Many organisations have been sharing data successfully, but there seems to be a belief by some in the public and private sectors that data protection law is a barrier to doing this. This belief is unfounded.
Data protection law provides organisations with a framework to help them be confident they can share personal data lawfully, while protecting the people whose data is being shared.
Here we bust some of the common myths and misconceptions surrounding data sharing and data protection law.
Myth #1: Data protection law stops all organisations and businesses from sharing personal data.
Fact: Data protection law enables organisations and businesses to share personal data securely, fairly and proportionately.
If you shared data under the previous data protection regime, then it is very likely that you can continue doing so under the General Data Protection Regulation (GDPR), along with the Data Protection Act 2018.
Our data sharing code of practice provides guidance, alongside practical tools, to help organisations be confident they can share data within the law.
As a starter, you should read our checklist, which sets out what you should consider before sharing personal data, as well as what to include in any data sharing agreement. Another practical way to do this is through a Data Protection Impact Assessment (DPIA), which is a process to help you identify and minimise the data protection risks of a project, while promoting public trust and transparency.
And remember, if you are already sharing information in a way that is proportionate and justified then you should continue to do so.
Myth #2: Only large tech companies gain any benefit from data sharing.
Fact: Data sharing can bring significant social and economic benefits for a wide range of organisations and for individuals, including job creation, efficient delivery of public services - including support for the vulnerable - and improved customer experience.
Done in line with data protection law, data sharing can drive innovation in technology and exciting new uses of data, while protecting the people whose data is being shared.
The ICO runs a successful regulatory sandbox to help public and private organisations of all sizes explore new data uses, while ensuring people’s privacy is respected.
The ICO’s Sandbox is currently accepting applications from all types of organisations – from start-ups, SMEs and large organisations, across private, public and voluntary sectors – that are developing products and services that support complex data sharing in the public interest. Find out more about the Sandbox.
Myth #3: Personal data can’t be shared in emergency situations.
Fact: You can share data in an emergency, and you should do whatever is necessary and proportionate to save someone’s life. Data protection does not stop that.
Examples of an emergency situation are the risk of serious harm to human life, a public health crisis, or the protection of national security.
Organisations should be confident that relevant personal information can be shared lawfully if it is to protect someone from serious physical, emotional or mental harm, for instance when safeguarding in an education context.
Where possible, you should plan ahead for different situations and put contingencies in place. View more information on sharing data in an emergency.
Myth #4: Data protection law prevents organisations from sharing sensitive personal data with the police or other law enforcement authorities.
Fact: When the police and other ‘competent authorities’, as described in Part 3 of the Data Protection Act 2018, ask organisations and businesses for information to help them investigate, prevent, detect or prosecute a crime, the law enables appropriate data sharing to take place.
We have a toolkit that helps organisations and businesses make a decision on when and what to share with the police and other law enforcement authorities.
If you’re a law enforcement authority it is important that any requests you make for personal data are relevant to the investigation, and that you explain the reason behind the request to the other organisation in a clear and timely manner.
When there’s a need to share data more frequently or on a larger scale, having a data sharing agreement in place allows organisations and businesses to share information quickly and lawfully. In Wales, more than 400 organisations, including the police and emergency services, have signed up to an accord on sharing personal information, where they receive help on putting data sharing agreements in place so information is shared in a safe and timely way when needed.
The sooner a consistent, documented process is in place, the easier it is to demonstrate compliance and how people’s data is being safeguarded.
Myth #5: Consent is always needed to share people’s data with another organisation.
Fact: Not always. You can usually share without consent if you have a good reason to do so. And often it is inappropriate to rely on consent.
Banks share data for fraud protection purposes, insurance companies request information for claims, and local authorities need personal data to process council tax bills – none of these examples use consent as a lawful basis to share personal information.
Data protection law provides other lawful bases that may be more appropriate than consent.