Data sharing – the good practice guide

The sharing of personal information between organisations is not only well established but is also growing. In the public sector the potential benefits can be significant. For example, data sharing can result in improved public services, better protection for the vulnerable, and more accurate statistics which can help inform future local and central government policies. Data sharing is not, however, without risk and must always have due regard to an individual’s right to privacy.

With this in mind, the Information Commissioner has recently issued a code of practice on the sharing of personal information (the “COP”), after it was approved by the Secretary of State and laid before the UK Parliament. The statutory guidance, produced under s 52 of the Data Protection Act 1998 (“DPA”) after consultation, provides a framework for organisations to make informed decisions about the personal information they share internally and with other organisations. The COP is intended to be of practical application to the public and private sectors, and to both routine and one-off instances of data sharing.

While the COP elaborates on what those in the business of data sharing would already consider good practice, its focus is on providing practical guidance by using real world examples and case studies to illustrate the dos and don’ts of sharing personal information, in keeping with the DPA requirements.

It is important to stress that the COP does not impose any additional legal obligations on organisations. Compliance is not required where its good practice recommendations exceed what is required by the DPA; however, it can be used as evidence and taken into account in any legal proceedings.

It’s good to share

One perceived shortcoming of the draft guidance, issued along with the ICO’s original consultation in October 2010, was a lack of clarity around what was meant by “data sharing”. The final form COP clarifies any ambiguity by giving examples of those types of activities which fall within the ambit of data sharing, broadly meaning the disclosure of personal information across or between one or more organisations.

The COP sets out a number of factors for organisations to consider before entering into an arrangement to share personal information, as well as addressing any potential risks of not sharing information. It suggests that organisations should question:

• What is the data sharing meant to achieve? Clear objectives make it easier to ascertain what data to share and with whom.
• What information needs to be shared? Not all personal information should be shared if only certain datasets are required to achieve an organisation’s objectives.
• Who requires access to the shared personal data? Access should only be given on a “need to know” basis.
• When should it be shared? Is the sharing an ongoing, routine process, or does it take place in response to particular events?
• How should it be shared? Organisations should establish common rules for their technical and operational security measures surrounding the transmission of personal information.
• How can an organisation check that the sharing is achieving its objectives? Organisations are expected to judge whether the sharing is still appropriate and that the safeguards in place still match the risk of the sharing.
• What risk does the data sharing pose? Is any individual likely to object to or be harmed by the sharing? Would the sharing undermine an individual’s trust in the organisation?
• Could the same objective be achieved without sharing personal data? Could the personal information be anonymised to achieve the same aim, or would it be possible to achieve the same aim without using personal information?
• Is the current notification sufficient? Is data sharing permitted by the organisation’s data register entry?
• Is information being transferred outside the EEA? If so, how will the requirements of the eighth data protection principle be met?

Justification for sharing data

An organisation will need to ensure that it satisfies at least one of the conditions for processing personal information under the DPA to ensure that data sharing is fair and lawful, and carefully consider whether it has the legal power or ability to share personal information. This may be expressly permitted or implied by law. There may be duties of confidentiality to consider, and data sharing may also have implications for human rights.

Fairness can often be achieved by obtaining individuals’ consent to the data sharing (although in practice valid consent can often be difficult to obtain), or by being satisfied that the data sharing does not prejudice the legitimate interests of the individuals concerned. It may also be acceptable to share personal information on the basis that the individuals have asked to be contacted, for example for the provision of social support services or to conclude a contract.

Where sensitive personal information is involved, additional safeguards will need to be met. This may present particular challenges for the likes of health trusts and social services departments, which routinely handle sensitive personal information.

The COP states that it may be enough, in certain circumstances, to have a privacy notice, which individuals can access should they wish, detailing who is collecting the data (including contact details), who it will be passed to and the purposes for which it is being collected. This approach would be acceptable where the data sharing is within the reasonable contemplation of individuals when providing their details and they are unlikely to object. The Information Commissioner previously issued a Privacy Notices Code of Practice in 2009, and organisations may need to refer back to this when framing appropriate notices.

In adhering to good practice, it is important that the sharer and sharee work together to ensure that individuals know who has, or will have, their personal information and what it is being used for. The COP states that personal information should not normally be shared without the individual’s knowledge, unless under exceptional circumstances such as for the prevention of crime. This may create a problem for older personal information which may have been collected without a compliant privacy notice. As a general rule, objections are less likely when the data sharing is within the individual’s reasonable expectations: for example, passing details of a shopping order to an outsourced mail services supplier or an agent calling a customer back to complete an order.

It is also important to ensure that records are accurate, up to date, and that both the sharer and the sharee adhere to a consistent records retention policy and have appropriate security in place for the storage, processing and transfer of personal information. Likewise, there should be clear instructions about the security steps which need to be followed when sharing information by a variety of methods such as phone, email, fax or face to face. This is especially important as the Information Commissioner has shown a marked willingness to use his powers to fine organisations for serious breaches of the data protection principles. For example, in June 2011 Surrey County Council was issued with a £120,000 penalty after sensitive personal information was emailed to the wrong recipients on three separate occasions.

Establishing a framework

Where personal information is to be shared regularly, or on a large scale, it is good practice for organisations to have a data sharing agreement in place. Such agreements should set out a common set of rules for the storage, processing and transfer of personal information. The COP recommends that such agreements should cover, as a minimum:

• the purpose(s) of the sharing;
• the potential recipients or types of recipients and the circumstances in which they will have access to the data;
• the data to be shared;
• the accuracy, relevance, usability and other factors affecting the quality of the data;
• data security;
• common retention periods for shared data;
• procedures for dealing with access requests, queries and complaints;
• the review mechanism for the effectiveness and termination of the agreement; and
• sanctions for failure to comply with the agreement or breaches by individual members of staff.

The COP also contains short data sharing checklists for those embarking on a data sharing exercise.

The COP is to be welcomed as a valuable and practical guide which should help give organisations the necessary confidence to share data in appropriate circumstances and thereby improve the customer experience. The ICO has also recently been running information sharing events across the UK for the public and voluntary sectors to discuss the importance of effective data sharing and raise awareness of the COP. By following the good practice examples in the COP, it is hoped that organisations will collect and share personal information in a way that is fair, transparent and in line with the rights and expectations of the individuals concerned.

Data sharing pitfalls

In certain cases where organisations do not comply with the DPA, the Information Commissioner has the power to take regulatory action. This includes the ability to serve enforcement notices (which compel an organisation to take specified action to bring about compliance with the DPA), and to serve monetary penalty notices of up to £500,000.

The COP lists a number of examples of bad practice in data sharing, which could lead to regulatory action:

misleading individuals about whether the organisation intends to share their information. For example, not telling individuals the organisation intends to share their personal information because it thinks they may object;

• sharing excessive or irrelevant information about people;
• sharing personal information when there is no need to do so;
• not taking reasonable steps to ensure that information is accurate and up to date before it is shared;
• using incompatible information systems to share personal information, resulting in its loss, corruption or degradation;
• having inappropriate security measures in place, leading to loss or unauthorised disclosure of personal information – for example, by sending personal information on an unencrypted USB stick or faxing sensitive data to a general office number.