Control measure: Information sharing is considered and assessed carefully in line with legal requirements and policy. Decisions are documented and procedures are in place to ensure they are approved at the appropriate senior level. Staff likely to make decisions about sharing are adequately trained and made aware of legal requirements and responsibilities.
Risk: Untrained staff may inappropriately share personal information or make unlawful decisions about sharing it. If sharing decisions are not documented and subject to approval, personal information could be shared inappropriately. This may breach UK GDPR article 5(1) or 5(2).
Ways to meet our expectations:
- Implement clear policies, procedures and guidance about data sharing, including who has the authority to make decisions about systematic data sharing or one-off disclosures, and when it is appropriate to do so.
- Identify staff that are likely to have responsibility for data sharing decision-making and ensure they have appropriate training, including induction and refresher training.
- Ensure that staff who are likely to make decisions about sharing children’s information complete specific training.
- Document all sharing decisions for audit, monitoring and investigation purposes (eg use the data sharing decision form template in the ICO’s data sharing code).
- Involve the DPO in the decision-making process.
- Document any advice from the DPO or other people involved in the decision-making process.
- Undertake a data protection impact assessment (DPIA), or at least complete DPIA screening, to assess and work out how to mitigate any risks in proposed data sharing activities.
- Keep policies related to systematic and one-off sharing under regular review to ensure these remain up-to-date and effective.
Options to consider:
- Involve relevant internal and external stakeholders in risk assessments for proposed data sharing activities.
- Keep DPIAs under review and make appropriate interventions where data sharing decisions have changed.
- Include data sharing arrangements within business continuity plans.
- Undertake a training needs analysis (TNA) to formally identify roles requiring specialised data sharing training.
- Keep training content under review to ensure it remains fit for purpose.
- Ensure the DPO has input and oversight into data protection training content.
- Run regular staff awareness exercises to promote the procedures to follow when making sharing decisions.