At a glance

In a data sharing arrangement, you must have policies and procedures that allow data subjects to exercise their individual rights easily.

There are additional requirements if your data sharing involves automated decision-making.

The position on individual rights is slightly different for law enforcement processing.

In more detail

What is the impact of the rights of individuals on data sharing?

In a data sharing arrangement, you must have policies and procedures that allow data subjects to exercise their individual rights.

The rights available to an individual data subject under the UK GDPR and under Part 3 of the DPA 2018 (law enforcement processing) differ in some respects. Please see the paragraph below on individual rights under Part 3 for law enforcement processing.

The UK GDPR gives individuals specific rights over their personal data. For general data processing under the UK GDPR, in summary these are:

  • the right to access personal data held about them (the right of subject access);
  • the right to be informed about how and why their data is used - and you must give them privacy information;
  • the rights to have their data rectified, erased or restricted;
  • the right to object;
  • the right to portability of their data; and
  • the right not to be subject to a decision based solely on automated processing.

There are exemptions and restrictions that can, in some circumstances, be legitimately applied to exempt or qualify the right of individuals to exercise their rights.

This section of the code does not seek to replicate existing ICO guidance on individual rights, but rather focuses on how the rights impact on data sharing. You should refer to guidance on the ICO website for more details.

How do we allow individuals to exercise their information rights in a data sharing scenario under the UK GDPR?

  • You must have policies and procedures that allow individuals to exercise their rights easily, and you must set these out in your data sharing agreement.
  • If you are a joint controller, these should be set out clearly in the transparent arrangement you and your other joint controller or controllers are required to enter into under Article 26 of the UK GDPR (for law enforcement processing, it is set out in section 58 in Part 3 of the DPA 2018).
  • You must provide details of how to exercise these rights in the privacy information you issue to individuals.
  • You must make the exercise of individual rights as straightforward as possible. Be aware that although your DPO may be the first point of contact, individuals may contact any part of your organisation.
  • Where several organisations are sharing data, it may be difficult for an individual to decide which organisation they should contact. You should make that clear in the privacy information you provide to them at the time you collect their data, as well as in any transparent arrangement made under Article 26.
  • In a data sharing arrangement it is good practice to provide a single point of contact for individuals, which allows them to exercise their rights over the data that has been shared without making multiple requests to several organisations. However, they are permitted to choose to exercise their rights against any controller they wish.

Example

A social sector organisation providing childcare services held information shared from a local authority and the NHS. The Article 26 transparency arrangement set out a clear procedure that whichever organisation received a request for personal data should take a lead on providing the data and notify the other parties if necessary.

The arrangement also set out procedures for how to deal with the exercising of other individual rights.

The procedures were also provided in privacy information given to service users and contained in a data sharing agreement published on the respective organisations’ websites.

What is the impact on a data sharing arrangement of requests for erasure, rectification or the restriction of processing?

Under Articles 16, 17 and 18 of the UK GDPR, data subjects have a right to request erasure, rectification of their data, or the restriction of processing of their data. As with other individual rights, it will be easier for you and for the other organisations in a data sharing arrangement if you have clear policies and procedures about how to handle such requests.

Under Article 19 of the UK GDPR, if you have shared information with other organisations you must inform them of the rectification, erasure or restriction of the personal data, unless this proves impossible or involves disproportionate effort. If asked, you must also inform the individual about those organisations that you have shared their data with.

How do we deal with complaints and queries from individuals about sharing their data?

Individual data subjects may have queries or complaints about the sharing of their personal data, particularly if they think the data is wrong or that the sharing is having an adverse effect on them.

The way you handle these queries and complaints makes a difference both to the individuals and to your organisation. It is not always a case of simply providing a response. The comments you receive might be an invaluable resource for you when you are reviewing your data sharing arrangement.

It is good practice to:

  • have procedures to deal with any complaints and queries in a quick and helpful way;
  • provide a single point of contact for complainants or enquirers;
  • review the comments (good and bad) you receive in order to obtain a clearer understanding of public attitudes to the data sharing you carry out;
  • take the opportunity to provide individuals with information about your data sharing, further to that contained in your privacy information, when answering their specific queries;
  • use any significant objections, negative comments or other expressions of concern you receive when you inform people about your data sharing, to help you review your data sharing: the amount of data you share, or which organisations you share it with. You may need to decide whether the sharing can go ahead in the face of public opposition. For example, you might decide to go ahead because you are under a legal obligation to share the data; and
  • consider setting up focus groups to explore individuals’ concerns, if you are carrying out large-scale data sharing operations.

What do we need to do if the data sharing involves solely automated processing?

Article 22 of the UK GDPR gives data subjects additional protective rights if your data sharing arrangement involves solely automated processing:

“The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.”

“Solely” here means that there is no human influence on the outcome.

Example of solely automated decision-making

A bank made a decision not to grant a loan to an individual:

  • based on personal data obtained about the individual from a range of sources; and
  • using algorithms, rather than the decision-making input of a member of bank staff.

If your data sharing arrangement involves any automated decision-making, including profiling, you must document the specific lawful basis for that in your data protection policy.

Documenting your processing activities will help you to decide whether they constitute profiling and solely automated decision-making.

Processing involving automated processing and profiling has a high level of risk. The UK GDPR requires you to carry out a DPIA in respect of processing that meets the Article 22 definition, to show you have considered the risks and how you will deal with them.

The UK GDPR allows you to carry out processing falling within Article 22, so long as you can rely on one of three exceptions:

  • When the decision is necessary for a contract.
  • When the decision is authorised by domestic law.
  • When the decision is based on the individual’s specific consent.

In respect of any processing that falls within Article 22 you must also:

  • give individuals specific information about the processing;
  • explain to them their rights to challenge a decision and request human intervention; and
  • ensure you have measures in place to prevent errors, bias and discrimination in your systems.

Where the processing includes profiling, you must tell individuals that they have a right under Article 21 of the UK GDPR to object to it in certain circumstances.

What do we need to do if the data sharing involves automated decision-making or profiling that does not fall within Article 22 of the UK GDPR?

If your data sharing arrangement features automated decision-making or profiling, but does not fall within Article 22, it is still good practice to tell individuals about it; this will help you to meet your transparency obligation. Think carefully about what they would expect you to do with their data.

You must still comply with UK GDPR principles, document your lawful basis and allow individuals to exercise their rights easily.

You must also tell individuals that they have a right under Article 21 of the UK GDPR to object to profiling in certain circumstances.

All automated decision-making or profiling of special category data and of children’s personal data has additional protections.

What individual rights are provided by Part 3 of the DPA 2018: law enforcement processing?

The individual rights are:

  • the right to be informed;
  • the right of access;
  • the right to rectification;
  • the right to erasure or to restrict processing; and
  • the right not to be subject to automated decision-making.

Certain rights under the UK GDPR, such as the right to object and the right to data portability, do not exist in Part 3 of the DPA 2018. As with the UK GDPR, there are also exemptions and restrictions that can, in some circumstances, be legitimately applied to exempt or qualify the exercise of individuals’ rights.