At a glance
Accountability should form an important part of the culture and business of your organisation.
The specific accountability requirements of the UK GDPR mean that you are responsible for your compliance with the UK GDPR or the DPA 2018. You must be able to demonstrate that compliance.
You should review all your accountability measures regularly.
In more detail
- What is accountability?
- What documentation do we need to keep?
- What is the role of the data protection officer (DPO) in a data sharing arrangement?
Accountability is a legal requirement for data sharing; it is one of the principles applicable to general data processing under the UK GDPR. The importance of accountability cannot be overstated. To be effective, you have to embed the message of accountability in the culture and business of your organisation, from board level through to all your employees and contractors.
You must consider the risks data sharing may create, and take appropriate action. You need to ensure staff are adequately trained, assess your data processing and put data protection at the heart of your organisation. It is more than box ticking or bolt-on compliance. It is an opportunity to make data protection a part of the cultural and business fabric of your organisation. It means not only complying with the legislation, but showing it.
Accountability obligations mean that if you are involved in a data sharing arrangement, you are responsible for your compliance with the UK GDPR or DPA 2018, and you must be able to demonstrate that compliance. As part of this, and where proportionate, you must put in place a data protection policy which adopts a “data protection by design and default” approach. This will help you comply with data protection law and good practice whenever you process data.
There is a general obligation to evidence your compliance and justify your approach, so you should maintain relevant documentation and adopt additional measures as necessary. A data sharing agreement is one example of good practice to demonstrate you are meeting your accountability obligations. If you are unable to justify your approach, it is likely you will fail to meet those obligations.
Successfully embedding accountability will enhance your reputation as a business that can be trusted with personal data. The public are increasingly demanding to be shown how their data is being used and how it is being looked after. They want to know that their personal data is in safe hands, and that you have put in place mechanisms to protect their information.
For law enforcement processing, similar provisions are set out in Chapter 2 of Part 3 of the DPA 2018.
Accountability should form part of a long-term programme of compliance and sound governance within your organisation. Documentation forms one of the requirements to ensure effective accountability, and the UK GDPR is specific on this point. Under Article 30 of the UK GDPR, larger organisations are required to maintain a record of their processing activities. Even if you are not a larger organisation, you should document any data sharing you undertake, and review it regularly.
Documenting this information is a practical way of taking stock of your data sharing. Knowing what information you have, where it is, and what you do with it makes it much easier for you to comply with other aspects of the UK GDPR, such as making sure that you hold accurate and secure information. You should follow good records management practice, and for this purpose you may find it helpful to refer to the codes of practice under section 46 of the Freedom of Information Act 2000 (FOIA) and section 61 of the Freedom of Information (Scotland) Act 2002 (FOISA).
As well as any record of all aspects of the data sharing and other processing activities required under Article 30, you must keep sufficient documentation to demonstrate your compliance with the UK GDPR when sharing data, such as:
- your compliance with all data protection principles, obligations and rights;
- your record of the lawful basis for processing and the privacy information you provide;
- any records of consent; and
- records of any personal data breaches.
For data sharing that constitutes law enforcement processing under Part 3 of the DPA 2018, section 61 of the DPA 2018 sets out the records to keep, including logs of processing operations in automated processing systems.
If you have a DPO, they should be closely involved from the outset in any plans to enter into a data sharing arrangement. Some organisations may have multiple individuals with responsibility for data sharing matters, depending on the context of the data sharing and the arrangements within the organisation. Many of the references to the DPO in this code are applicable to them as well. In all cases, you should document the advice you receive from them.
DPOs play an important role while a data sharing arrangement is under way. Since there will be a number of organisations involved, each of you will have your own responsibilities for the data you share or have received. Often a data sharing arrangement involves processing sensitive information. In each of the organisations, the DPO advises everyone on information governance, ensures compliance with the law, and provides advice to staff faced with decisions about data sharing. They may also be a contact point for individuals to exercise their rights.
The ICO’s main contact point with an organisation is through the DPO and we are here to advise and address their concerns.
An airline looked to develop its service by improving transport schedules, mitigating disruption for passengers and taking steps to improve its carbon footprint. To do this, the airline wanted to use the personal data that it held about its customers for a new purpose.
It considered the requirements of Article 6.4 of the UK GDPR and undertook a DPIA, as the processing required the combination of different datasets.
To implement some of the strategies proposed, the airline needed to provide some of the data to a partner company which had developed software to enhance customer engagement in this area. In sharing the data, the airline considered whether the partner company adhered to appropriate security measures and had a written contract covering the scope of the data sharing and processing.
In this case, the airline had implemented a ‘data protection by design and default’ approach. It had:
- taken appropriate measures to establish if the new processing arrangements were lawful
- been clear with the third party about the extent of the processing permitted; and
- had kept clear evidence of the steps taken to comply with the requirements of the UK GDPR.
A police intelligence database on gangs in an area (the gangs database) had been shared by the police with the local authority. The council went on to share it inappropriately with a number of organisations. This constituted a data breach.
Shortly afterwards there were incidents of gang violence in the area and some victims had featured in the gangs database. Although it was not possible to establish a causal connection to the data breach, it was obvious that there was a risk of distress and harm when this type of sensitive data was not kept secure.
In this case, it was apparent that it was unfair and excessive for the council to have shared the unredacted database with a large number of people and other organisations. It should have realised that there was an obvious risk in doing so.
There is a national concern about the need to tackle gang crime, and it is widely recognised that this is a challenge for public authorities. Data sharing has an important role to play in tackling this challenge; however, it has to be carried out in compliance with the law. Data must be processed lawfully, fairly, proportionately and securely. However, data protection law is not a barrier to data sharing.
To help prevent such incidents happening, organisations processing sensitive data should have in place policies, processes and governance, as well as training for staff. Conducting a DPIA is one way an organisation can try to ensure it is complying with the law. This data sharing code also provides practical information.
A health care organisation provided an out-of-hours emergency telephone service. As calls could be received about clients’ welfare, it was essential that advisors had access to some personal data about the organisation’s clients to carry out their role and where appropriate to share data in the public interest.
A call was taken by a new advisor late one evening from someone identifying themselves as a police officer and requesting the address of one of the organisation’s clients.
The organisation had protocols to follow about sharing data to third parties, and it was mandatory that all new advisors had this training on appointment. The advisor therefore knew the procedure to follow to determine whether or not they could share this information.