Whenever an organisation (this could be a business, charity, school etc.) shares personal data externally it is deemed to be ‘processing’ it. This means (let’s stick to ordinary personal data for the purpose of this blog) that there has to be a legal ground to do so.
How do we do that?
There are six grounds on which personal data (information that relates to an identified or identifiable living individual) can potentially be processed.
- The individual has given their consent. The UK GDPR has a particular definition of what constitutes consent: it has to be freely given, a take-it-or-leave-it choice. A typical example might be marketing. Someone knows what they will be sent by an organisation and they tick a box to say they agree.
- Sharing is necessary for the performance of a contract to which an individual is party, or in order to take steps at their request prior to entering into a contract. Think buying something online. The retailer may pass your name and address on to a delivery company so that the goods can be transported to you.
- Sharing is a legal requirement, such as the duty of organisations working in the regulated sector to make ‘Suspicious [money laundering or terrorist financing] Activity Reports’.
- There is a need to share to protect an individual’s vital interests, or those of another. These are life-and-death situations. Think of someone who says they are going to jump from a bridge. A concerned organisation may pass on that information to the Police.
- Sharing is necessary as part of a public task or as part of an organisation’s official authority. Many public sector organisations routinely share information, for instance, under the National Fraud Initiative.
- Sharing is necessary to meet the legitimate interests of an organisation or of a third party. An example would be where the Police, engaged in a criminal investigation, contact an organisation to ask for information about an individual who has relevance to the inquiry. This ground requires the sharing party to consider the impact on the privacy of the individual if the information were to be shared. Documenting this exercise by completing a Legitimate Interests Assessment form is good practice.
Organisations that process personal data should, by now, have a Record of Processing Activities which sets out what personal data they share, whose it is, who it is shared with and what the legal basis (or bases) for doing so is. This is what the UK GDPR refers to as ‘accountability’.
Is that all there is to it?
As well as having a legal ground to share information, an organisation should do so fairly and transparently. An individual shouldn’t be surprised that their information has been shared with a third party [although there are circumstances when personal data can be shared without the knowledge of an individual]; indeed, any recipients of an individual’s personal data should be listed on the Privacy Notice given to the individual.
There are other principles that relate to the sharing (‘processing’) of personal data. The key ones are that you should only share the minimum amount of personal data you need in order to achieve the purpose of sharing, and that what is shared is accurate and up to date. Also, the sharing organisation has to take appropriate measures to keep the personal data confidential when sharing and ensure it is not lost or damaged whilst doing so.
The Information Commissioner’s Office has recently [December 2020] issued a Code of Practice in relation to data sharing. The ICO will look at what the code says when deciding whether the person sharing has complied with their obligations under the law. It focuses on sharing between Independent Controllers (those who individually determine what is done with data and how it is processed) and on Joint Controller situations (where two or more controllers together determine what is to be done and how).
Some sharing is routine. In these situations, it is wise (and in Joint Controller situations a legal requirement) to have a Data Sharing Agreement. This is, as it sounds, an agreement setting out the purposes of the sharing and the respective obligations of the parties in respect of the personal data. It also sets out who will be responsible for dealing with any requests by individuals seeking to exercise their data protection rights, such as to secure access to their data or to have it erased. The code provides more information as to what should be in a Data Sharing Agreement.
In one-off situations it is wise to document the process by requiring organisations who want the personal data to set out what they want and why they want it. The other party can then consider the request and, whatever the decision, record it and the reasoning behind it. This will be useful if the ICO ever investigates a complaint made by an individual about data sharing.
The ICO recommends that if you plan to share information you undertake a Data Protection Impact Assessment [‘DPIA’]. This should be done before any final decision to share. The law sets out when one is legally required: when there is a high risk of harm to an individual (or individuals) from the proposed processing (sharing).
The ICO recommends that a DPIA be carried out even if not legally required. A DPIA is a way of identifying what might go wrong, privacy-wise, when data is shared, the likelihood of it occurring, the harm that might result and, if it did, how severe it would be. Knowing the risks, the parties involved in the sharing can then work to put in measures to do away with the risk or to reduce it to an acceptable level.
The code provides a handy checklist to go through when considering sharing personal data.
Think carefully before you share personal data. Get it wrong and you could face an ICO investigation, claims by harmed individuals for compensation, and damage to reputation.