This blog has been written to help sole traders, small business owners, and small organisations understand the different lawful ways in which information about people can be shared with others.
In our experience, SMEs often believe they must have someone’s consent before they can share information about them. In data protection law, to share any information, a ‘lawful basis’ is needed. But there are six lawful bases available. Consent is just one of them. Consent often won’t be appropriate, in which case you should use one of the other five.
There are various reasons why you may need to share information about people with others.
For example, it’s necessary to share information with government agencies about who you employ for tax purposes. If you have an accountant, you’ll need to share some staff information so they can organise your accounts. And you’ll need to share information with the police if they have a warrant for information you hold about someone.
Sharing personal data about someone with another person, business or agency – if done under the right circumstances and for the right reasons – can help protect them or give them a better service. But remember, you have to have a lawful basis for processing, and you should document this.
Here are three examples.
You’d choose ‘contract’ as your lawful basis for processing when you need to share someone’s details so you can enter into a contract.
For example, Sally is a solicitor and wants to give a quotation to Tam, a potential client who is buying a house. As part of Sally’s service, she engages a surveyor for her clients. Sally needs to share limited details about Tam and the property he wants to buy with the surveyor, so that she can produce an accurate quotation for her service. Sally can’t enter into the contract with Tam until he’s accepted the quotation, so she needs to share the details to be able to enter into the contract.
‘Contract’ also works well as your lawful basis for processing when you need to share someone’s details in order to fulfil a contract.
For example, Bill has ordered a book from Coco’s online shop and has paid for it. This means that Bill has entered into a contract with Coco, who needs Bill’s postal address in order to deliver the book. Coco wants to send Bill’s address details to a courier service who delivers books on her behalf. If Coco doesn’t share Bill’s address with the courier service, they won’t be able to deliver the book and Coco’s side of the contract wouldn’t be fulfilled.
2. Legitimate interest
‘Legitimate interest’ can work well for straightforward processing of personal data, particularly when it’s something the person would reasonably expect. It can be helpful, but it’s not necessarily the easiest basis to use for sharing data. This is because it’s best used when the processing isn’t required, and there has to be a limited privacy impact on the person.
For example, Tom bought a car from Shauna’s garage several months ago but has not kept up his car payments. Shauna wants to send Tom’s details to a debt collector so they can get what she’s owed. Tom is unlikely to consent to this, if asked.
Shauna should be able to use ‘legitimate interest’ as her lawful basis to pass Tom’s information to debt collectors. This is because Tom hasn’t paid for the car and it’s in Shauna’s legitimate interest to recover the debt.
But the processing still has to be transparent. This means that when Tom bought the car, Shauna should have made it clear that in the case of non-payment, she would pass relevant information to debt collection agencies so the debt could be recovered.
If you choose to use ‘legitimate interest’ as a reason to share information, it can be helpful to think of it as a balancing test. You need to weigh up your interests as a business against the interests of your customers, members, service users, or anyone else whose data you hold and use.
3. Legal obligation
If you need to use and share someone’s information because you have to by law, then it’s likely to be your legal obligation and you can use this as your lawful basis for processing. However, make sure you clearly identify which law you’re following in order to use and share the information in this way.
For example, Claire recently took on two new apprentices for her plumbing business. She has to share their details with HMRC in-line with tax and employment laws.
It could also be your legal obligation to use and share people’s personal data if you suspect any wrongdoing.
For example, Sharon is a financial advisor. She suspects one of her clients may be involved in (or is attempting) organised crime and money laundering. Sharon is legally obliged to share her suspicions with the National Crime Agency. In this situation, Sharon shouldn’t seek her client’s consent to share their data with the National Crime Agency. ‘Consent’ isn’t the lawful basis she’s using to share the data, so she doesn’t need it. And by not seeking consent, Sharon can avoid alerting her clients to a possible investigation.
You can use our interactive tool to help you choose which lawful basis is most appropriate, depending on the reason you want or need to share the personal data. Make sure you choose your lawful basis carefully because you usually can’t change your mind after you’ve started using people’s data for this reason. You’ll also need to document what lawful basis you’re using, say why you’re using it, and tell people about it in your privacy notice.
If you’re unsure which lawful basis to use in your situation, you can contact us for more advice.