Data sharing – when is it unlawful?
This simple guide has been written to help SMEs understand the difference between situations where you can share personal data and situations where it’s unlawful.
There are various reasons why you may need to share information about people with others – and you can, as long as you’ve got a good reason to and you do it responsibly.
Sharing data can make life easier and more convenient. Some agencies share information about their customers to keep them safe. Some businesses share data to give their users better services. As long as organisations understand how to share data lawfully, fairly and transparently and take all the necessary steps to keep it safe, they can share data with one another.
It’s important to understand when it’s OK to share personal data and when it’s unlawful. This simple guide will help you work that out.
It's OK to share data when...
...it makes life easier, more efficient or more comfortable.
For example:
- Joined-up care records enable health and social care providers to share information about their patients’ needs, which means they can make better decisions about each person’s care.
- It’s helpful for banks and lenders to share credit information with credit reference agencies and for credit reference agencies to share with them. This makes checking credit history easier and speeds up the process for people applying for credit.
- An external HR provider could receive employee sickness records so they can support with staff administration.
...you have evidence of criminal activity.
For example:
- A shopkeeper can share CCTV footage with the police if there’s a court order or if it’s relevant to a police investigation – and in this situation, the shopkeeper wouldn’t need to inform the suspect.
Sharing this type of information is justified, despite the potential impact on the person who it’s about, because of the need to protect us all from criminal activity.
If your organisation provides financial services, telecommunications or digital platforms, our guidance on sharing personal information when preventing, detecting and investigating scams and frauds may be useful to you if you suspect any wrongdoing or have evidence of criminal activity.
...you need to protect vulnerable people.
For example:
- You can share data in a safeguarding situation, such as to prevent child sexual exploitation and abuse online, or for the purposes of preventing or detecting crimes against children such as online grooming.
...someone's life is in danger.
For example:
- A pharmacist might need to tell a hospital about medication that they gave to a patient receiving urgent or emergency treatment.
You can share data about someone in an emergency if it will save their life or protect them or others from serious harm.
It's unlawful to share data when...
...you don't have a lawful basis.
This rule applies to all of the examples in this list. If you haven’t got a good reason (or a ‘lawful basis’) to share someone’s data, then you shouldn’t be sharing it. You can use our lawful basis checker to help you work this out.
For example:
Wendy is a supermarket director and she collects and stores information about her customers’ shopping habits through her supermarket’s loyalty card scheme. From this information, Wendy’s supermarket can see that Vernon buys cat food every week. It’s likely that Vernon has a cat, but Wendy wouldn’t have a good reason (a ‘lawful basis’) to share Vernon’s information with a local vet, who wants to market his services to cat owners. It’s also a bad idea because Vernon wouldn’t expect that to happen. He neither agreed to this nor knows about it and it wouldn’t be fair to him.
...you haven’t got appropriate security measures in place for sharing and storage.
You have to keep people’s personal data safe and destroy it securely when it’s no longer needed. If you’re holding and sharing data, you must assess the risks and put appropriate security measures in place. These could include measures such as strong passwords and only allowing a limited number of people to access different areas of your systems.
...the information is particularly ‘sensitive’ and you haven’t taken this into consideration.
For example, sharing certain information like someone’s sexual preference, ethnicity, medical condition or political views could lead to discrimination.
So you not only need to have a lawful basis, but you also need to take extra steps to keep sensitive data safe. But if you haven’t got a lawful basis then you shouldn’t share it, no matter what extra steps you take or measures you put in place.
...it’s part of a general or unlimited sharing arrangement.
For example, social care organisations can only share data with one another when they have taken all the necessary steps to keep it safe. In particular, they need to understand how to share data lawfully, fairly and transparently. If organisations share data regularly, it’s good practice to have a data sharing agreement. The data sharing must be reasonable and proportionate and people should know what’s happening to their information. A general or unlimited sharing arrangement is unlikely to be either lawful or fair, because a blanket approach can’t take every situation into account.
...you haven’t been transparent with people.
For example:
- A catalogue company that sells extreme sports accessories wants to sell their customer list to a travel agent who offers adventure holidays. The catalogue company didn’t make their customers aware that they’d share their information with others and so this would be unlawful. Even if they had customers’ consent for marketing, this doesn’t include third-party companies unless specifically stated.
...it’s not required.
For example:
- An online retailer uses a delivery company to send out a product to one of their customers. As well as providing the name and address of the customer, the retailer also shares the customer’s payment details with the delivery company, because on their system it’s easier to share a full customer record than take extracts. The delivery company doesn’t need this information to do their job, so by doing this the online retailer is acting unlawfully.
...you’re sharing children’s data without a compelling reason.
Sharing data about anyone without a lawful basis is unlawful, but there are specific regulations to protect children online and their data needs greater protection. For example, it’s unlawful to sell on children’s personal data for commercial re-use. We’ve written specific guidance on how to handle children’s data. Essentially, you mustn’t share data about children unless you’ve got a compelling reason to do so, taking account of the best interests of the child.