Data Sharing Checklist

June 2024

Controller to Controller Data Sharing

Data protection law doesn’t stop us sharing personal data with other organisations, but does place on us a requirement to do so lawfully, transparently and in line with other key data protection principles.

Organisations often need to share personal data with other parties. This could be reciprocal, one-way, a regular activity, ad-hoc or a one off.

Quick Data Sharing Checklist

Here’s a quick list of questions to get you started on how to share personal data compliantly.

(The focus here is on sharing data with other controllers. There are separate considerations when sharing data with processors, such as suppliers and service providers).

1. Is it necessary?

It may be possible to achieve your objective without sharing personal data at all, or perhaps the data could be anonymised.

2. Do we need to conduct a risk assessment?

Check if what you’re planning to do falls under the mandatory requirement to complete a Data Protection Impact Assessment. Depending on the nature and sensitivity of the data it might be a good idea to conduct one anyway. Quick DPIA Guide.

3. Do people know their data is being shared?

Transparency is key, so it’s important to make sure sure people know their personal details are being shared. Would they reasonably expect their personal data to be shared in this way?

4. Is it lawful?

To be lawful we need a lawful basis and we need to meet the relevant conditions of the basis we’ve chosen. For example, if we’re relying on consent is this specific, informed and an unambiguous indication of the person’s wishes. If we’re relying on legitimate interests, have we balanced our interests with those of the people whose data we’re sharing? Quick guide to lawful bases.

5. Can we reduce the amount of data being shared?

Check what data the other organisation actually needs, you may not need to share a whole dataset, a sub-set may suffice.

6. Is it secure?

Agree appropriate security measures to protect the personal data, both when it’s share and at rest. This includes security measures where the other organisation is being given access to your systems. Are controls in place to make sure only those who need access, have access?

7. Can people still exercise their privacy rights?

Both parties should be clear about their responsibilities to fulfil privacy rights, and it should be easy for people to exercise them.

8. How long with the personal data be kept for?

Consider if it’s appropriate to have specific arrangements in place for the shared data to be destroyed after a certain period of time.

9. Is the data being shared with an organisation overseas?

If the personal data is being shared with a business located outside the UK, it will be necessary to consider the international data transfer rules.

10. Do we need a data sharing agreement?

UK GDPR does not specify a legal requirement to have a agreement in place when data is shared between organisations acting as controllers. However, the UK ICO considers it ‘good practice’ as and agreement can set out what happens to the data at each stage, and agreed standards, roles and responsibilities. ICO Data Sharing Agreement guidance.

Other data sharing considerations 

Are we planning to share children’s data?

Proceed with care if you are sharing children’s data. You need to carefully assess how to protect children from the outset, and will need a compelling reason to share data relating to under 18s. This is likely to be a clear case of conduct a DPIA!

Is the other organisation using data for a ‘compatible purpose’?

Consider the original purpose the data was collected for, and whether the organisation you’re sharing it with will use it for a similar purpose. It’s worth noting the UK Department of Education came a cropper for sharing data for incompatible purposes.

Is data being shared as part of a merger or acquisition?

If data is being shared as part of a merger or acquisition, the people the data relates to should be made aware this is happening. You’d want to be clear the data should be used for a similar purpose. Robust due diligence is a must, and perhaps a DPIA to assess and mitigate any risks.

Is it an emergency situation?

We’ve all heard the tales about people being scared they’ll be breaching data protection rules if they share personal data with paramedics, doctors or others in emergency situations. The ICO is clear on this point: in an emergency you should go ahead and share data as is necessary and proportionate.

The ICO has a Data Sharing Code of Practice, full useful information about how the Regulator would expect organisations to approach this.