I was having a discussion with an organisation last week and there was some concern, and indeed some confusion, about the future of information sharing under the GDPR (General Data Protection Regulation) and the new Data Protection Act 2018. The concern, rightly or wrongly, is that given the complex and nightmarish structure of the DPA2018, are we going to see more instances of 'DPA says no' to data sharing because staff find the DPA too confusing? Will we see yet more cases like Baby P, Victoria Climbié or the Soham murders etc., where information wasn't shared and Data Protection was used as one of many scapegoats?
I've run a few workshops on the DPA2018 now and worked with a number of organisations on their practical implementation of it and I can see where that fear is coming from. The DPA18 is a more complex beast (in terms of structure and indeed content) than its predecessor but there are some things you can do to help combat that initial 'fear' deterrent for sharing information.
The key is to remember the basics of information sharing and they, as with most aspects of Data Protection, start with the principles. As a reminder, the principles for processing personal data under GDPR (& DPA) are:
- Information is processed fairly, lawfully and in a transparent manner
- Information is used for specific and legitimate purposes and not re-used for other purposes incompatible with that purpose
- Information is limited to what is necessary
- Information is accurate and up to date
- Information is deleted when no longer necessary
- Information is kept secure
- Information is processed in an accountable manner
Therefore, when you receive a request or proposal to share information, work your way through the principles as a starter for 10. If you come out of that leaning towards a yes, then it's worth exploring the next steps.
1. Fair, lawful and transparent. Based on the purpose of the information sharing, would that sharing in and of itself be fair? Not just fair to the individual but also would it be a lawful purpose to pursue? 'Fair' is often something that can be quite subjective based on the circumstances at the time so the key is to always bear in mind the individual's reasonable expectations. Would someone that has used your service once for one particular matter expect you to use that information for other matters? Would they also expect you to share everything you have on them simply because it has been asked for?
You also need to consider the legality of the proposed sharing. Is there a legal basis for the sharing that would either allow or make it easier to share that data? Has that basis been agreed and understood by both parties involved?
Note, as a side point, where you receive a police request for information (what was a Section 29) both you and the police have to have satisfied your grounds for processing under GDPR & DPA Part 2 (for you) and DPA Part 3 (for them). Therefore that establishment and agreement on grounds is even more key under the DPA18.
2. Specific and Legitimate purposes. Very similar to the above principle: where the request for information does not relate to the purpose (reason) for which you are using it in the first place, it could be in breach of this principle. For example, if someone has attended the local library and registered for an account, would it be fair or appropriate for you to then share that information with the planning team because they need to get hold of them?
3. Limited to what is necessary. This one always gets people as many frontline staff (but not all, just to be clear) often see a request for information as everything we have about that person. Sometimes the request could simply be confirmation of them being known to X or Y organisation or do we even hold a particular record on that person? It is key, therefore, to always be clear (either as the requestor or the data holder) as to what exactly you want to be shared. There are some cases where this is difficult to achieve up front so there is nothing wrong with speaking to the requesting org/person and scoping it out further. It could be, to the point above, that actually what they want is one specific detail that you may or may not hold. That will then make your assessment a little easier to determine.
4. Accurate & up to date. Seems a little obvious, but one key question to ask when doing your assessment on sharing is to determine firstly, how accurate and up to date is the data you have? If you know, for example, that the contact details you have on someone do not work then it is pointless sharing them with someone as they won't work for them either. Where you are looking to establish an ongoing sharing arrangement, you'll need to establish how information is kept accurate and up to date between you so that any changes in circumstances for the individuals concerned are appropriately managed.
5. Kept for no longer than necessary. A key question to ask is should I have this information in the first place? Not just from a purpose and use point of view (see above) but also from a retention point of view. If information that has been asked for, and that you have then found and retrieved, should officially have been deleted some time ago according to either statute or your own retention schedule, it is likely that you cannot share that data as your own processing of it is 'illegal'.
Where there is an ongoing sharing of data between organisations, one of the key areas to agree up front is around retention of the records involved. You'd also want to discuss and agree who is the official record holder (if there is to be one) and where and how this is listed on the organisation's retention schedules.
6. Kept secure. If, by this point, you are leaning towards sharing then a key question to answer is physically how this information will be shared between you. Both the GDPR and the DPA talk about the 'appropriate' measures to take when protecting personal data. Rather than locking it down, or saying 'it must be locked down completely and I can't, therefore I cannot share', look at exactly what you want to share and then look at the risk and options you have. I've worked with a number of IG professionals that all share the same viewpoint: they would rather look the ICO in the eye and explain their risk to share with X or Y protections than not share and look the coroner in the eye and explain why things were not actioned because of a lack of passwords. It is an extreme example, but it does put in context the principle of balancing risk. Sometimes, especially in life and death scenarios, there is a lesser of 2 evils.
If you're leaning towards not sharing then it's pointless looking at this question as if you're not going to share then why bother looking at technical methods of sharing it?
7. Used in an accountable manner. While 'technically' this isn't a principle, I see it as one. Especially as this will remind everyone of one of the key failings of information sharing - NOT DOCUMENTING THE DECISION! (With apologies for shouting). Time and time again staff will make a decision (consciously or subconsciously) to share or not share personal data and won't document what they did or did not do and why. Then, on reflection, no one can understand the decision with hindsight and the whole thing has to be re-explained (usually to the organisation's detriment). Therefore documentation is key! Regardless of whether the sharing is proactive (part of a framework) or a one-off request from the police, keep evidence of what was and was not agreed. This is often the hardest part to implement, especially for one-off requests that staff just deal with rather than seeking help, but it is one of the most important.
I've not gone into the DPA grounds for processing yet that may be used for information sharing, namely because they are far too complex for one blog post alone, but in terms of information sharing, these are the basic principles that I and many other organisations tend to follow. If you haven't already, I would also recommend that you input into the ICO's consultation on revising their Data Sharing Code of Practice. This closes on the 10 September and you can find a copy of the consultation at www.ico.org.uk/about-the-ico/ico-and-stakeholder-consultations/ico-call-for-views-on-updating-the-data-sharing-code-of-practice/.