Organisations will need to share data to deliver services for their clients, members, patients or customers.
What is data sharing?
Data sharing means the disclosure of data from one or more organisations to a third-party organisation or organisations. Data sharing can take the form of:
- a reciprocal exchange of data;
- one or more organisations providing data to a third party or parties;
- several organisations pooling information and making it available to each other;
- several organisations pooling information and making it available to a third party or parties;
- exceptional, one-off disclosures of data in unexpected or emergency situations.
The Information Commissioner's Office has issued a code of practice which gives guidance in respect of the two main types of data sharing:
- systematic, routine data sharing where the same data sets are shared between the same organisations for an agreed purpose. This could also involve a group of organisations arranging to 'pool' their data for specific purposes.
- exceptional, one-off decisions to share data for any of a range of purposes.
Factors to consider
Before sharing any personal data, you will need to consider all the legal implications of doing so. Your ability to share information is subject to several legal constraints which go beyond the requirements of GDPR. There may well be other considerations such as specific statutory prohibitions on sharing, copyright restrictions or a duty of confidence that may affect your ability to share personal data.
When deciding whether to enter into an arrangement to share personal data (either as a provider, a recipient or both) you need to identify the objective that it is meant to achieve. You should consider the potential benefits and risks, either to individuals or society, of sharing the data. You should also assess the likely results of not sharing the data. You need to ask:
- What is the sharing meant to achieve? You should have a clear objective. Being clear about this will allow you to work out what data you need to share and who with. It is good practice to document this.
- What information needs to be shared? You should not share all the personal data you hold if only certain data items are needed to achieve your objectives. For example, you might need to share somebody's current name and address but not other information.
- Who requires access to the shared personal data? You should employ 'need to know' principles, meaning that other organisations should only have access to your data if they need it, and that only relevant staff within those organisations should have access to the data. This should also address any necessary restrictions on onward sharing of data with third parties.
- When should it be shared? Again, it is good practice to document this, for example setting out whether the sharing should be an on-going, routine process or whether it should only take place in response to particular events.
- How should it be shared? This involves addressing the security surrounding the transmission or accessing of the data and establishing common rules for its security.
- How can we check the sharing is achieving its objectives? You will need to judge whether it is still appropriate and confirm that the safeguards still match the risks.
- What risk does the data sharing pose? For example, is any individual likely to be damaged by it? Is any individual likely to object? Might it undermine an individual's trust in the organisations that keep records about them?
- Could the objective be achieved without sharing the data or by anonymising it? It is not appropriate to use personal data to plan service provision, for example, where this could be done with information that does not amount to personal data.
The Data Sharing Agreement
It is essential that the agreement follows the recommendations of the ICO in the code of practice whilst at the same time enabling the organisations who are to share the data to achieve the stated aim and protect themselves.
How can Affinity Resolutions Help?
We understand the needs of an organisation to share data. With our unique legal, practical and marketing approach we will ensure that we create for you a bespoke agreement which both meets GDPR and enables the organisations who are to share the data to achieve their aims and be protected.
How can Affinity Resolutions Help?
We understand the needs of an organisation to use an outside business. With our unique legal, practical and marketing approach we will ensure that we create for you a bespoke agreement which both meets the GDPR and allows you to carry on your business as you wish.