Many companies need to share personal data with other organisations. This might be reciprocal or one-way, it could be providing another company’s staff with access to your data for a specific purpose or several organisations pooling information and so on. This data sharing could be a regular activity or ad hoc.
Data protection law has never stopped you doing this, and GDPR is no different. You do however need to make sure your data sharing is lawful, fair and transparent and that you keep top of mind other core data protection principles.
- Do people know their data is being shared?
- Is it reasonable and ethical to share the personal data?
- Have you identified a lawful basis for the sharing?
- Are you limiting the data being shared to that which is necessary only?
- Is the data you are sharing accurate and up to date?
- Are you ensuring the personal data is shared by secure means?
In July the ICO published an updated draft Data Sharing Code of Practice (the original code dates back to 2011). This is open to consultation until 9th September.
It’s worth noting the scope of the code does not cover processors. The contractual requirements for Controller-Processor relationships are set out in Article 28 of the GDPR. Also see Getting your supplier contracts right
In the meantime, here are 10 tips:
- Necessity: Do you need to share personal data? Could the same objective be achieved in a different way? Could the data be anonymised?
- Data Minimisation: Carefully consider the types of personal data you are sharing. Is it strictly necessary to share all of these types, or does the other organisation only need a sub-set?
- DPIA: Consider whether your data sharing may fall under the mandatory requirement to conduct a Data Protection Impact Assessment. Even if it doesn’t, consider whether conducting a assessment might be a good thing to do anyway. The ICO’s draft code includes a list of questions you should consider when assessing the privacy impacts. What is a DPIA? When do you need to conduct one?
- Children: If you are considering sharing children’s personal data, you should proceed with extreme care. You need to assess how to protect children from the outset. If the data sharing might result in a high risk to their rights and freedoms, a DPIA will be required.
- Data Sharing Agreement: It’s good practice to ensure you have a data sharing agreement in place. This might be a separate agreement, or you may choose to include specific requirements, agreed between both parties surrounding data sharing practices, within other contractual terms. The draft code includes details of what such an agreement should look to cover.
- Lawful Basis: Clearly identify and document your lawful basis for sharing and make sure it meets the relevant conditions. For example, if you are relying on Legitimate Interests, have you conducted an assessment? See the DPN’s Guide to Legitimate Interests
- Transparency: Individuals should be provided with information about how their data is used. This is particularly important when you are sharing it with other parties.
- International Transfers: Is the personal data being shared with an organisation based outside the European Economic Area (EEA)? If so, for this to be compliant you need to ensure you have relevant safeguards in place to protect individuals and for the sharing to be lawful. See the ICO’s Guidance on International Transfers. There are implications if the UK leaves the European Union, as transfers of personal data from countries within the EEA to the UK will be subject to restrictions. See Brexit and implications for data protection
- Information Security: You need to ensure you agree appropriate technical and organisational measures to ensure personal data is protected, both in transit and at rest. This includes secure transfer of /access to personal data and having procedures in place for dealing with a potential breach. The ICO’s draft code also states, ‘Organisations that you share data with take on their own legal responsibilities for the data, including its security. However, you should still take reasonable steps to ensure that the data you share will continue to be protected with adequate security by the recipient organisation.’
- In an Emergency: There have been post-GDPR enforcement stories about people scared they will be breaching data protection rules if they share personal data with paramedics and doctors. The message from the ICO is clear, “In an emergency you should go ahead and share data as is necessary and proportionate.”
A couple of other points to consider..
Mergers & Acquisitions
If you are engaged in a merger or acquisition or another change in your company’s structure, which means you will have to transfer data to a different organisation, it’s crucial to ensure you consider data sharing as part of your due diligence. It may be necessary to conduct a DPIA to assess the risks this transfer represents.
Data lists are frequently shared by data brokers, credit reference agencies, political parties and even marketing agencies. The ICO’s draft code makes clear the resonsiblitites, ‘You are responsible for compliance with the law for the data you receive, and for data that is shared on your behalf. You must make appropriate enquiries and checks in respect of the data, including its source and any consent given.’
The draft code is a lengthy document, and the above just represents an overview of some key considerations. At the DPN, we will keep abreast of the progress of the code from draft to final publication.
Philippa Donn, August 2019
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.