Control measure: There is a process to assess the legality of sharing and document any outcomes.

Risk: If there is no consistent process to assess the legality of sharing, information may be shared illegally, impacting people’s rights and freedoms and resulting in a personal data breach. If you cannot demonstrate why sharing is legal, this may breach article 5(1)(a)&(b), 5(2), 9 & 10.

Ways to meet our expectations:

  • Complete an assessment of the legality of the sharing and document the outcome. 
  • Ensure that the purpose of sharing is compatible with the purposes for which the information was originally collected (unless a valid exemption applies) (article 5(1)b or DPA18 section 36, or both).
  • Carry out a legitimate interests assessment (LIA), if you are relying on legitimate interests as the lawful basis for sharing.
  • Document the lawful basis (article 9, 10 or DPA18 section 35, or both) and the relevant conditions from schedule 1 or 9 of the DPA18, if the information you are sharing includes special category or criminal offence information under the UK GDPR.
  • Assess whether there is compelling reason to share it in line with the ICO’s data sharing code and the children’s code, prior to doing so.
  • For public authorities - Consider whether there is the legal power to share (outside the UK GDPR or DPA18) (ie a statutory obligation). Document the express or implied statutory legal power relied on.

Options to consider:

  • Check that the appropriate decision-maker(s) makes the assessment about the legality of sharing within your organisation.
  • Keep the assessment under regular review.
  • Keep under review the methods for obtaining, recording and managing consent, where you are relying on this.


Control measure: There is a process to assess the potential risks and benefits of sharing and any outcomes are documented.

Risk: If the process to assess the risks and benefits of sharing is not consistent, this may result in a personal data breach. If you cannot demonstrate why sharing is justified, this may breach article 5(1)&(2), and 35.

Ways to meet our expectations:

  • Complete a DPIA to assess the risks before entering into any new data sharing activity. There is an obligation to do this when sharing is likely to result in a high risk to people’s rights and freedoms. 
  • Always complete a DPIA if the data sharing involves children's personal information, in line with the data sharing code.
  • Seek input from all stakeholders to ensure that you properly consider risk factors when you are relying on a DPIA that is produced by other parties involved in the sharing.

Options to consider:

  • Use a template or common fields for completing DPIAs to ensure a consistent approach.
  • Have processes for managing and reviewing completed DPIAs to ensure these can be accessed as required, remain fit for purpose and within risk appetite.
  • Establish consistent methods for reviewing DPIAs produced by other parties involved in the sharing.