Information accuracy, quality and retention
-
Due to the Data (Use and Access) Act coming into law on 19 June 2025, this guidance is under review and may be subject to change. The Plans for new and updated guidance page will tell you about which guidance will be updated and when this will happen.
Control measure: There are controls in place to ensure that the information shared is adequate for the purpose, accurate and of appropriate quality.
Risk: If information quality is not assured, then there is a risk of inaccurate or unnecessary information sharing. This may result in a data breach or breach of article 5(1)(c) and(d).
Ways to meet our expectations:
- Minimise shared personal information to agreed data sets or redact and clearly distinguish between fact and opinion.
- Create a process to assess whether the information shared is as complete as possible (within the bounds of what you have defined and agreed to share).
- Seek technical advice before sharing information, if different systems are involved.
- Record information in the same format, abiding by open standards when applicable.
- Inform recipients when you amend or update shared information.
- Implement regular quality checks or verification processes to assess whether shared information is accurate and up-to-date. This applies to all sharing partners.
Options to consider:
- Include examples in the sharing agreement to show how to record or convert particular data items (eg dates of birth).
- Establish regular check point meetings between all sharing partners to discuss and confirm information quality check results.
Control measure: There are controls in place to ensure that the information shared is not retained for longer than necessary by all parties.
Risk: If there are no controls in place, a party who you share information with for a particular, limited purpose, may end up retaining it after that purpose is complete. This may breach article 5(1)(e).
Ways to meet our expectations:
- Ensure common retention and disposal arrangements are agreed between all parties prior to sharing information.
- Document the agreed retention and disposal arrangements within data sharing agreements.
- Seek guarantees that recipients will delete, destroy or return shared information:
- once the purpose is served;
- when a relevant retention period expires; or
- in the event of a breach, if appropriate.
Options to consider:
- Request certificates of destruction from sharing partners.
- Regularly review agreed retention and disposal arrangements during the lifecycle of the agreement.