At a glance
You must identify at least one lawful basis for sharing data before you start.
You must be able to show that you considered this before sharing any data, in order to satisfy the accountability principle.
What are the provisions on lawful basis?
You must identify at least one lawful basis for sharing data. The lawful bases are different for:
- general processing under the UK GDPR and Part 2 of the DPA 2018; and
- law enforcement processing under Part 3 of the DPA 2018.
At least one lawful basis must apply before you start. You must be able to show that you considered this before sharing any data, in order to satisfy the accountability principle in the UK GDPR and in Part 3 of the DPA 2018. And without at least one lawful basis for processing, any data sharing you do will be in breach of the first principle in each piece of legislation.
Example
A water company and an electricity network operator conducted a data sharing trial to share priority service data with one another. The two companies worked together to jointly identify and safeguard customers who might have found themselves in vulnerable circumstances if their services were disrupted.
Both companies previously held their own registers. The trial allowed the organisations to work together to simplify their processes and introduce a ‘tell us once’ style registration system. The organisations gained explicit consent from relevant customers before undertaking the trial, sharing the data manually and securely on Excel spreadsheets.
Due to the success of the trial, the two companies decided to continue the data sharing as part of their business as usual operations.
Example
A government office responsible for overseeing business competition required information about the practices of a supermarket chain and its performance in the online retail sector.
To understand how the supermarket chain operated, the office gathered evidence about customers’ online shopping habits. The data assisted the office in understanding the range and quality of online services provided by the supermarket chain, as well as its overall value.
As the review formed part of a statutory function, the office was able to demonstrate that the processing was necessary in the public interest and relied on this as its lawful basis for obtaining the customer data from the supermarket chain.
Example
A fintech company launched a paid-for digital tool to assist consumers in handling their finances. The tool could be viewed online and via a mobile phone application. It allowed individuals to access and consider their current accounts, savings accounts, credit cards, investments and pension information in one place. The tool also analysed spending habits and assisted the consumer in developing and managing their budgets. The analysis and planning could be addressed month by month and by different categories, such as grocery shopping, utilities and eating out.
For the service to function correctly, personal data needed to be shared with third-party providers. This was so the customer’s experience could be personalised with third-party services and materials accessible via the tool.
The fintech company relied on ‘performance of a contract’ as its basis for processing under Article 6 of the UK GDPR. As some of the services required the provision of sensitive personal data, explicit consent was also relied on as a condition for processing under Article 9.