At a glance
The gateway to getting data sharing right is always to share personal data fairly and in a transparent manner.
- You must treat individuals fairly and not use their data in ways that would have unjustified adverse effects on them.
- When you share personal data, you must ensure it is reasonable and proportionate.
- You must ensure that individuals know what is happening to their data.
- Before sharing data, you must tell individuals about what you propose to do with their personal data in a way that is accessible and easy to understand.
Fairness and transparency are fundamental to your approach to sharing data under the UK GDPR, and they are closely linked. Understanding that you are responsible for ensuring fairness and transparency will help you to ensure your general compliance with data protection law.
Fairness also forms a key part of the principles under the law enforcement provisions of Part 3 of the DPA 2018. However, the principles in Part 3 do not include transparency; this is due to the potential to prejudice an ongoing law enforcement investigation in certain circumstances. It is essential that the law enforcement agencies have the powers that they need to investigate crimes and bring offenders to justice. However, section 44 of the DPA 2018 sets out the information a controller should make available to data subjects for law enforcement processing purposes.
As part of fairness and transparency considerations, you should also bear in mind ethical factors when deciding whether to share personal data; ask yourself whether it is right to share it.
Example
Two county councils and 19 relevant partner organisations (both public and private sector) decided to share personal information in order to prevent social exclusion amongst young people who had been, or were at high risk of, disengaging from education, employment or training. By sharing information, the partner organisations aimed to co-ordinate their approach to identifying and contacting each young person to support and encourage them back into education, or into work or training.
While the partner organisations took the view that the data sharing would benefit the young people, data protection law required them to consider whether it was fundamentally fair to the young people. The organisations had to pause and consider certain questions before deciding they could go ahead with the sharing:
- Would they only be sharing data in a way that would be in line with the reasonable expectations of the individuals concerned?
- How sure were they that they would not be sharing data in a way that would adversely affect the individuals?
- Did they mislead the individuals when they collected their personal data?
The organisations also had to consider whether they had met their transparency obligations:
- Were they open and honest with the individuals as to how they would use their personal data?
- Did they tell the individuals about the proposed use of their personal data in a clear, accessible way?
The councils were not prevented by data protection law from sharing data, but had to be sure they had done so fairly and transparently by answering these questions.