Data sharing and subject access checklist report

• 7: Not yet implemented or planned
• 2: Partially implemented or planned
• 1: Successfully implemented
• 0: Not applicable

RED: not implemented or planned

Areas for focus / suggested actions

In order for the sharing of personal data to be considered fair and lawful the Data Protection Act 1998 imposes a requirement on organisations to explain to individuals how they will use personal data which they collect and who they will share it with. In such data sharing contexts it is important to explain:

• who you are;
• why you are going to share personal data; and
• who you are going to share it with – this could be actual named organisations or types of organisation; and
• provide further information if the situation where the nature of the sharing is such that some aspects of it would not be in the “reasonable expectations” of the individual that you would use their data in that way in order to allow the sharing to be considered fair.

Guidance

• Collecting information about your customers, in ICO small business checklist
• Privacy notices code of practice, ICO

Areas for focus / suggested actions

Your policies, procedures and guidance should set out how staff ought to respond to sharing requests in the appropriate manner. You should:

• have an appropriate policy in place setting out when it is appropriate to share and/or disclose data;
• ensure your policy and processes have considered how staff will ensure that sharing is legal, how the accuracy of the data will be maintained and what security measures should be put in place prior to any sharing of information;
• detail in your policy how compliance with these requirements will be achieved; and
• communicate the policy framework to all staff.

Guidance

• Data sharing checklist, ICO
• Governance, in ICO data sharing code of practice

Suggested actions

You should:

• establish your lawful basis for sharing;
• maintain a log of all your decisions to share personal data;
• review it regularly to ensure that your decisions are well founded and compliant. This also helps you to identify areas where you routinely share large quantities of data ; and
• where you are sharing data routinely, implement appropriate data sharing agreements (DSA) with all parties that you review on a regular basis and record on a central DSA Log.

Guidance

Guide to the UK GDPR – Lawful basis for processing, ICO website

Suggested actions

You should:

• complete a DPIA prior to introducing a DSA to ensure that your business has a lawful basis to share the information and that the sharing complies with the requirements of data protection legislation; and
• regularly review your DSA to ensure it still reflects the current needs of your business and is compliant with data protection legislation. These reviews should address whether you still need the data to fulfil the purposes you are sharing it for whether the DSA reflect current data sharing arrangements.

Guidance

Guide to the UK GDPR – Lawful basis for processing, ICO website

Guide to the UK GDPR – Data protection impact assessments, ICO website

Suggested actions

You should:

• implement a documented process for dealing with requests for personal data efficiently and in accordance with data protection legislation; and
• ensure management has approved the process and make it readily available to staff.

Guidance

Guide to the UK GDPR – Right of access, ICO website

Suggested actions

You should:

• provide appropriate training as part of any induction training on or shortly after appointment;
• ensure all staff receive updates and refresher training at regular intervals thereafter to maintain levels of awareness;
• use awareness materials such as posters, office wide emails, intranet updates, newsletters; and
• give appropriate training to staff with specific responsibilities for processing, logging or overseeing responses to requests for personal data to allow them to carry out their role effectively.

Guidance

Guide to the UK GDPR – Right of access, ICO website

Suggested actions

You should:

• periodically review your documented process and, where appropriate, update it to ensure it remains adequate and relevant;
• put mechanisms in place to regularly monitor and report on agreed performance measures, and any recommendations or lessons learned are applied; and
• consider maintaining records showing measures and reporting, eg management information/KPI, meeting minutes, emails, etc.

Guidance

Guide to the UK GDPR – Right of access, ICO website

AMBER: partially implemented or planned

Where measures have only been partially implemented, please select the appropriate actions from the detail below:

Suggested actions

You should:

• explain who you are, why you are going to share personal data and who you are going to share it with – this could be actual named organisations or types of organisation; and
• provide further information if some aspects of this sharing would not be in the “reasonable expectations” of the individual.

Guidance

Guide to the UK GDPR – The Right to be Informed, ICO website

GREEN: successfully implemented