The ICO exists to empower you through information.

At a glance

In addition to considering whether the data sharing achieves a benefit and is necessary, you must consider your overall compliance with data protection law when sharing data.

We recommend that as a first step you carry out a Data Protection Impact Assessment (DPIA), even if you are not legally obliged to carry one out. Carrying out a DPIA is an example of best practice, allowing you to build in openness and transparency.

A DPIA will help you assess the risks in your planned data sharing and determine whether you need to introduce any safeguards. It will help you work through those considerations and document them. This will also help to provide reassurance to those whose data you plan to share.

In more detail

What do we need to consider?

We have described earlier the benefits of data sharing to society, to organisations, and to us all as citizens and consumers.

When thinking about sharing data, as well as considering whether there is a benefit to the data sharing and whether it is necessary, you must consider your overall compliance with data protection legislation, including fairness and transparency.

As a first step, we recommend that you carry out a Data Protection Impact Assessment (DPIA). A DPIA is an invaluable tool to help you assess any risks in your proposed data sharing, and work out how to mitigate these risks. It will help you to ensure you are sharing data fairly and transparently. It will help you to consider these matters, and to document them.

In law you are required to consider doing a DPIA. However, even if you are not legally obliged to carry one out, it is very beneficial for you to follow the DPIA process.

Do we need to do a DPIA?

We recommend that you carry out a DPIA, as it can benefit both you and the public whose data you plan to share. It will help you to:

  • assess any risks in your planned data sharing; and
  • promote public trust in your data sharing plans.

You are obliged to carry out a DPIA for data sharing that is likely to result in a high risk to individuals. This includes some specified types of processing.

To help you determine whether you need to carry out a DPIA, you can:

  • use our screening checklists on the ICO website; and
  • read the detailed guidance on DPIAs on the ICO website.

It is good practice to carry out a DPIA if you have a major project that involves disclosing personal data, or any plans for routine data sharing, even if there is no specific indicator of likely high risk.

If you have taken into account the nature, scope, context and purposes of the sharing and you are confident that the type of data sharing you have in mind is unlikely to result in high risk, you are not legally required to carry out a DPIA.

However, we recommend that you carry out a DPIA even where you are not legally obliged to do so. You can use the DPIA process as a flexible and scalable tool to suit your project. A DPIA is a practical tool that will help you assess the risks in any planned data sharing. A DPIA need not be a ‘bolt-on’ process - you can integrate the DPIA into any risk frameworks your organisation may already have in place.

As already stated in this code, data sharing must be done in a fair and proportionate way. Using the DPIA to assess the risks in your proposed data sharing will help you achieve that proportionality, as the process will help you to fully understand:

  • whether you can share the data at all; and
  • whether you can share the data, but with steps to mitigate the risks.

Therefore, the DPIA process will not only help to ensure the protection of the data, but will also help you to put additional safeguards in place to mitigate risk where needed. In turn, this will help to provide reassurance to the people whose data you are sharing.

Further reading

The former Article 29 Working Party (WP29) produced guidelines on data protection impact assessments, which have been endorsed by the European Data Protection Board (EDPB). The EDPB, which replaced WP29, includes representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the EU GDPR. Whilst EDPB guidelines are no longer directly relevant to the UK regime and are not binding under the UK regime, they may still provide helpful guidance on certain issues.