Data Sharing – when and how to share

Data sharing is central to the continuation of commerce in both the public and private sectors. However, what you can share is governed by the DPA 2018. The DPA 2018 doesn’t stop you sharing data, but it does mean that you must ensure that your data sharing is both lawful and transparent.

In December 2020 the ICO published its Data Sharing Code of Practice. An 88-page document that covers topics that will help you.

Data sharing does have benefits, it encourages collaboration, offers joined up customer care, has potential benefits for the patient when in the healthcare sector. The code of practice aims to guide organisations through the practical steps they need to take to share data while protecting people’s privacy. Data protection law should be an enabler for fair and proportionate data sharing, rather than a blocker.

Organisations need to understand that sometimes it can be more harmful not to share data. You must be sure that you process personal data securely, with appropriate organisational and technical measures in place.

There are several points when sharing data that needs to be given consideration, these include:

  • What data are you sharing and why?
  • What are the risks and benefits of sharing and not sharing?
  • When do you need to carry out a DPIA (Data Protection Impact Assessment)?
  • When should you use a Data Sharing Agreement?
  • What is your lawful basis for sharing the data?
  • What are the policies and procedures that need to be put in place?
  • If you are sharing data belonging to children, you must take into account the best interests of the child
  • When should you share data with law enforcement agencies?

What is a Data Sharing Agreement?

A data sharing agreement covers what is to happen to the data at each stage, sets standards and helps all the parties to be clear about their respective roles. It helps you to demonstrate your accountability under the GDPR. Within your data sharing arrangement, you should have policies and procedures that allow data subjects to exercise their individual rights easily.

When might you share data?

  • Controller to another controller
  • Controller to processor – this is covered under Article 28 GDPR
  • Within your own organisation
  • Under emergency conditions
  • Sharing data in an emergency

You can share data in an emergency, as is necessary and proportionate. An emergency situation is where there is risk of serious harm to human life, or the immediate need to protect national security.

Sharing personal data of children

You may only share children’s data if you can demonstrate a compelling reason to do so, taking account of the best interests of the child.

Sharing personal data in emergency situations

If you need to share with data with doctors paramedics, hospitals then you should share. The ICO is quite clear, ‘in an emergency you should go ahead and share data as is necessary and proportionate.’

Sharing personal data with law enforcement agencies

When sharing data with law enforcement agencies the same considerations must be given to the personal data that is being shared.

In summary

When sharing data, you must think about:

  • Necessity

Do you really need to share the data or can you achieve your objective without sharing the data?

  • Transparency

Have you told the individuals that you will be sharing their data – is it in your privacy notice?

  • Lawful basis

Have you documented the lawful basis for sharing?

  • Data minimisation

What is the smallest amount of data that you can share and still achieve your objective?

  • Individual rights

Are the necessary policies and procedures in place to uphold the rights of the individuals?

  • Retention and destruction of data

Are the processes in place for the secure destruction of data, have you agreed how long you will be keeping the data for?

  • Data Sharing Agreement

Have you implemented the DSA?

  • DPIA (Data Protection Impact Assessment)

Have you conducted a DPIA? We Can Help

If you need any further advice on data sharing then please do contact us, we are here to help.

Scroll to Top