Bulk transfers of personal information in databases or lists
The Data (Use and Access) Act 2026 received Royal Assent on 19 June 2026. All the provisions affecting data protection law and the Privacy and Electronic Communications Regulations are now in force. The Department for Science and Innovation (DSIT) has set out the commencement plans. You can find more details on the Gov.uk website.
Control measure: There are active operational controls and processes in place to ensure that large volumes of information in a database or list are being shared in compliance with the law.
Risk: If bulk information is released without the appropriate reviews, risk assessments and authorisations, then there is an increased risk of a data breach, unlawful sharing or sharing incomplete or inaccurate personal information.
Ways to meet our expectations:
- Ensure written data sharing agreements are detailed enough to meet the requirements of the data sharing code.
- Ensure data sharing agreements are signed off by senior management.
- Train teams involved in configuring or generating bulk personal information transfers appropriately.
- Ensure these teams clearly understand the authorisation processes, prior to releasing any information or adjusting existing data sets.
- Develop an approval process for adjustments to existing data sets before changes are actioned. Evidence the change management process.
- Clearly define the specific roles that have the authority to configure or generate data sets for release to data sharing partners.
- Clearly define the specific roles that have the authority to release information to sharing partners.
- Tell sharing partners:
  - the source of the information;
  - the lawful basis you obtained it on;
  - how you initially collected it; and
  - what you told people at the time about the purposes you are processing it for.
- Implement processes to monitor platforms and other data sharing mechanisms and ensure they are functioning as they should.
Options to consider:
- Pseudonymise or anonymise information within the database or list, where possible.
- Encrypt the information in transit.
- Regularly review how appropriate it is to share the data sets for the purpose.