Control measure: People are informed about their personal information being shared.
Risk: If people are not adequately informed, they will be unaware of how their personal information is processed and by whom, which affects their rights and breaches the transparency principle. This may breach articles 5(1)(a)&(b), 12, 13, and 14.
Ways to meet our expectations:
- Make privacy information publicly available and ensure it actively informs people what information you are sharing, who you are sharing it with and the purpose for the sharing, in line with the requirements under article 13 UK GDPR (unless an exemption applies).
- Use plain and age-appropriate language within privacy information to ensure it is accessible to the audience.
- Identify at least one lawful basis for sharing and provide this information in a way that people can understand. If more than one lawful basis applies, explain the circumstances and processing that each lawful basis applies to.
- Give clear direction in data sharing privacy information on how people may exercise their rights with the organisations that you are sharing their information with.
- Inform people of any intention to transfer information to a third country or international organisation. This also includes any adequacy decision and appropriate safeguards, together with details on where to access them.
- Update privacy information to inform people about any changes to data sharing activities, including the impact of those changes.
- Where parties are acting as joint controllers, put agreements in place that specify their duties to provide privacy information under articles 13 & 14 (article 26 of the UK GDPR).
Options to consider:
- Provide privacy information in a range of ways to meet people’s differing needs (eg printed media or through signage).
- Adopt a layered approach to providing privacy information.
- Use a variety of methods to update people about changes to data sharing activities.