
Annex A: data sharing checklist


This checklist provides a step-by-step guide to deciding whether to share personal data.

You should use it alongside the data sharing code and guidance on the ICO website ico.org.uk.

It highlights what you should consider in order to ensure that your sharing complies with the law and meets individuals’ expectations.

Check whether the sharing is justified

Key points to consider:

☐ What is the sharing meant to achieve?

☐ Have you assessed the potential benefits and risks to individuals and/or society of sharing or not sharing?

☐ Is it fair to share data in this way?

☐ Is the sharing necessary and proportionate to the issue you are addressing?

☐ What is the minimum data you can share to achieve the aim?

☐ Could the objective be achieved without sharing personal data, or by sharing less personal data?

☐ What safeguards can you put in place to minimise the risks or potential adverse effects of the sharing?

☐ Is there an applicable exemption in the DPA 2018?

Consider doing a Data Protection Impact Assessment

Decide whether you need to carry out a DPIA:

☐ You must do a DPIA for data sharing that is likely to result in a high risk to individuals. This will depend on the nature, scope, context and purposes of the sharing. For more details on this, see the relevant section of this code and guidance on the ICO website ico.org.uk.

☐ For any data sharing plans, you may find it useful to follow the DPIA process as a flexible and scalable tool to suit your project.

If you decide to share

It is good practice to have a data sharing agreement. As well as considering the key points above, your data sharing agreement should cover the following issues. You should ensure you cover these matters in any event, whether or not you have a formal agreement in place:

☐ What information will you share?

☐ Is any of it special category data (or does it involve sensitive processing under Part 3 of the DPA 2018)? What additional safeguards will you have in place?

☐ How should you share the information?

  • You must share information securely.
  • You must ensure you are giving the information to the right recipient.

☐ What is to happen to the data at every stage?

☐ Who in each organisation can access the shared data? Ensure it is restricted to authorised personnel in each organisation.

☐ What organisation(s) will be involved? You all need to be clear about your respective roles.

☐ How will you comply with your transparency obligations?

  • Consider what you need to tell people about sharing their data and how you will communicate that information in a way that is concise, transparent, easily accessible and uses clear and plain language.
  • Consider whether you have obtained the personal data from a source other than the individual.
  • Decide what arrangements need to be in place to comply with individuals’ information rights. Bear in mind the differences under Part 3 of the DPA 2018, if applicable.

☐ What quality checks are appropriate to ensure the shared data is accurate and up-to-date?

☐ What technical and organisational measures are appropriate to ensure the security of the data?

☐ What common retention periods for data do you all agree to?

☐ What processes do you need to ensure secure deletion takes place?

☐ When should regularly scheduled reviews of the data sharing arrangement take place?

Accountability principle

You must comply with the principles; this point focuses on the accountability principle:

☐ The accountability principle means that you are responsible for your compliance with the UK GDPR or DPA 2018 as appropriate and you must be able to demonstrate that compliance.

☐ You must maintain documentation for all your data sharing operations.

☐ This obligation encompasses the requirement to carry out a DPIA when appropriate.

☐ You must implement a “data protection by design and default” approach, putting in appropriate technical and organisational measures to implement data protection principles and safeguard individual rights.

☐ You must ensure that staff in your organisation who are likely to make decisions about sharing data have received the right training to do so appropriately.

Decide what your lawful basis is for sharing the data

Key points to consider:

☐ What is the nature of the data and the purpose for sharing it, as well as the scope and context?

☐ Are you relying on legitimate interests as a lawful basis? If so, you must carry out a legitimate interests assessment (LIA).

☐ Is any of the data either special category data or criminal offence data? If so, you need to identify additional conditions.

☐ For law enforcement processing under Part 3 of the DPA 2018, please refer to the references throughout the code and in particular to the Part 3 section.

Check whether you have the power to share

Key points to consider:

☐ What type of organisation you work for. The position is different for the public and private sectors. Please refer to the data sharing code for more details.

☐ Any relevant functions or powers of your organisation.

☐ The nature of the information you have been asked to share.

☐ Whether there are any legal requirements that need to be met when sharing the data – such as copyright or a duty of confidence, or any prohibitions.

☐ Whether there is a legal obligation or other legal requirement about sharing information – such as a statutory requirement, a court order or common law.

Document your decision

Document your data sharing decision and your reasoning – whether or not you share the information.

If you shared information you should document:

☐ your justification for sharing;

☐ what information was shared and for what purpose;

☐ who it was shared with;

☐ when and how it was shared;

☐ whether the information was shared with or without consent, and how that was recorded;

☐ the lawful basis for processing and any additional conditions applicable;

☐ individuals’ rights;

☐ data protection impact assessment reports;

☐ compliance with any DPO advice given (where applicable);

☐ evidence of the steps you have taken to comply with the UK GDPR and the DPA 2018 as appropriate; and

☐ where you have reviewed and updated your accountability measures at appropriate intervals.