The GDPR has significantly increased the compliance obligations that public bodies are subject to when sharing personal data. Equally, the risks associated with data sharing are much greater, in particular the financial penalties that can be imposed by the ICO for breaches of the rules.
However, in this day and age, data sharing is not something that public bodies can avoid. The ongoing pressures to make cost savings and to improve services that public bodies are subject to, mean that collaboration between public bodies, shared services arrangements and partnering with private and third sector contractors are par for the course.
In many cases, the sharing of personal data – often on a large scale and often involving special category personal data - will be a necessary part of such initiatives.
So how can public bodies meet their cost and service level targets whilst also ensuring compliance with the increased demands of data protection law? A good starting point is to make sure that, before embarking on any data sharing initiative, you’ve considered and addressed the issues listed below:
General public law considerations
Is the data sharing authorised under powers available to the public body? Such powers may exist under statute (some statutory gateways expressly permit the sharing of personal data, other statutes do so impliedly) or the common law?
Would the data sharing contravene any statutory prohibitions? For example, the restrictions on disclosing data relating to social benefits that are set out in the Social Security Administration Act 1992;
Would the data sharing contravene Article 8 of the European Convention on Human Rights? Here, the key requirement is that the data sharing is proportionate and justifiable;
Is the public body subject to any duties of confidence or contractual obligations that would prevent the data sharing from taking place?
1. Key GDPR considerations
- Have clear purposes for the data sharing been identified and documented?
- Have one or more lawful grounds for the sharing of the personal data been established? In many cases, public bodies will be able to rely upon Articles 6(1)(c) (compliance with a legal obligation) and/or 6(1)(e) (performance of a public task in the public interest). Consent and the pursuit of legitimate interests should generally be avoided by public bodies as the lawful basis for any processing.
- If a public authority will be sharing special category personal data, which of the Article 9(2) conditions apply? When sharing special category personal data, public bodies will also need to consider the requirements of the Data Protection Act 2018, in particular the need to satisfy a Schedule 1, Part 1 or Part 2 condition.
- How will the requirements for fairness and transparency be met? Obviously, a key aspect of this will be ensuring that, in general, the data subjects concerned have been provided with clear information about who their personal data is being shared with and for what purpose. The fairness of the data sharing in a broader sense should also be considered (e.g. would the data subjects have anticipated that their personal data would be used in this way?).
- How will the security and integrity of the personal data being shared be preserved? Any kind of data sharing arrangement inevitably increases the risk of a personal data breach occurring, so particular consideration should be given to this issue. The organisational and technical measures appropriate to each stage of the data sharing process should be evaluated, including the need to ensure secure transmission and storage and that access to personal data is suitably restricted.
- How will the data minimisation, data retention and data accuracy requirements be fulfilled? Also, how will the data protection by design and default obligations be met?
- Should a data protection impact assessment (“DPIA”) be undertaken? Although a DPIA is only mandatory in certain circumstances, undertaking a DPIA will frequently be advisable when public bodies are sharing personal data, particularly special category data, as a way of identifying and establishing ways of mitigating, key risks.
2. Protocols, arrangements and contracts
- What contractual documentation, protocols or other written arrangements need to be put in place? To a certain extent, what is required will depend on the status of the parties: where the parties to a data sharing initiative will be processing personal data as joint controllers, the requirements of Article 26 will need to be satisfied; any controller/processor relationships must meet the requirements of Article 28 of the GDPR.
- However, even where the parties to an arrangement are independent controllers, it will generally be advisable to put in place a written contract or data sharing protocol which sets out the rights and obligations of the organisations involved. Any such agreement should also deal with the practical aspects of the arrangement. For example: who will be responsible for communicating with data subjects; who will deal with any rights requests? what procedures must be followed if a personal data breach is identified?
- If you’d like more information about the legal issues involved in data sharing or ways to minimise the risks, the ICO’s Data Sharing Code of Practice is a useful resource (even though it hasn’t yet been updated to take account of the GDPR).
Lowri Phillips is head of the information law team at Geldards