There may be situations where you want to share personal information with other organisations. This may include information used in, or generated by, your content moderation processes.
Before sharing any personal information with other organisations, you must consider whether:
- it is necessary; or
- you can achieve your intended purpose without sharing personal information.
For example, you may want to share information with a research organisation to monitor trends in how people share certain content. In this case, it is unlikely that you need to share personal information about the users who are distributing the content.
If you need to share personal information with another organisation, you must identify a lawful basis. If you are disclosing special category information or criminal offence information, you must identify additional conditions for processing. (See section on ‘How do we carry out content moderation lawfully?’ for more information.)
You should put in place a data sharing agreement to:
- set out why you are sharing the information;
- cover what happens to the information at each stage; and
- set standards for sharing.
This helps all the parties involved in sharing the information to be clear about their roles and responsibilities.
Our data sharing code of practice provides guidance about how to share personal information with other organisations. It includes information about sharing information in an emergency and sharing information with law enforcement agencies.
The government intends to publish secondary legislation under the OSA about reports made to the NCA about CSEA content. This may include provisions about the information that you need to include in these reports. We plan to publish further data protection guidance on the requirement to report CSEA content to the NCA under section 66 of the OSA.