The ICO exists to empower you through information.

20 May 2024

 

Overall rating

Your overall rating was red.

  • 10: Not yet implemented or planned
  • 0: Partially implemented or planned
  • 0: Successfully implemented
  • 0: Not applicable

 

RED: not implemented or planned

 

Your business informs individuals about the sharing of their personal data.

 

Areas for focus / suggested actions

In order for the sharing of personal data to be fair and lawful, data protection legislation (the UK GDPR and the Data Protection Act 2018, which replaced the Data Protection Act 1998) requires organisations to explain to individuals how they will use the personal data they collect and who they will share it with. In a data sharing context you should explain:

  • who you are;
  • why you are going to share personal data;
  • who you are going to share it with, which could be named organisations or types of organisation; and
  • further information where some aspects of the sharing would not be within the individual's "reasonable expectations" of how you would use their data, so that the sharing can be considered fair.

Your business has communicated policies, procedures and guidance to all staff which clearly set out when it is appropriate to share or disclose data.

 

Areas for focus / suggested actions

Your policies, procedures and guidance should set out how staff should respond to requests to share data. You should:

  • have a policy in place setting out when it is appropriate to share and/or disclose data;
  • ensure your policy and processes cover how staff will confirm that a proposed sharing is lawful, how the accuracy of the data will be maintained, and what security measures must be in place before any information is shared;
  • set out in your policy how compliance with these requirements will be achieved and checked; and
  • communicate the policy framework to all staff.

Your business provides adequate training on an ongoing basis for staff that regularly make decisions about whether to share personal data with third parties.

 

Suggested actions

You should:

  • provide adequate training on an ongoing basis for staff who regularly make decisions about whether to share personal data with third parties;
  • ensure staff with specific responsibility for managing or overseeing sharing processes complete appropriate training to allow them to fulfil this role; and
  • maintain staff awareness through materials such as posters, office-wide emails, intranet updates or data sharing content in newsletters.

 

Your business maintains a log of all your decisions to share personal data and you review this regularly.

 

Suggested actions

You should:

  • establish your lawful basis for sharing;
  • maintain a log of all your decisions to share personal data;
  • review it regularly to ensure that your decisions are well founded and compliant. This also helps you to identify areas where you routinely share large quantities of data; and
  • where you are sharing data routinely, implement appropriate data sharing agreements (DSA) with all parties that you review on a regular basis and record on a central DSA Log.

Guidance

Guide to the UK GDPR – Lawful basis for processing, ICO website

 

Your business has a data sharing agreement (DSA) with any party you routinely share personal data with or transfer large quantities of data to. You review these agreements regularly.

 

Suggested actions

You should:

  • complete a data protection impact assessment (DPIA) before introducing a DSA, to confirm that your business has a lawful basis to share the information and that the sharing complies with data protection legislation; and
  • regularly review each DSA to ensure it still reflects the current needs of your business and remains compliant with data protection legislation. These reviews should address whether you still need the data to fulfil the purposes you are sharing it for, and whether the DSA reflects the current data sharing arrangements.

Guidance

Guide to the UK GDPR – Lawful basis for processing, ICO website

Guide to the UK GDPR – Data protection impact assessments, ICO website

Your business informs individuals about the sharing of their personal data.

 

Suggested actions

You should:

  • explain who you are, why you are going to share personal data and who you are going to share it with – this could be actual named organisations or types of organisation; and
  • provide further information if some aspects of this sharing would not be in the “reasonable expectations” of the individual.

Guidance

Guide to the UK GDPR – The Right to be Informed, ICO website

Your business has appropriate security measures in place to protect data that is in transit, received by your business or transferred to another business.

 

Suggested actions

You should:

  • always use an appropriate form of transport, eg a secure courier for sensitive paper-based personal data, and encrypted email, SFTP (the SSH File Transfer Protocol) or a VPN for electronic files; note that SFTP and VPNs protect the data only while it is on the link, so files still need protecting at rest at both ends;
  • minimise the data being transported to what the recipient actually needs;
  • log each transfer in and out where appropriate, and confirm that the data has arrived complete and unaltered, for example by checking file counts or checksums with the recipient; and
  • employ security measures to safeguard the data in transit, such as tamper-evident packaging and storage on encrypted devices.
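The "log the transfer" and "check to ensure that data is received" actions above are the ones most often left as a sentence in a policy with nothing behind them. The following is an added example, not part of the ICO checklist or any ICO tooling: the sender records a SHA-256 digest per outbound file in a manifest, the receiver re-hashes what arrived and reports files that are missing, altered or were never agreed, and both ends append to a JSON-lines transfer log. The recipient name, file names and file contents are constructed placeholders. Encryption in transit is assumed to be handled separately (SFTP, VPN, encrypted email); this only covers receipt and integrity.

```python
"""Integrity manifest and transfer log for files shared with a third party.

Added example, not from the ICO checklist. Sender hashes each outbound file
into a manifest; receiver re-hashes what arrived and reports what is missing,
altered or unexpected. Both ends append an entry to a JSON-lines log.
"""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Optional


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large exports need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(src_dir: Path, recipient: str, purpose: str) -> dict:
    """Sender side: recipient, purpose and one SHA-256 per file, keyed by relative path."""
    files = sorted(
        (p for p in src_dir.rglob("*") if p.is_file()),
        key=lambda p: p.relative_to(src_dir).as_posix(),
    )
    return {
        "created": datetime.now(timezone.utc).isoformat(),
        "recipient": recipient,
        "purpose": purpose,
        "file_count": len(files),
        "files": {p.relative_to(src_dir).as_posix(): sha256_file(p) for p in files},
    }


def verify_manifest(dst_dir: Path, manifest: dict) -> dict:
    """Receiver side: compare what arrived against the manifest.

    Missing or altered files mean the transfer is incomplete and must be chased;
    unexpected files mean something was sent that was never agreed (over-sharing).
    A copy of the manifest itself (manifest.json) is allowed alongside the files.
    """
    expected = manifest["files"]
    result = {"ok": [], "missing": [], "corrupted": [], "unexpected": []}
    for rel, want in expected.items():
        p = dst_dir / rel
        if not p.is_file():
            result["missing"].append(rel)
        elif sha256_file(p) != want:
            result["corrupted"].append(rel)
        else:
            result["ok"].append(rel)
    for p in dst_dir.rglob("*"):
        rel = p.relative_to(dst_dir).as_posix()
        if p.is_file() and rel not in expected and rel != "manifest.json":
            result["unexpected"].append(rel)
    result["complete"] = not (result["missing"] or result["corrupted"] or result["unexpected"])
    return result


def log_transfer(log_path: Path, direction: str, manifest: dict,
                 result: Optional[dict] = None) -> None:
    """Append one JSON line per transfer event; 'in' events carry the verification outcome."""
    entry = {
        "time": datetime.now(timezone.utc).isoformat(),
        "direction": direction,
        "recipient": manifest["recipient"],
        "purpose": manifest["purpose"],
        "file_count": manifest["file_count"],
    }
    if result is not None:
        entry["complete"] = result["complete"]
        entry["missing"] = result["missing"]
        entry["corrupted"] = result["corrupted"]
    with log_path.open("a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry) + "\n")


def demo() -> dict:
    """Constructed end-to-end run in a temp dir: one file lost and one altered 'in transit'."""
    root = Path(tempfile.mkdtemp())
    src, dst = root / "outbound", root / "inbound"
    (src / "records").mkdir(parents=True)
    # Constructed placeholder files; names, recipient and contents are invented for the example.
    (src / "records" / "a.csv").write_text("id,ref\n1,A001\n", encoding="utf-8")
    (src / "records" / "b.csv").write_text("id,ref\n2,B002\n", encoding="utf-8")
    (src / "readme.txt").write_text("Monthly extract for hypothetical Partner Ltd\n", encoding="utf-8")
    manifest = build_manifest(src, recipient="Partner Ltd", purpose="monthly reconciliation")
    log_transfer(root / "transfer.log", "out", manifest)
    shutil.copytree(src, dst)                                        # the "transfer"
    (dst / "records" / "b.csv").unlink()                             # one file never arrives
    (dst / "readme.txt").write_text("altered\n", encoding="utf-8")  # one file changed en route
    result = verify_manifest(dst, manifest)
    log_transfer(root / "transfer.log", "in", manifest, result)
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest only catches accidental loss or corruption and over-delivery if it travels by a route the person moving the files cannot alter; sent over the same SFTP session as the data, it can be rewritten along with the files. In practice the sender shares the manifest (or its hash) out of band, or signs it, and the receiver's "in" log entry is what gets cited when the transfer is later questioned.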

 

Your business has a documented process for dealing with requests for personal data that all your staff are aware of and you have effectively implemented.

 

Suggested actions

You should:

  • implement a documented process for dealing with requests for personal data efficiently and in accordance with data protection legislation; and
  • ensure management has approved the process and make it readily available to staff.

Guidance

Guide to the UK GDPR – Right of access, ICO website

Your business has appropriately trained all personnel who have responsibility for processing requests for personal data and has made them aware of how to identify and channel requests to the appropriate team or person.

 

Suggested actions

You should:

  • provide appropriate training as part of any induction training on or shortly after appointment;
  • ensure all staff receive updates and refresher training at regular intervals thereafter to maintain levels of awareness;
  • use awareness materials such as posters, office wide emails, intranet updates, newsletters; and
  • give appropriate training to staff with specific responsibilities for processing, logging or overseeing responses to requests for personal data to allow them to carry out their role effectively.

Guidance

Guide to the UK GDPR – Right of access, ICO website

Your business monitors and reviews all requests for personal data and, where necessary, implements additional measures to improve compliance.

 

Suggested actions

You should:

  • periodically review your documented process and, where appropriate, update it to ensure it remains adequate and relevant;
  • put mechanisms in place to regularly monitor and report on agreed performance measures, and ensure that any recommendations or lessons learned are applied; and
  • consider maintaining records showing measures and reporting, eg management information/KPI, meeting minutes, emails, etc.

Guidance

Guide to the UK GDPR – Right of access, ICO website
