In this blog, we’re going to explain how the DPA, UK GDPR and EU GDPR affect the way you process and share personal data. First, here’s a quick intro to the terms by which people are labelled in their relation to data protection law:
- Data controller: a person or organisation who either alone, or jointly, or in common with other persons, determines the purposes for which and the manner in which any personal data are, or are to be, processed.
- Data processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
- Data subject: an individual to whom data relates in the context of data protection law; an individual with data protection rights.
Processing
Before you can think about sharing data in the first place, you need to ensure that any data you have (and potentially may wish to share) has been processed and stored lawfully. The DPA and GDPR apply only to personal data, which is defined as ‘any information relating to an identified or identifiable natural person,’ i.e. a data subject.
Not all of the data you obtain will count as personal data. If data sets are anonymised and an individual can no longer be identified, then the GDPR will not apply, since the information no longer constitutes personal data.
Six Principles
The regulation defines six principles that must be followed when processing personal data. All personal data must:
- be processed lawfully, fairly and transparently
- be kept to the original purpose
- be minimised (i.e. only the personal data that is necessary is collected)
- have the accuracy upheld
- be removed if they are not necessary
- be kept confidential and their integrity maintained
Legal Basis for processing
You will also need to have a legal basis for processing personal data, of which there are six possible grounds. These are not hierarchical – you use the legal basis that is appropriate.
- consent of the data subject
- necessary for the performance of a contract
- legal obligation placed upon controller
- necessary to protect the vital interests of the data subject
- carried out in the public interest or is in the exercise of official authority
- legitimate interest pursued by controller
The grounds for processing cannot be retroactively adjusted or changed, i.e. you cannot choose to justify the processing or sharing of data in a different way after having done so. Data protection policies must be consistent and trustworthy, regardless of who you are.
Basic things to remember when sharing personal data
Restrictions apply to sharing personal data and therefore not anonymised or pseudonymised data. The latter is often used in healthcare notes, for example. But remember, the pseudonymisation key itself is personal data.
With whom may I share personal data
Examples of sharing personal data include sharing with:
- a joint data controller (for joint purposes).
- another data controller (a third party for their own use).
- a data processor engaged to store or use data for you (for your purposes)
Before sharing personal data, you must ensure:
- there is a good reason for the sharing to take place
- the individuals have been clearly informed that their personal data is being shared, and the details of the sharing, including:
- the details of the data to be shared
- with whom it is to be shared
- the purpose of the sharing
- the legal basis for the sharing
- for how long the data will be held
- the mechanism by which they can give consent / opt out
- the volume of personal data that needs to be shared is minimised.
- the availability of the information is also minimised, or the shared data exists for the minimum time
- any parties processing the data must therefore have clearly stated retention and deletion policies.
- the sharing is secure.
- the sharing is documented.
Contracts and Agreements
Where contracts or other data sharing agreements are required, it is wise to have a data sharing agreement in a framework which can be customised to suit your business needs. A Data Protection Officer (DPO) can help your team create the appropriate frameworks, and develop bespoke data sharing agreements.
If you are sharing to a country outside the UK or EU that has not been declared ‘adequate’ by the EU Commission, then the new EU standard contractual clauses should normally be used, with supplementary measures. These were updated in 2021 to meet the needs of the EU GDPR. The UK has also issued a new “Addendum” enable these SCCs to be used for international transfers from the UK.
Each data sharing process must be considered on a case by case basis. If in doubt consult your DPO and / or a specialist data protection lawyer. And remember, it is important to stay up-to-date by following the latest guidance from a DPO and the relevant data protection authorities (the Information Commissioner’s Office for the UK).