Control measure: Procedures are in place for responding to ad hoc third-party requests for personal information.
Risk: Without procedures in place, there may be no standard approach to handling ad hoc requests, which increases the risk of inappropriate or incorrect sharing decisions. This may result in a breach of articles 5(1)(f) and 32.
Ways to meet our expectations:
- Implement a policy or procedure for responding to ad hoc third-party requests for personal information and communicate it to staff.
- Keep a record on the person’s file, in a spreadsheet or in monitoring documents indicating when there is a verbal or written disclosure to third parties.
- Consider whether you should put a data sharing agreement in place with the third party, if their ad hoc requests become more frequent.
Options to consider:
- Deliver specific training to key staff in departments where ad hoc requests are most common.
- Develop short checklists on how to handle ad hoc requests for staff to refer to in these departments.
Control measure: Written records are kept of responses and approvals for third-party requests for personal information.
Risk: Without evidence of compliance, there may be a breach of article 5(2).
Ways to meet our expectations:
- Keep a record on the person’s file, in a spreadsheet or monitoring documents indicating verbal or written disclosures to third parties.
- Keep a record of the steps taken to identify the nature of the disclosure, the requester and the reason for it.
- Keep a record of all disclosure approvals, where appropriate.
- Conduct quality assurance on verbal and written disclosures to provide assurances that staff are following procedures and actioning disclosures lawfully.
- Log all inappropriate disclosures as a personal data breach and take appropriate action.
Options to consider:
- Keep a central log of all disclosures.