Control measure: There are active operational controls and processes in place to ensure that large volumes of information in a database or list are being shared in compliance with the law.
Risk: If bulk information is released without the appropriate reviews, risk assessments and authorisations, then there is an increased risk of a data breach, unlawful sharing or sharing incomplete or inaccurate personal information.
Ways to meet our expectations:
- Ensure written data sharing agreements are detailed enough to meet the requirements of the data sharing code.
- Ensure data sharing agreements are signed off by senior management.
- Train teams involved in configuring or generating bulk personal information transfers appropriately.
- Ensure these teams clearly understand the authorisation processes, prior to releasing any information or adjusting existing data sets.
- Develop an approval process for adjustments to existing data sets before changes are actioned. Evidence the change management process.
- Clearly define the specific roles that have the authority to configure or generate data sets for release to data sharing partners.
- Clearly define the specific roles that have the authority to release information to sharing partners.
- Tell sharing partners:
- the source of the information;
- the lawful basis you obtained it on;
- how you initially collected it; and
- what you told people at the time about the purposes you are processing it for.
- Implement processes to monitor platforms and other data sharing mechanisms and ensure they are functioning as they should.
Options to consider:
- Pseudonymise or anonymise information within the database or list, where possible.
- Encrypt the information in transit.
- Regularly review how appropriate it is to share the data sets for the purpose.
Useful links
ICO Data sharing code of practice: Sharing personal data in databases and lists | ICO