9. Data sharing

What do you mean by ‘data sharing’?

Data sharing usually means disclosing personal data to third parties outside your organisation. It can also cover the sharing of personal data between different parts of your own organisation, or other organisations within the same group or under the same parent company.

Data sharing can be done routinely (for example the provider of an educational app routinely sharing data with the child’s school) or in response to a one-off or emergency situation (for example sharing a child’s personal data with the police for safeguarding reasons).

Data sharing includes making a child’s personal data visible to a third party.

Why is it important?

It is important because if you share children’s personal data with third parties or with other parts of your own organisation it needs to be fair to the child to do so. Sharing children’s personal data with third parties, including sharing data inferred or derived from their personal data, can expose children to risks arising from their processing of personal data, which go beyond those inherent in your own processing.

The GDPR provides that:

“5(1) Personal data shall be:

(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);

(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes”.

Articles 13 and 14 of the GDPR require you to tell data subjects who you share the personal data with (the recipients or categories of recipients of the personal data).

How can we make sure that we meet this standard?

Consider the best interests of the child

The best interests of the child should be a primary consideration for you whenever you contemplate sharing children’s personal data.

If you have already made sure that your privacy settings are set to ‘high privacy’ by default, then the amount of data sharing that takes place should already be limited; with children having to actively change the default settings to allow you to share their personal data in many circumstances.

You should not share personal data if you can reasonably foresee that doing so will result in third parties using children’s personal data in ways that have been shown to be detrimental to their wellbeing. You should obtain assurances from whoever you share the personal data with about this, and undertake due diligence checks as to the adequacy of their data protection practices and any further distribution of the data.

Any default settings related to data sharing should specify the purpose of the sharing and who the data will be shared with. Settings which allow general or unlimited sharing will not be compliant.

Ultimately, it is up to the person you have shared the data with to ensure they comply with the requirements of the GDPR (in their role as a data controller for the personal data they receive). However, you are responsible for ensuring that it is fair to share the personal data in the first place. You should not share personal data unless you have a compelling reason to do so, taking account of the best interests of the child.

One clear example of a compelling reason is data sharing for safeguarding purposes, preventing child sexual exploitation and abuse online, or for the purposes of preventing or detecting crimes against children such as online grooming.

An example that is unlikely to amount to a compelling reason for data sharing is selling on children’s personal data for commercial re-use.

Consider the specific issues and risks raised at each stage of your DPIA

You should assess the issues and risks raised at each individual step of your DPIA process. These steps are set out and explained in the section of this code on DPIAs.