Informed decision-making

Ways to meet our expectations:

• Implement clear policies, procedures and guidance about data sharing, including who has the authority to make decisions about systematic data sharing or one-off disclosures, and when it is appropriate to do so.
• Identify staff that are likely to have responsibility for data sharing decision-making and ensure they have appropriate training, including induction and refresher training. 
• Ensure that staff who are likely to make decisions about sharing children’s information complete specific training. 
• Document all sharing decisions for audit, monitoring and investigation purposes (eg use the data sharing decision form template in the ICO’s data sharing code).
• Involve the DPO in the decision-making process.
• Document any advice from the DPO or other people involved in the decision-making process. 
• Undertake a data protection impact assessment (DPIA), or at least complete DPIA screening, to assess and work out how to mitigate any risks in proposed data sharing activities. 
• Keep policies related to systematic and one-off sharing under regular review to ensure these remain up-to-date and effective.

Options to consider:

• Involve relevant internal and external stakeholders in risk assessments for proposed data sharing activities. 
• Keep DPIAs under review and make appropriate interventions where data sharing decisions have changed.
• Include data sharing arrangements within business continuity plans. 
• Undertake a training needs analysis (TNA) to formally identify roles requiring specialised data sharing training.
• Keep training content under review to ensure it remains fit for purpose.  
• Ensure the DPO has input and oversight into data protection training content.
• Run regular staff awareness exercises to promote the procedures to follow when making sharing decisions.