The ICO exists to empower you through information.

Control measure: Procedures are in place for responding to ad hoc third-party requests for personal information.

Risk: If there are no procedures in place, this may result in a lack of standardisation in how ad hoc requests are dealt with, and increase the risk of inappropriate or incorrect sharing decisions. This may result in a breach of articles 5(1)(f) (integrity and confidentiality) and 32 (security of processing).

Ways to meet our expectations:

  • Implement a policy or procedure for responding to ad hoc third-party requests for personal information and communicate it to staff.
  • Keep a record on the person’s file, spreadsheet or monitoring documents indicating when there is a verbal or written disclosure to third parties.
  • Consider whether you should put a data sharing agreement in place with the third party if their ad hoc requests become frequent.

Options to consider:

  • Deliver specific training to key staff in departments where ad hoc requests are most common.
  • Develop short checklists on how to handle ad hoc requests for staff to refer to in these departments.


Control measure: Written records are kept of responses and approvals for third-party requests for personal information.

Risk: Without evidence of compliance, there may be a breach of article 5(2) (the accountability principle).

Ways to meet our expectations:

  • Keep a record on the person’s file, in a spreadsheet or monitoring documents indicating verbal or written disclosures to third parties.
  • Keep a record of the steps taken to establish the nature of the disclosure, verify the identity of the requester and confirm the reason for the request.
  • Keep a record of all disclosure approvals, where appropriate.
  • Conduct quality assurance on verbal and written disclosures to provide assurance that staff are following procedures and actioning disclosures lawfully.
  • Log all inappropriate disclosures as a personal data breach and take appropriate action.

Options to consider:

  • Keep a central log of all disclosures.