Lowri Phillips 18 July 2019

Data sharing arrangements

The GDPR has significantly increased the compliance obligations that public bodies are subject to when sharing personal data. Equally, the risks associated with data sharing are much greater, in particular the financial penalties that can be imposed by the ICO for breaches of the rules.

However, in this day and age, data sharing is not something that public bodies can avoid. The ongoing pressures on public bodies to make cost savings and to improve services mean that collaboration between public bodies, shared services arrangements and partnering with private and third sector contractors are par for the course.

In many cases, the sharing of personal data – often on a large scale and often involving special category personal data – will be a necessary part of such initiatives.

So how can public bodies meet their cost and service level targets whilst also ensuring compliance with the increased demands of data protection law? A good starting point is to make sure that, before embarking on any data sharing initiative, you’ve considered and addressed the issues listed below:

General public law considerations

Is the data sharing authorised under powers available to the public body? Such powers may exist under statute (some statutory gateways expressly permit the sharing of personal data, other statutes do so impliedly) or the common law;

Would the data sharing contravene any statutory prohibitions? For example, the restrictions on disclosing data relating to social benefits that are set out in the Social Security Administration Act 1992;

Would the data sharing contravene Article 8 of the European Convention on Human Rights? Here, the key requirement is that the data sharing is proportionate and justifiable;

Is the public body subject to any duties of confidence or contractual obligations that would prevent the data sharing from taking place?

1. Key GDPR considerations

  • Have clear purposes for the data sharing been identified and documented?
  • Have one or more lawful grounds for the sharing of the personal data been established? In many cases, public bodies will be able to rely upon Articles 6(1)(c) (compliance with a legal obligation) and/or 6(1)(e) (performance of a public task in the public interest). Consent and the pursuit of legitimate interests should generally be avoided by public bodies as the lawful basis for any processing.
  • If a public authority will be sharing special category personal data, which of the Article 9(2) conditions apply? When sharing special category personal data, public bodies will also need to consider the requirements of the Data Protection Act 2018, in particular the need to satisfy a Schedule 1, Part 1 or Part 2 condition.
  • How will the requirements for fairness and transparency be met? Obviously, a key aspect of this will be ensuring that, in general, the data subjects concerned have been provided with clear information about who their personal data is being shared with and for what purpose. The fairness of the data sharing in a broader sense should also be considered (e.g. would the data subjects have anticipated that their personal data would be used in this way?).
  • How will the security and integrity of the personal data being shared be preserved? Any kind of data sharing arrangement inevitably increases the risk of a personal data breach occurring, so particular consideration should be given to this issue. The organisational and technical measures appropriate to each stage of the data sharing process should be evaluated, including the need to ensure secure transmission and storage and that access to personal data is suitably restricted.
  • How will the data minimisation, data retention and data accuracy requirements be fulfilled? Also, how will the data protection by design and default obligations be met?
  • Should a data protection impact assessment (“DPIA”) be undertaken? Although a DPIA is only mandatory in certain circumstances, undertaking a DPIA will frequently be advisable when public bodies are sharing personal data, particularly special category data, as a way of identifying key risks and establishing ways of mitigating them.

2. Protocols, arrangements and contracts

  • What contractual documentation, protocols or other written arrangements need to be put in place? To a certain extent, what is required will depend on the status of the parties: where the parties to a data sharing initiative will be processing personal data as joint controllers, the requirements of Article 26 will need to be satisfied; any controller/processor relationships must meet the requirements of Article 28 of the GDPR.
  • However, even where the parties to an arrangement are independent controllers, it will generally be advisable to put in place a written contract or data sharing protocol which sets out the rights and obligations of the organisations involved. Any such agreement should also deal with the practical aspects of the arrangement. For example: who will be responsible for communicating with data subjects; who will deal with any rights requests; and what procedures must be followed if a personal data breach is identified?
  • If you’d like more information about the legal issues involved in data sharing or ways to minimise the risks, the ICO’s Data Sharing Code of Practice is a useful resource (even though it hasn’t yet been updated to take account of the GDPR).

Lowri Phillips is head of the information law team at Geldards
