As mentioned elsewhere on our blog, the General Data Protection Regulation (GDPR) is enshrined in UK law by the Data Protection Act 2018 (DPA). In this blog post we discuss the GDPR’s provisions for data sharing. First, a quick introduction to the terms used for the parties involved in data protection law:
- Data controller: a person or organisation who, either alone or jointly with others, determines the purposes for which and the manner in which any personal data are, or are to be, processed.
- Data processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
- Data subject: an individual to whom data relates in the context of data protection law; an individual with data protection rights.
Before you can think about sharing data, you need to ensure that any data you hold (and may wish to share) has been collected, processed and stored in compliance with the GDPR. You must adhere to the data processing requirements whenever you manage or share personal data. Remember that the GDPR applies only to personal data, which the legislation defines as ‘any information relating to an identified or identifiable natural person’, i.e. a data subject.
It is also important to recognise that not all of the data you obtain will count as personal data. If data sets are anonymised and any individual is no longer identifiable then the GDPR will not apply, since the information no longer constitutes personal data.
The regulation defines six principles that must be followed when processing personal data. All personal data must:
- be processed lawfully, fairly and transparently
- be collected for specified purposes and not further processed in a way incompatible with those purposes (purpose limitation)
- be limited to what is necessary for those purposes (data minimisation)
- be accurate and, where necessary, kept up to date
- be kept no longer than necessary (storage limitation)
- be kept secure, with confidentiality and integrity maintained
An overarching accountability requirement also applies: the controller is responsible for compliance with these principles and must be able to demonstrate it.
You will also need a lawful basis for processing personal data, of which there are six possible grounds:
- consent of the data subject
- necessary for the performance of a contract with the data subject
- necessary to comply with a legal obligation to which the controller is subject
- necessary to protect the vital interests of the data subject
- necessary for a task carried out in the public interest or in the exercise of official authority vested in the controller
- necessary for the legitimate interests pursued by the controller or a third party, unless overridden by the interests or rights of the data subject
The lawful basis cannot be swapped retrospectively: you cannot justify the processing or sharing of data on a different basis after the event. Data protection policies must be consistent and trustworthy, regardless of who you are.
Basic things to remember when sharing data
- The restrictions apply only to personal data. Truly anonymised data, from which no individual can be identified by any means reasonably likely to be used, falls outside the GDPR. Pseudonymised data (where identifiers are replaced by a key or token, as is common in healthcare records) is still personal data, because it can be re-attributed to an individual using the additional information held separately; pseudonymisation is a security measure that reduces risk, not a way out of the rules.
- Sharing can be classified as being with:
- a joint data controller (for joint purposes)
- another data controller (a third party, for their own use)
- a data processor engaged to store or use data on your behalf
- Before sharing, make sure that:
- there is a good reason for the sharing to take place (cf. the principles outlined for processing)
- the individuals have been clearly informed that their personal data is being shared, and with whom
- the volume of personal data shared is minimised
- the retention of the shared data is also minimised, i.e. it exists for the minimum time needed; every party processing the data must therefore have clearly stated retention and deletion policies
- the sharing is appropriately secure, both in transit and at the recipient
- the sharing is documented
- For some kinds of data sharing, contracts or other agreements are required: a processor must be engaged under a written contract setting out the terms of the processing (Article 28 GDPR), and joint controllers must set out their respective responsibilities in an arrangement between them (Article 26). It is best practice to have templates which can be customised to suit your business needs. A Data Protection Officer (DPO) or DPO service can help your Data Governance Team to formulate the appropriate templates and bespoke data sharing agreements.
- Each data sharing process must be evaluated on a case-by-case basis; if in doubt, consult your DPO and/or a specialist data protection lawyer.
- If you are sharing with a recipient in a country outside the EU that has not been declared ‘adequate’ by the European Commission, then the Commission’s standard contractual clauses (the ‘EU model clauses’) should normally be used. At the time of writing, an alternative for US recipients was their certification under the EU-US Privacy Shield; note, however, that the Privacy Shield was invalidated by the Court of Justice of the EU in July 2020 (the Schrems II judgment), and its successor, the EU-US Data Privacy Framework, has been in place since July 2023. Transfer mechanisms change, so it is important to stay up-to-date by following the latest guidance from a DPO and the relevant data protection authority (the Information Commissioner’s Office for the UK).