Data sharing: 10 point checklist
Many companies need to share personal data with other organisations, be this reciprocal, one-way, a regular activity or ad hoc.
Data protection law doesn’t stop us doing this, but we need to be sure our sharing of data is lawful and transparent. We need to keep in mind other key data protection principles, such as minimisation and security.
The ICO’s Data Sharing Code of Practice provides detailed steps companies would be expected to have covered off. This code is aimed at sharing data with other controllers; organisations who’ll use the data for their own purposes. (There are other considers for sharing data with processors; our suppliers acting on our behalf).
10-point data sharing checklist
- Necessity: Do you really need to share personal data? Could the same objective could be achieved in a different way? Can data be anonymised? We need to be able to demonstrate the sharing of personal data is actually necessary.
- Transparency: Do people know their data is being shared? Have we told them, how did we tell them and is this sufficient? There shouldn’t be any surprises!
- Lawful basis: Have we clearly identified a lawful basis for sharing and met the relevant conditions for this basis? Quick guide to lawful bases
- Data minimisation: Can we reduce the amount of personal data we’re sharing? Does the other organisation only need a specific sub-set?
- Security: Have we agreed appropriate measures to protect the personal data, both in transit and at rest? This includes the secure transfer of, and/or access to, the data. Also be sure to have procedures in place for dealing with a potential data breach. It’s worth noting the ICO’s code says; Organisations that you share data with take on their own legal responsibilities for the data, including its security. However you should still take reasonable steps to ensure that the data you share will continue to be protected with adequate security by the recipient organisation.
- Individual rights: Are appropriate policies and procedures in place so people can easily exercise their privacy rights? Such as erasure requests or DSARs.
- Retention and destruction: Have we decided how long the personal data needs to be kept for? Do we have arrangements in place for data destruction when this period ends? Retention Guidance
- International transfers: Is the personal data being shared with an organisation based outside the UK, or if we’re in Europe outside EEA? Have we considered the compliance of any international data transfers? International Data Transfers Guide
- Data Sharing Agreements: Should we have an agreement in place to cover the data we’re sharing? This could be a separate agreement, or could be covered by the inclusion of specific data protection elements within other contractual terms. The ICO’s code includes details of what such an agreement should include.
- Data Protection Impact Assessments: Do we need to conduct a DPIA. Even if the sharing doesn’t fall under the mandatory requirement to carry out an assessment, depending on the nature and sensitivity of the data, it may be a good idea to conduct one anyway.
Some other data sharing points to consider
Sharing children’s data
If we’re planning to share children’s data, we should proceed with care. We need to assess how to protect children from the outset and we’ll need a compelling reason to share data relating to any under 18s. Likely to be a case where a DPIA is a very sound idea.
Is the organisation we’re sharing data with going to use the data for a purpose which is compatible with the original purpose it was collected for? The UK Department of Education came a cropper for sharing data for incompatible purposes.
Mergers & acquisitions
If we’re engaged in a merger or acquisition, or another change in your company’s structure, this is likely to mean data is shared. Do people know this is happening? Will the data be used for a similar purpose? Robust due diligence is a must, and perhaps a DPIA to assess the risks.
Sharing data lists
Data lists are often shared by data brokers, credit reference agencies, political parties, marketing agencies and so on. The ICO’s code makes it clear; you are responsible for compliance with the law for the data you receive, and for data that is shared on your behalf. You must make appropriate enquiries and checks in respect of the data, including its source and any consent given.
Sharing in an emergency
We’ve all heard the tales about people being scared they’ll be breaching data protection rules if they share personal data with paramedics, doctors or others in emergency situations. The message from the ICO is clear; in an emergency you should go ahead and share data as is necessary and proportionate.