Annex C: case studies

Supermarket providing privacy information to customers

A supermarket held information about its customers through its loyalty card scheme, in-store CCTV and records of payments. The company did not normally disclose any information to third parties, such as for marketing purposes. However, it would do so if the information it held was relevant to a police investigation or in response to a court order, for example.

The supermarket or the loyalty card scheme operator had to give customers privacy information that provided an explanation, in general terms, of the sorts of circumstances in which it would share information about scheme members with a third party, such as the police.

If the supermarket were to disclose information about a particular scheme member to the police, it would not need to inform the individual of the disclosure if this would prejudice crime prevention.

Sharing customer details with a credit reference agency

A mobile phone company decided to share details of customer accounts with a credit reference agency.

It had to inform customers when they opened an account that it would share information with credit reference agencies.

Credit reference agencies need to be able to link records to the correct individual, so the mobile phone company had to ensure it was collecting adequate information to distinguish between individuals; for example dates of birth.

The organisations involved had to put procedures in place to deal with complaints about the accuracy of the information they shared.

Duty to process data fairly when carrying out research using shared data

A university wanted to conduct research into the academic performance of children from deprived family backgrounds in the local area. The university wanted to identify the relevant children by finding out which ones were eligible for Pupil Premium. Therefore it decided to ask all local primary and secondary schools to share this personal data, as well as the relevant children’s test results for the previous three years.

The DPA 2018 contains various provisions that are intended to facilitate the processing of personal data for research purposes. However, there is no exemption from the general duty to process the data fairly. Data about families’ income levels, or eligibility for benefits, could be inferred from the Pupil Premium status of a child.

In this example, parents and their children might well have objected to the disclosure of this data because they considered it sensitive and potentially stigmatising. Data about a child’s academic performance could be considered equally sensitive.

Instead the school could have identified eligible children on the researchers’ behalf and contacted their parents, explaining what the research was about and what data the researchers wanted. The school might have wished to obtain parents’ consent for sharing the data, but other lawful bases could have been available to it.

Alternatively, the school could have disclosed an anonymous data set, or statistical information, to the researchers.

Information sharing framework in healthcare

Healthcare partners in one county decided to develop an information sharing framework to standardise their sharing processes and encourage agencies to share personal data safely. The framework helped their staff to comply with data protection law by sharing information lawfully, securely and confidentially. As a result, they were able to integrate service provision across the county and deliver better care outcomes for their residents. In a key step, partners brought together information governance leads to oversee the changes needed to develop the framework.

Main purposes of the framework were to ensure that:

• people only had to tell their story once and could expect a better service delivery;
• local people had clear guidance about how their information was shared (and in what circumstances their consent might need to be sought to share it);
• professionals had access to the information they needed, when they needed it, to support better outcomes for local people;
• good decision making was supported by an information sharing framework, providing staff with clear direction; and
• unnecessary appointments and admissions could be avoided.

The principles of the framework were to:

a) identify the appropriate lawful basis for information sharing;
b) provide the basis for security of information and the legal requirements associated with information sharing;
c) address the need to develop and manage the use of Information Sharing Agreements (ISAs);
d) encourage flows of personal data and develop good practice across integrated teams;
e) provide the basis for county-wide processes which would monitor and review data flows, and information sharing between partner services;
f) protect partner organisations from unlawful use of personal data; and
g) reduce the need for individuals to repeat their story when receiving an integrated service.

Key learning from the introduction of the framework

• Staff needed to be empowered to feel confident about sharing information between partners. Senior leaders needed to be visible to give staff the confidence to share patient information.
• Internal culture needed to be supportive. The culture needed to be underpinned by strong values and ethos. It was essential for a learning culture to be developed so that mistakes could be shared and learnt from, rather than brushed aside. This learning included developing formal training for all staff who were using an integrated care record, supported by the framework.
• Transparency needed to be established so that there was a collective understanding of how the data would be shared and by whom. Staff needed to have clarity around their roles and responsibilities and the benefits of sharing information.
• A need to develop a culture of appropriate sharing in plain English. Messages needed to be simplified to avoid confusion, and jargon needed to be reduced.

Data sharing required by law

A local authority was required by law to participate in a nationwide anti-fraud exercise that involved disclosing personal data about its employees to an anti–fraud body. The exercise was intended to detect local authority employees who were illegally claiming benefits that they were not entitled to.

Even though the sharing was required by law, the local authority still had to inform any employees affected that data about them was going to be shared and still had to explain why this was taking place, unless this would have prejudiced proceedings.

The local authority had to say what data items were going to be shared – names, addresses and National Insurance numbers - and to provide the identity of the organisation they would be shared with.

There was no need for the local authority to seek employees’ consent for the sharing because the law says the sharing could take place without consent. The local authority also had to be clear with its employees that even if they objected to the sharing, it would still take place.

The local authority had to be prepared to investigate complaints from any employees who believed they had been treated unfairly because, for example, their records had been mixed up with those of an employee with the same name.

Considerations for a healthcare data sharing agreement

Relevant parts of the NHS and social services in a region shared personal information with the region’s police force to ensure that mental health service users who were in contact with the police were safeguarded and had access to appropriate specialist support.

The partner organisations had developed a data sharing agreement to support their joint mental health policy. Depending on the circumstances of each case, the lawful basis might have been consent or a task carried out in the public interest. The data sharing agreement clearly identified the various pieces of law that each partner relied on to specify their public functions and the provisions they needed to meet if relying on consent. As special category data was likely to be necessary for referrals, they also identified Article 9 conditions. The data sharing agreement reminded all parties to maintain the rights and dignity of patients, their carers and families, involving them in risk assessments wherever possible while also ensuring their safety and that of others.

A data sharing arrangement in the private sector relating to the use of new software

A company specialising in both business-to-business and business-to-consumer transactions used a software-as-a-service (“SaaS”) provider to manage client contact information and integrate communications into its operations. The SaaS provider automated the processes and kept all information up to date. To comply with the requirements of the UK GDPR, the company entered into a data sharing agreement with the SaaS provider.

The agreement outlined a number of obligations for the SaaS provider, such as the nature and scope of information that was to be processed and how the parties intended to implement appropriate security measures.

The company ensured its privacy information was up to date and accurately reflected the data sharing arrangement entered into with the SaaS provider. The fair processing information explained who the data was being shared with and for what purposes. The company also made use of a preference management tool, ensuring individuals were able to control non-essential elements of data sharing between the parties.

Public sector bodies sharing data to provide a co-ordinated approach

Personal information was shared between two councils, their local schools and colleges, housing providers, relevant community organisations, the local job centres and careers service in order to identify young people who already had been or were currently at high risk of disengaging from education, employment or training. By sharing the information, the partner organisations were able to ensure a co-ordinated approach to providing the most appropriate support to the young person to encourage them back into education, work or training.

The partners used a data sharing agreement to set out their purpose, lawful bases and the information to be shared. The agreement included a section on how to handle data subjects’ rights, and agreed shared security standards; the partners also updated their privacy notices. To quality-assure their agreement, they shared it with a regional group of data protection practitioners for feedback. A timescale was also set for the partners to regularly review the agreement to ensure it stayed up to date and fit for purpose.

Both Companies House (CH) and Her Majesty’s Revenue and Customs (HMRC) collect annual accounts from businesses. The accounts contain key corporate and financial information about the company, such as the names of company directors or financial reporting figures showing their profit and loss.

There is the opportunity, however, for the same company to file a different set of accounts to each of the two organisations. By filing inflated accounts at CH and lower figures at HMRC, they would simultaneously increase their creditworthiness with financial institutions and wider government while also reducing tax liabilities.

Until 2018, restrictions on data sharing had prevented HMRC and CH from sharing company accounts for comparison. With the introduction of the Digital Economy Act 2017, however, a permissive legal gateway was provided to share information to combat fraud.

Prior to sharing information, CH and HMRC met to draw up the governance and processes:

• They would share information as a pilot.
• Both parties designed and agreed a data specification.
• They completed a data protection impact assessment (DPIA) to ensure they considered proportionality and fair processing.
• Both parties signed an information sharing agreement.

HMRC disclosed the first set of company accounts information to CH in October 2018 – the very first transfer of data under the Digital Economy Act powers.

The pilot sought to address the fraud problem through 10 defined data analytics and compliance work streams, each one relating to a mode of behaviour indicating false account filing and fraudulent activity. For the first time, the pilot utilised qualitative analysis to access and compare key words and phrases. Further to this, the pilot also utilised CH back-office data to uncover previously hidden links between companies, combined for the first time with HMRC intelligence.

The data sharing pilot identified around £10m of savings, with upwards of £50m potential annual savings projected if the data share was embedded as business as usual.

In addition, they identified over 3,500 sets of accounts as incorrect at Companies House, thereby improving the integrity of the data held on the register.

Understanding how young people enter the labour market and progress through their early careers helps to highlight disparities in opportunities and shine a light on differing experiences of being in work, incomes and social mobility. The factors that influence labour market and earnings progression, as well as the geographic mobility of workers, had been a long-standing evidence gap in official statistics and analysis.

In 2018, the Office for National Statistics (ONS) brought together data from the 2011 Census with data on earnings and benefits from the Department for Work and Pensions (DWP) and HM Revenue and Customs (HMRC), for the period 2012 to 2016. This new longitudinal study created a dataset of 28 million individual records, allowing for new analysis of how earnings had changed over this period, not previously possible using the traditional survey sources. Only anonymised data was used in the analysis and results were published at an aggregated level, so that individuals could never be identified by ONS analysts undertaking the research or in the published research outputs.

Alongside 2011 Census data on individual and household characteristics, the new dataset drew on local geography information contained in the DWP administrative dataset to produce analysis of the impact of moving home on pay and earnings progression, especially patterns of movement of young people between local authorities and how earnings growth varied depending on the geographical place of origin and different city or regional destinations. While this showed that four in five young people did not move between local authority areas over the period of the study, for those that did move, on average, young people experienced higher earnings growth. Those moving to London experienced the highest average annual growth in earnings (+22%) while those that either did not move local authority or moved elsewhere had much lower earnings growth (+7%).

Further analysis was published as experimental research on the ONS website in Young People’s Earnings Progression and Geographic Mobility.

Sharing data between a local authority and local NHS trust to provide better early help and support to families

Families sometimes have hidden needs so don’t receive the support they require from public services – or may be receiving support through one organisation for a specific issue, but have other needs too.

A council worked with an NHS trust to establish a data sharing arrangement between the council and health services to help identify children and families who would benefit from receiving co-ordinated and targeted early help for a range of issues they might be facing.

The data sharing arrangement cross-referenced NHS trust and council caseload data and identified children and families who were being supported by the trust, but not by the council’s early help services. These families would then be engaged in wider support to address their needs through the Troubled Families Programme. The data would also be used to understand whether families had in fact benefitted from the support they received and to inform future commissioning of services.

Before sharing data, the two organisations worked together to put measures in place to ensure that the data would be protected and shared responsibly:

• A data protection impact assessment, led by the Head of Information Governance and data protection officer (DPO) at the NHS trust, which identified the potential risks to privacy and how those risks would be mitigated.
• An operational agreement setting out the arrangements for the exchange of data, under the overarching information sharing framework signed by the trust and the council.
• A methodology to make sure the minimum amount of data was shared.
• Privacy information.

Organisations involved: Children's public health, Health Visiting, and Child and Adolescent Mental Health Services (CAMHS); the council and local NHS trust.