Sharing information is often essential to delivering your mission, whether you’re supporting individuals, working with partners, or reporting to funders. At the Information Commissioner’s Office (ICO), we want to reassure you that data protection is not a barrier to information sharing. In fact, it enables safe, proportionate, and responsible sharing.
Here we set out some practical, quick‑reference checklists to help you think through the key points. For more detail, see our data sharing advice, and our Data Sharing Code of Practice is always there to help you dig deeper.
Check whether the sharing is justified
Before sharing personal data, pause to sense‑check your reasoning:
- What is the specific purpose for sharing the data?
- What are the potential benefits and risks of sharing or not sharing?
- Is sharing the data necessary and proportionate?
- What is the minimum amount of personal data required?
- What safeguards can be put in place to reduce risks? For example, could you password protect the documents?
- Could the same goal be reached without sharing personal data?
Pro tip: In some situations, anonymised, pseudonymised or aggregated information will be sufficient.
Considerations when sharing
If you can justify the data sharing, you should ask:
- What information am I sharing?
- How should I share this information?
- How will the other organisations handle this data?
- What technical and organisational measures do we have in place to ensure the security of the data?
- Are people aware I am processing their data in this way?
Pro tip: To meet your transparency obligations you must clearly explain how and why you share data. Consider whether this is reflected in your privacy policy. Privacy notice not up to date? Try our privacy notice generator.
Check your record keeping
Record keeping doesn’t have to be complex. Noting down answers to the questions below can ensure you are staying accountable.
You should consider documenting:
- why you chose to share (or not share);
- what you shared and the purpose for sharing;
- who you shared it with;
- when and how the sharing happened; and
- which lawful basis you relied on (and any extra conditions for special category data or criminal offence data).
Pro tip: Unsure about your lawful basis? Try our interactive lawful basis tool.
Data sharing agreements
Data sharing agreements (DSA) can help ensure that personal data is handled appropriately between organisations that regularly share data. For one‑off or occasional disclosures, a full DSA may not be necessary.
A helpful DSA will usually set out:
- what information is being shared;
- why it’s being shared;
- who will receive it;
- how the information will be protected;
- responsibilities, for example handling incidents or rights requests; and
- retention and what happens once data is no longer needed.
Pro tip: Review DSAs regularly, especially when sharing arrangements change or after serious complaints or breaches.
More resources
For more information on our Data Fundamentals series, see our launch post and our data retention blog.
Sign up for our next webinar
Data (Use and Access) Act information seminar with ICO | NICVA
If you have any further questions about data sharing or anything data protection related, please visit the ICO website, where you will find guidance specifically for charities and other small-to-medium-sized organisations.