At a glance

In order to comply with the lawfulness principle, you must ensure that your data sharing is lawful in a general sense.

This includes checking that you have a legal power to share data.

The legal power to share data is separate from the lawful basis provisions.

In more detail

Introduction

This section looks at the principle of lawfulness and discusses the legal constraints on you, outside data protection legislation, and the legal powers you have to share data.

Before sharing any personal data, you must consider all the legal implications. You must ensure that your data sharing is lawful in a general sense in order to comply with the lawfulness principle. For public sector bodies, this includes identifying whether you have a legal power to share data.

Compliance with the lawfulness principle is in addition to identifying a lawful basis for your data sharing. Do not confuse lawful basis with general lawfulness or legal powers that are beyond the UK GDPR/DPA 2018. However, there is a link with the lawful bases - if you do not have a lawful basis to share data, you will be in breach of the lawfulness principle.

This might sound complex, so this section will break down the different elements you should consider.

Do we have a legal power to share data?

If you wish to share personal data with another organisation, either by a one-off disclosure or as part of a routine data sharing arrangement, you need to consider:

  • what type of organisation you are, because your legal status also affects your ability to share information. In particular, it depends on whether you are within the public, private or social sector; and
  • whether you have a general legal power to share information, for instance, under the law setting you up, or under your constitution. This is likely to be more relevant to public sector organisations.

What are the legal powers in the public sector?

Public sector organisations must check that they have the legal power to share data. When deciding whether you may proceed with any data sharing initiative, you should identify and document the law that is relevant to you. Even if this does not mention data sharing explicitly (and usually it doesn’t), it is likely to lead you to a clearer understanding of your legal position.

Public sector organisations mostly derive their powers from sources such as the Act of Parliament or Royal Charter which set them up, or from case law, or duties under common law, or other laws regulating their activities. Government departments headed by a Minister of the Crown have common law powers to share information.

The relevant legislation probably defines your functions in terms of your purposes, the things that you must do and the powers you may exercise in order to achieve those purposes. So you should identify where the data sharing would fit, if at all, into the range of things that you are able to do. Broadly speaking, there are three ways in which you may do so:

  • Express statutory obligations

Occasionally, a public body is legally obliged to share particular information with a named organisation. This is only the case in highly specific circumstances.

  • Express statutory powers

Sometimes, a public body has an express power to share information. An express power is often designed to permit disclosure of information for certain purposes. Express statutory obligations and powers to share information are often referred to as “gateways”. For example, specific gateways exist under the Digital Economy Act 2017 (DEA). Under the DEA there is a framework providing a legal gateway for data sharing for defined purposes between specified public authorities, for the public benefit. There is a separate section in this code on the DEA.

  • Implied statutory powers

Often, the law regulating a public body’s activities is silent on the issue of data sharing. In these circumstances, it may be possible to rely on an implied power to share information derived from the express provisions of legislation. This is because express statutory powers may be taken to authorise the organisation to do other things that are reasonably incidental to those which are expressly permitted.

Public authorities are likely to rely on the public task lawful basis in Article 6.3 of the UK GDPR. This requires the legal power to be laid down by law; however, it does not need to be contained in an explicit piece of legislation, but could be a common law task, function or power. You can rely on this power to share data so long as it is sufficiently foreseeable and transparent.

Whatever the source of your power to share information, you must check that the power covers that specific disclosure or data sharing arrangement. If it does not, you must not share the information unless, in the particular circumstances, there is an overriding public interest in a disclosure taking place.

What are the legal powers for private and social sector organisations?

The legal framework that applies to private and social sector organisations differs from that for public sector organisations. Most private and social sector organisations do not need to identify a specific power to share data. They have a general ability to share information, provided this does not breach the data protection legislation or any other law. If you are a private or social sector organisation you should check your constitutional documents, legal agreements or any other legal or regulatory requirements (such as the common law duty of confidentiality, or the Scottish law of privacy) to make sure you are complying with those requirements and that there are no restrictions that would prevent you from sharing personal data in a particular context. Big organisations with complex, larger scale processing should consider obtaining legal advice.

Private and social sector organisations should pay attention to any industry-specific regulation, guidance or UK GDPR code of conduct about handling personal data, as this might affect your ability to share information.

What is the impact of human rights law?

Public authorities must comply with the Human Rights Act 1998 (HRA) in the performance of their functions. The HRA also applies to organisations in the private sector insofar as they carry out functions of a public nature.

Where the HRA applies, organisations must not act in a way that would be incompatible with rights under the European Convention on Human Rights. Article 8 of the Convention, which gives everyone the right to respect for their private and family life, home and correspondence, is especially relevant to sharing personal data.

If you disclose or share personal data only in ways that comply with the data protection legislation, the sharing or disclosure of that information is also likely to comply with the HRA.

You should seek specialist advice if you have any concerns about human rights issues (other than the data protection elements of Article 8) regarding the disclosure or data sharing arrangement you are proposing.

Have we checked whether there are any additional legal requirements that need to be met when sharing data?

Your ability to share information may be subject to a number of legal constraints outside data protection law. There might be other considerations such as specific legal requirements that need to be met, for example:

  • prohibitions on sharing;
  • copyright restrictions; or
  • a duty of confidence that might affect your ability to share personal data.

A duty of confidence might be stated explicitly, or it might be implied, either by the content of the information or because it was collected in circumstances where confidentiality is expected (eg medical or banking information). If you are a big organisation planning to carry out complex, larger scale processing, you should consider obtaining legal advice on your data sharing plans.

In some private sector contexts, there are legal constraints on the disclosure of personal data, other than data protection law.