Sensitive data must be supported by risk-mitigating controls to avoid a breach of confidentiality.
The contract is what guarantees any promises made when dealing with third parties. Information asset owners have a role to play in delivering on any contracts that UCL enters into and in requiring other organisations to sign up to any relevant contracts.
When transferring data to a third party, information that is classified as 'restricted' or higher should be covered by a formal agreement to handle the data in line with, if not with explicit reference to, UCL's Information Security Policy. Information classified as 'highly restricted' or 'secret' would require a formal contract and a clear legal basis for transferring to the third party. In research, contracts for transferring personal data can be agreed at the outset, when the protocol is agreed, or during the study, although direct consent is usually required for transferring personal data to any third parties.
The UCL Data Protection Office provides an authoritative service for contracts covering transfers of personal data, whether you are planning to transfer data to a third party or receiving data from a third party that is imposing some terms. Where ownership of a project is shared between organisations, the UCL Data Protection Office is equipped to handle negotiations with other organisations that may be Data Controllers in common or Joint Data Controllers with UCL.
If a contract is required to transfer non-personal data outside of UCL or UCL is required to sign a contract to gain access to data that are non-personal, the UCL Research Contracts team will provide legal support for your study.