here for the duration of
your studies in the SWDTP.
There are some important key tasks you need to now complete in order to finalise your registration.
Your home institution has provided us with the following details, which you provided upon registration, in
order for you to be registered as a visiting student at the University of Exeter:
 Institutional ID number
 Title, forename and surname
 Date of birth
 Gender
 Contact address, email address and telephone number
 Next of kin details
Registration as a visiting student means that you will be provided with a University of Exeter IT account,
which will enable you to access systems which will support your studies, such as coursework submission
(BART), virtual learning environment (ELE) and the online student portal (ExeHub). You will also have
access to the University of Exeter Library catalogue as a visiting student.
ACTIVATING YOUR IT ACCOUNT
In order for you to have access to above facilities at the University of Exeter you must first activate your IT
account. Please note that you may not be able to access I.T. activation until up to 48 hours after receipt of
this email.
To activate your account for IT access please visit our activation site where you will be asked to enter your
Exeter Student ID Number (which is xxxxxxxxx) and your date of birth. This will allow you to collect your
username, password and Exeter email address. Please make sure that you make a note of this information.
Information on how to arrange for your University of Exeter emails to be forwarded to your home
institutions email account can be found on the Email Forwarding webpage (should you so wish to set up
this arrangement).
APPLYING FOR YOUR UNICARD
You will need a Unicard for identification purposes, access to some buildings out of hours and also to
activate your access to the Library. Please apply for your UniCard as soon as possible through the Student
Information Desk Online and make sure you attach a photograph to your enquiry. Your UniCard will be
posted by the SID team to your contact address.
STUDENTS’ GUILD
9
The Students’ Guild is the students’ union at the University of Exeter. The Students’ Guild exists to
represent the voice of the student body to the University as well as providing societies, volunteering
opportunities, events and support to ensure that every student gets the most out of their time at Exeter.
Your registration details have not been passed to the Students’ Guild by the University of Exeter, however if
you would like to access Students’ Guild services and receive updates on their activities then you can sign
up for associate membership.
UNIVERSITY REGULATIONS
Please ensure you are familiar with the University's procedures and regulations. For the most part, you will
adhere to the regulations and procedures of your home institution, however you should make yourself
aware of any which may impact upon your visiting student status.
DATA PROTECTION
The University of Exeter operates in accordance with the Data Protection Act. For more information please
see our Data Protection web pages.
10