The ICO exists to empower you through information.

Step 1 of 5: Data sharing governance

1.1 Data sharing policy

More information

Your policies, procedures and guidance should set out how your staff ought to respond to sharing requests. Any sharing of data must comply with the law, be fair, transparent and in line with the rights and expectations of the individuals whose data you are sharing. Your policy should explain how you will achieve compliance with these requirements, eg monitor information sharing logs, quality assess samples of instances of sharing. Your policy should also link in with your Data protection impact assessment (DPIA) policy or process, as you should carry out a DPIA on any data sharing that poses a high risk to the rights and freedoms of individuals. You should communicate this policy to all staff, eg via your intranet.

1.2 Accountability

More information

It is good practice to nominate a senior, experienced person to take overall responsibility for information sharing, ensure compliance with the law, and provide advice to staff making decisions about sharing. Your policy should make it clear who this person is and how to contact them. You should also provide specialist training to this individual to allow them to fulfil their role.

1.3 Staff training

More information

It is essential to provide appropriate training to staff that are likely to make significant decisions about data sharing or have access to shared data. The nature of the training will depend on their role within the sharing process. You can incorporate this into any training you already give on data protection, security, or legal obligations of staff. You should also maintain staff awareness through materials such as posters, office wide emails, intranet updates or data sharing content in newsletters.