Lowri Phillips 18 July 2019

Data sharing arrangements

Data sharing arrangements image

The GDPR has significantly increased the compliance obligations that public bodies are subject to when sharing personal data. Equally, the risks associated with data sharing are much greater, in particular the financial penalties that can be imposed by the ICO for breaches of the rules.

However, in this day and age, data sharing is not something that public bodies can avoid. The ongoing pressures to make cost savings and to improve services that public bodies are subject to, mean that collaboration between public bodies, shared services arrangements and partnering with private and third sector contractors are par for the course.

In many cases, the sharing of personal data – often on a large scale and often involving special category personal data - will be a necessary part of such initiatives.

So how can public bodies meet their cost and service level targets whilst also ensuring compliance with the increased demands of data protection law? A good starting point is to make sure that, before embarking on any data sharing initiative, you’ve considered and addressed the issues listed below:

General public law considerations

Is the data sharing authorised under powers available to the public body? Such powers may exist under statute (some statutory gateways expressly permit the sharing of personal data, other statutes do so impliedly) or the common law?

Would the data sharing contravene any statutory prohibitions? For example, the restrictions on disclosing data relating to social benefits that are set out in the Social Security Administration Act 1992;

Would the data sharing contravene Article 8 of the European Convention on Human Rights? Here, the key requirement is that the data sharing is proportionate and justifiable;

Is the public body subject to any duties of confidence or contractual obligations that would prevent the data sharing from taking place?

1. Key GDPR considerations

  • Have clear purposes for the data sharing been identified and documented?
  • Have one or more lawful grounds for the sharing of the personal data been established? In many cases, public bodies will be able to rely upon Articles 6(1)(c) (compliance with a legal obligation) and/or 6(1)(e) (performance of a public task in the public interest). Consent and the pursuit of legitimate interests should generally be avoided by public bodies as the lawful basis for any processing.
  • If a public authority will be sharing special category personal data, which of the Article 9(2) conditions apply? When sharing special category personal data, public bodies will also need to consider the requirements of the Data Protection Act 2018, in particular the need to satisfy a Schedule 1, Part 1 or Part 2 condition.
  • How will the requirements for fairness and transparency be met? Obviously, a key aspect of this will be ensuring that, in general, the data subjects concerned have been provided with clear information about who their personal data is being shared with and for what purpose. The fairness of the data sharing in a broader sense should also be considered (e.g. would the data subjects have anticipated that their personal data would be used in this way?).
  • How will the security and integrity of the personal data being shared be preserved? Any kind of data sharing arrangement inevitably increases the risk of a personal data breach occurring, so particular consideration should be given to this issue. The organisational and technical measures appropriate to each stage of the data sharing process should be evaluated, including the need to ensure secure transmission and storage and that access to personal data is suitably restricted.
  • How will the data minimisation, data retention and data accuracy requirements be fulfilled? Also, how will the data protection by design and default obligations be met?
  • Should a data protection impact assessment (“DPIA”) be undertaken? Although a DPIA is only mandatory in certain circumstances, undertaking a DPIA will frequently be advisable when public bodies are sharing personal data, particularly special category data, as a way of identifying and establishing ways of mitigating, key risks.

2. Protocols, arrangements and contracts

  • What contractual documentation, protocols or other written arrangements need to be put in place? To a certain extent, what is required will depend on the status of the parties: where the parties to a data sharing initiative will be processing personal data as joint controllers, the requirements of Article 26 will need to be satisfied; any controller/processor relationships must meet the requirements of Article 28 of the GDPR.
  • However, even where the parties to an arrangement are independent controllers, it will generally be advisable to put in place a written contract or data sharing protocol which sets out the rights and obligations of the organisations involved. Any such agreement should also deal with the practical aspects of the arrangement. For example: who will be responsible for communicating with data subjects; who will deal with any rights requests? what procedures must be followed if a personal data breach is identified?
  • If you’d like more information about the legal issues involved in data sharing or ways to minimise the risks, the ICO’s Data Sharing Code of Practice is a useful resource (even though it hasn’t yet been updated to take account of the GDPR).

Lowri Phillips is head of the information law team at Geldards

For your free daily news bulletin
Highways jobs

Education, Health and Care (EHC) Co-ordinators

Buckinghamshire Council
£30,874 - £37,188 per annum
Interested in a career as an EHC Coordinator? Come along to our drop-in event to meet members of the SEND team and find out more about the role! England, Buckinghamshire, Aylesbury
Recuriter: Buckinghamshire Council

Social Worker - Leaving and After Care

Essex County Council
£27775 - £41425 per annum + Plus Excellent Benefits Package
Knowledge, Skills and Experience * Diploma or Degree in Social Work, CQSW, CSS or equivalent * Registration with the Health & Care Professions Council (HCPC) as Registered Social Worker * Demonstrable capability of practice in accordance with curre England, Essex, Chelmsford
Recuriter: Essex County Council

Built Heritage Consultant

Essex County Council
Job Purpose
Recuriter: Essex County Council

Principal Social Worker

Telford & Wrekin Council
£44,632 - £47,534 per annum
We have an established management team, committed to developing excellent practice and ensuring that our staff receive the best support we can offer. Telford, Shropshire
Recuriter: Telford & Wrekin Council

ASC Occupational Therapist - Physical & Sensory Impairment Team

Essex County Council
£30300 - £41425 per annum
Essex County Council (ECC) is one of the largest and most dynamic local authorities in the UK, serving a population of 2 million residents, and has a England, Essex, Harlow
Recuriter: Essex County Council

Local Government News

Latest issue - Local Goverrnemnt News

This issue of Local Government News explores how councils can tackle modern slavery and trafficking in their supply chains, finds out more about Cambridge's first cohousing scheme and the launch of a new project to build a shared service pattern library for local government.

This issue also contains a special focus on children's services and how councils are protecting children following local safeguarding children boards being abolished.

Register for your free magazine