Data Sharing – when and how to share
Data sharing is central to the continuation of commerce in both the public and private sectors. However, what you can share is governed by the DPA 2018. The DPA 2018 doesn’t stop you sharing data, but it does mean that you must ensure that your data sharing is both lawful and transparent.
In December 2020 the ICO published its Data Sharing Code of Practice, an 88-page document that covers topics that will help you.
Data sharing does have benefits: it encourages collaboration, offers joined-up customer care, and has potential benefits for the patient in the healthcare sector. The code of practice aims to guide organisations through the practical steps they need to take to share data while protecting people’s privacy. Data protection law should be an enabler for fair and proportionate data sharing, rather than a blocker.
Organisations need to understand that sometimes it can be more harmful not to share data. You must be sure that you process personal data securely, with appropriate organisational and technical measures in place.
There are several points that need to be given consideration when sharing data. These include:
- What data are you sharing and why?
- What are the risks and benefits of sharing and not sharing?
- When do you need to carry out a DPIA (Data Protection Impact Assessment)?
- When should you use a Data Sharing Agreement?
- What is your lawful basis for sharing the data?
- What are the policies and procedures that need to be put in place?
- If you are sharing data belonging to children, you must take into account the best interests of the child
- When should you share data with law enforcement agencies?
What is a Data Sharing Agreement?
A data sharing agreement covers what is to happen to the data at each stage, sets standards and helps all the parties to be clear about their respective roles. It helps you to demonstrate your accountability under the GDPR. Within your data sharing arrangement, you should have policies and procedures that allow data subjects to exercise their individual rights easily.
When might you share data?
- Controller to another controller
- Controller to processor – this is covered under Article 28 GDPR
- Within your own organisation
- Under emergency conditions
Sharing data in an emergency
You can share data in an emergency, as is necessary and proportionate. An emergency situation is where there is risk of serious harm to human life, or the immediate need to protect national security.
Sharing personal data of children
You may only share children’s data if you can demonstrate a compelling reason to do so, taking account of the best interests of the child.
Sharing personal data in emergency situations
If you need to share data with doctors, paramedics or hospitals, then you should share. The ICO is quite clear, ‘in an emergency you should go ahead and share data as is necessary and proportionate.’
Sharing personal data with law enforcement agencies
When sharing data with law enforcement agencies the same considerations must be given to the personal data that is being shared.
In summary
When sharing data, you must think about:
- Necessity
Do you really need to share the data or can you achieve your objective without sharing the data?
- Transparency
Have you told the individuals that you will be sharing their data – is it in your privacy notice?
- Lawful basis
Have you documented the lawful basis for sharing?
- Data minimisation
What is the smallest amount of data that you can share and still achieve your objective?
- Individual rights
Are the necessary policies and procedures in place to uphold the rights of the individuals?
- Retention and destruction of data
Are the processes in place for the secure destruction of data? Have you agreed how long you will be keeping the data for?
- Data Sharing Agreement
Have you implemented the DSA?
- DPIA (Data Protection Impact Assessment)
Have you conducted a DPIA?
We Can Help
If you need any further advice on data sharing, then please do contact us. We are here to help.