Data Protection Law
Data sharing has no formal definition within the UK GDPR or DPA 2018. However, the Information Commissioner’s Office (ICO), which acts as the UK’s data protection regulatory authority, published a statutory Data Sharing Code of practice in 2021. The code is mandated by section 121 of the DPA 2018 and defines its scope as covering ‘the disclosure of personal data by transmission, dissemination or otherwise making it available’. We often advise on the transfer of data from controllers to processors and, as many will know, such arrangements must be governed by a data processing agreement (Article 28 of the UK GDPR). In this blog, however, we explore the relationship between two controllers when sharing data. As stated in the code, its focus ‘is on the sharing of personal data between controllers, i.e. where two separate or joint controllers determine the purposes and means of the processing of personal data’.
Data Sharing Code – what transfers does it cover?
The 2021 Data Sharing Code identifies the following as types of in scope disclosures of personal data:
- “a one-way or reciprocal exchange of data between organisations;
- an organisation providing another organisation with access to personal data on its IT system for a specific research purpose;
- several organisations pooling information and making it available to each other or to a third party or parties;
- data sharing on a routine, systematic basis for an established purpose;
- one-off, exceptional or ad hoc data sharing; and
- one-off data sharing in an urgent or emergency situation”.
The code clarifies that “for the purpose of this code, data sharing does not include providing data access to employees or contractors, or with processors such as third-party IT processors.”
Controllers of personal data must comply with the data protection principles and requirements set out in the data protection legislation. The main risks for controllers when sharing data include:
- Failing to notify individuals about how their data will be processed.
- Collecting personal data for one purpose and later sharing or using it for another incompatible purpose without the data subject’s knowledge or consent.
- Failing to maintain the integrity and security of the data.
- Failing to comply with appropriate governance and accountability, including completing a data protection impact assessment (DPIA) where necessary.
Data sharing agreements
Although it is not mandatory, it is good practice to have a data sharing agreement when controllers share data with one another. Data sharing agreements set out the purpose of the data sharing, cover what happens to the data at each stage, set standards and help all parties involved to be clear about their roles and responsibilities. These agreements help demonstrate that the accountability obligation under the UK GDPR is being met.
There is no set format for a data sharing agreement; it can take a variety of forms, depending on the scale and complexity of the sharing. Such agreements should help you comply with the law, but they do not provide immunity from breaching the law or from the consequences of doing so. However, the ICO will take into account the existence of any relevant data sharing agreement when assessing any complaint it receives.
What should be included in a data sharing agreement?
Data controllers sharing data need to address a range of issues in data sharing agreements. Here are a few (in practice many other issues will need to be considered):
- The agreement should state who the controllers are at every stage, including after the sharing has taken place.
- The agreement should explain the specific aims of the sharing, why the sharing is necessary to achieve those aims and the benefits the data controllers hope to bring to individuals or to society more widely by sharing the data.
- The agreement should clearly identify all the organisations that will be involved in the sharing and should include contact details for their data protection officer or another relevant employee who has responsibility for data sharing, and preferably for other key members of staff. It should also contain procedures for including additional organisations in the data sharing arrangement and for dealing with cases where an organisation needs to be excluded from sharing.
- The agreement should set out the types of data being shared.
- The lawful basis for sharing the data needs to be clearly explained.
- The agreement will need to document the relevant conditions for processing, as appropriate under the UK GDPR or the DPA 2018, if the data being shared contains special category data.
To fully comply with the first data protection principle, controllers must meet the requirement of lawfulness. This means being able to evidence that the processing is undertaken in compliance with specific lawful grounds set out in the UK GDPR and DPA 2018. These include:
- Consent: the individual has given clear consent for you to share their personal data for a specific purpose.
- Contract: the sharing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract (a contract with another organisation does not qualify).
- Legal obligation: the sharing is necessary for you to comply with the law (not including contractual obligations).
- Vital interests: the sharing is necessary to protect someone’s life.
- Public task: the sharing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
- Legitimate interests: the sharing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
The UK GDPR makes it burdensome for a controller to rely on consent, so controllers will often need to find another lawful basis for processing/sharing the data. As individuals can withdraw consent at any time without giving a reason, it is preferable to rely on an alternative lawful basis where one is genuinely available. The alternatives most often relied on are legitimate interests, performance of a contract and compliance with a legal obligation. Organisations need to carefully consider their legal position if relying on any of these bases.
Data sharing lawful basis – example
In the 2021 Code, the ICO gives an example concerning software made available to consumers by a fintech company. EM law specialises in software and technology law and so comes across similar issues when helping with data protection compliance. Here is the example:
“A fintech company launched a paid-for digital tool to assist consumers in handling their finances. The tool could be viewed online and via a mobile phone application. It allowed individuals to access and consider their current accounts, savings accounts, credit cards, investments and pension information in one place. The tool also analysed spending habits and assisted the consumer in developing and managing their budgets. The analysis and planning could be addressed month by month and by different categories, such as grocery shopping, utilities and eating out.
For the service to function correctly, personal data needed to be shared with third-party providers. This was so the customer’s experience could be personalised with third-party services and materials accessible via the tool.
The fintech company relied on ‘performance of a contract’ as its basis for sharing/processing under Article 6 of the UK GDPR. As some of the services required the provision of sensitive personal data, explicit consent was also relied on as a condition for processing under Article 9.”
The 2021 Code addresses the transfer of databases or lists of individuals, whether for money or other consideration, and whether for profit or not. Examples of organisations involved in this type of data sharing include data brokers, marketing agencies and franchised businesses. Data controllers wishing to share data in this way must tell data subjects who their data is being shared with and for what purpose. Article 13 of the UK GDPR requires that privacy information is given to data subjects at the time their data is collected from them. Article 14 of the UK GDPR requires that privacy information is given to individuals whose data a controller has obtained indirectly “within a reasonable period after obtaining the personal data, but at the latest within one month”; if the data is used to communicate with the individual, the information must be given at the latest at the time of the first communication, and if it is to be disclosed to another recipient, at the latest when it is first disclosed.
A controller receiving data from a database or list is responsible for satisfying itself about the provenance, accuracy and integrity of the data received, including that it was obtained and shared lawfully. Once in control of the data, the receiving controller will have to respond to any complaints or requests made by data subjects about its use.
Data sharing – here to help
Given that UK data protection law requires that a contract is in place between a data controller and a data processor, it seems strange that no agreement is legally required between two data controllers ‘sharing data’ with one another. The ICO, however, gives extensive advice and information on such agreements, and there is no doubt that they facilitate data protection compliance for the benefit of all parties involved. And even though no agreement is mandatory, this is not to say that sharing between controllers is subject to any less regulation. The opposite is true. Identifying the lawful basis on which a data controller intends to share data with another controller can be a complex undertaking. The potential liability of data controllers receiving data should also incentivise organisations to get agreements in place and to have a strong understanding of their position.