Lowri Phillips 18 July 2019

Data sharing arrangements

Data sharing arrangements image

The GDPR has significantly increased the compliance obligations that public bodies are subject to when sharing personal data. Equally, the risks associated with data sharing are much greater, in particular the financial penalties that can be imposed by the ICO for breaches of the rules.

However, in this day and age, data sharing is not something that public bodies can avoid. The ongoing pressures to make cost savings and to improve services that public bodies are subject to, mean that collaboration between public bodies, shared services arrangements and partnering with private and third sector contractors are par for the course.

In many cases, the sharing of personal data – often on a large scale and often involving special category personal data - will be a necessary part of such initiatives.

So how can public bodies meet their cost and service level targets whilst also ensuring compliance with the increased demands of data protection law? A good starting point is to make sure that, before embarking on any data sharing initiative, you’ve considered and addressed the issues listed below:

General public law considerations

Is the data sharing authorised under powers available to the public body? Such powers may exist under statute (some statutory gateways expressly permit the sharing of personal data, other statutes do so impliedly) or the common law?

Would the data sharing contravene any statutory prohibitions? For example, the restrictions on disclosing data relating to social benefits that are set out in the Social Security Administration Act 1992;

Would the data sharing contravene Article 8 of the European Convention on Human Rights? Here, the key requirement is that the data sharing is proportionate and justifiable;

Is the public body subject to any duties of confidence or contractual obligations that would prevent the data sharing from taking place?

1. Key GDPR considerations

  • Have clear purposes for the data sharing been identified and documented?
  • Have one or more lawful grounds for the sharing of the personal data been established? In many cases, public bodies will be able to rely upon Articles 6(1)(c) (compliance with a legal obligation) and/or 6(1)(e) (performance of a public task in the public interest). Consent and the pursuit of legitimate interests should generally be avoided by public bodies as the lawful basis for any processing.
  • If a public authority will be sharing special category personal data, which of the Article 9(2) conditions apply? When sharing special category personal data, public bodies will also need to consider the requirements of the Data Protection Act 2018, in particular the need to satisfy a Schedule 1, Part 1 or Part 2 condition.
  • How will the requirements for fairness and transparency be met? Obviously, a key aspect of this will be ensuring that, in general, the data subjects concerned have been provided with clear information about who their personal data is being shared with and for what purpose. The fairness of the data sharing in a broader sense should also be considered (e.g. would the data subjects have anticipated that their personal data would be used in this way?).
  • How will the security and integrity of the personal data being shared be preserved? Any kind of data sharing arrangement inevitably increases the risk of a personal data breach occurring, so particular consideration should be given to this issue. The organisational and technical measures appropriate to each stage of the data sharing process should be evaluated, including the need to ensure secure transmission and storage and that access to personal data is suitably restricted.
  • How will the data minimisation, data retention and data accuracy requirements be fulfilled? Also, how will the data protection by design and default obligations be met?
  • Should a data protection impact assessment (“DPIA”) be undertaken? Although a DPIA is only mandatory in certain circumstances, undertaking a DPIA will frequently be advisable when public bodies are sharing personal data, particularly special category data, as a way of identifying and establishing ways of mitigating, key risks.

2. Protocols, arrangements and contracts

  • What contractual documentation, protocols or other written arrangements need to be put in place? To a certain extent, what is required will depend on the status of the parties: where the parties to a data sharing initiative will be processing personal data as joint controllers, the requirements of Article 26 will need to be satisfied; any controller/processor relationships must meet the requirements of Article 28 of the GDPR.
  • However, even where the parties to an arrangement are independent controllers, it will generally be advisable to put in place a written contract or data sharing protocol which sets out the rights and obligations of the organisations involved. Any such agreement should also deal with the practical aspects of the arrangement. For example: who will be responsible for communicating with data subjects; who will deal with any rights requests? what procedures must be followed if a personal data breach is identified?
  • If you’d like more information about the legal issues involved in data sharing or ways to minimise the risks, the ICO’s Data Sharing Code of Practice is a useful resource (even though it hasn’t yet been updated to take account of the GDPR).

Lowri Phillips is head of the information law team at Geldards

Supporting the most vulnerable in Herts image

Supporting the most vulnerable in Herts

Hertfordshire CC is investing £9.6m to support its most vulnerable residents in overcoming the repercussions of the pandemic. Scott Crudgington explains why the council is determined to remain ‘a county of opportunity’ for all.
For your free daily news bulletin
Highways jobs

People Technology / HRIS Analyst

Essex County Council
Up to £42174 per annum
The Opportunity The People Technology / HRIS Analyst will be responsible for supporting the ongoing management of people-based technology including England, Essex, Chelmsford
Recuriter: Essex County Council

Principal Energy Engineer

Surrey County Council
£45,734 - £51,725 per annum
Do you have experience in working with delivering carbon reduction measures into a range of building projects? Surrey
Recuriter: Surrey County Council

Wellbeing and Independence Practitioner - Safeguarding

Essex County Council
£27203 - £31370 per annum
Please note, this role is a Fixed Term Contract until the end of March 2022. With us, you can achieve more - for yourself as well as those you work England, Essex, Chelmsford
Recuriter: Essex County Council

Chief Fire Officer/Chief Executive

Essex County Fire & Rescue Service
c. £150,000
Are you ready for an exciting and rewarding opportunity Essex
Recuriter: Essex County Fire & Rescue Service

Housing Development Manager

City of York Council
£36,476 to £41,830 per annum
Do you want to play a key part in the delivery of “the UK’s most ambitious council-led housing programme in a generation”? York, North Yorkshire
Recuriter: City of York Council

Public Property

Latest issue - Public Property News

This issue of Public Property examines how how flexible workspaces can lead the way in regeneration for local authorities, Why local authority intervention is key to successful urban regeneration schemes and if the Government’s challenge of embracing beauty is an opportunity for communities.

The March issue also takes a closer look at Blackburn with Darwen Council's first digital health hub to help people gain control over health and care services.

Register for your free digital issue