Data Protection Animation Series: Data Sharing
We round off our Data Protection Animation Series of videos by looking at the (not insurmountable) complexities of data sharing.
It's a full year since the General Data Protection Regulation (GDPR) came into force on 25 May 2018 across the EU.
Since then, many data protection practices and policies have changed, but some have continued as usual.
When it comes to data sharing, thinking through both the legal implications and the level of risk involved may show that extra protections need to be put in place.
Sending off a spreadsheet of your beneficiaries' home addresses and health conditions to a recipient partner organisation without taking a step back to think about why and how this data sharing is taking place is a massively risky action. Taking a bit of time to consider whether this is the right thing to do and what could be done to reduce the risks involved is worth the extra effort to protect people's privacy and avoid potential disaster.
What do we need to consider?
First and foremost, the GDPR requires that all processing of data meets with the six data protection principles. This applies to the sharing of data as much as it does to anything else. It can be useful to compartmentalise the data sharing activity and think about how that complies with these principles itself.
For example—the first principle being that processing should be lawful, fair and transparent—if you could not establish a lawful basis and had not explained to data subjects that their data would be shared and with whom, then it would be likely that this principle has not been met and you are at risk of non-compliance with the legislation.
Depending on whom the data is being shared with, there may be other requirements contained within the GDPR.
It is important to understand the concepts of controller and processor. Guidance in our Data Protection Toolkit helps to explain how these apply to sharing data.
Here, we assume that your organisation has determined the purpose and means of processing of the data to be shared, and that it is therefore the controller.
If the data is being shared with a data processor—that is, another organisation that carries out the processing on your behalf—then a written contract with certain clauses is required. This might be the case where you use a service such as a marketing platform, event ticket booking management, or cloud storage. It will be your responsibility to check that this written contract is in place, and to follow up with the processor if one has not been automatically applied as part of the terms of service.
If your organisation together with at least one other organisation determined the 'why' and 'how' of using the data, then you are joint controllers. The GDPR requires that joint controllers come to an arrangement that sets out their respective responsibilities for complying with the GDPR, such as who is responsible for responding to subject access requests.
Finally, if your organisation is sharing data with another controller that has its own purposes for using that data, there are no strictly defined requirements for a contract. However, depending on the volume, complexity and sensitivity of the data and the nature of the relationship between the controllers, it may be worthwhile to put a data sharing agreement in place. There are no strict criteria for these agreements, and their terms are up for negotiation between the parties. We have provided some issues that should be considered for inclusion in an agreement.
In all cases, controllers should exercise careful judgement in who they decide to share data with, what they decide to share and why, and how it can be securely transferred. It may be useful to include a procedure for data sharing activities (even if they're limited, one-off events) in your organisation's Data Protection Policy.
Where can I get more help and information?
This has been just a (very) brief overview of some of the implications for organisations sharing personal data with recipients. You will find more guidance on contracts and data sharing agreements in our Data Protection Toolkit.
The Information Commissioner's Office Data Sharing Code of Practice is also a useful resource, though (at this point) it has not been updated since GDPR became law.