Control measure: There are active operational controls and processes in place to ensure that large volumes of information in a database or list are being shared in compliance with the law.

Risk: If bulk information is released without the appropriate reviews, risk assessments and authorisations, then there is an increased risk of a data breach, unlawful sharing or sharing incomplete or inaccurate personal information.

Ways to meet our expectations:

  • Ensure written data sharing agreements are detailed enough to meet the requirements of the data sharing code.
  • Ensure data sharing agreements are signed off by senior management.
  • Train teams involved in configuring or generating bulk personal information transfers appropriately. 
  • Ensure these teams clearly understand the authorisation processes, prior to releasing any information or adjusting existing data sets.
  • Develop an approval process for adjustments to existing data sets before changes are actioned. Evidence the change management process. 
  • Clearly define the specific roles that have the authority to configure or generate data sets for release to data sharing partners. 
  • Clearly define the specific roles that have the authority to release information to sharing partners. 
  • Tell sharing partners: 
    • the source of the information; 
    • the lawful basis you obtained it on;
    • how you initially collected it; and 
    • what you told people at the time about the purposes you are processing it for.
  • Implement processes to monitor platforms and other data sharing mechanisms and ensure they are functioning as they should.

Options to consider:

  • Pseudonymise or anonymise information within the database or list, where possible.
  • Encrypt the information in transit.
  • Regularly review how appropriate it is to share the data sets for the purpose.

Useful links

ICO Data sharing code of practice: Sharing personal data in databases and lists