People expect organisations to share their personal data where it’s necessary to provide them with the services they want. They expect society to use its information resources to stop crime and fraud. However, people also want to know how their information is being used, who has access to it, and what that means for them. People also expect an appropriate level of choice and control, especially over their sensitive data.
The term ‘sharing’ should not be thought of in the traditional sense but rather, as different types of ‘disclosure’. Traditionally, sharing means giving up part of something that you own. In fact, the GDPR never mentions the word ‘sharing’. Regardless of the interpretation, this activity brings about many responsibilities for all organisations involved – whether private, third sector or public. Disclosure can take the form of one or more organisations providing data to a third party, several different organisations pooling information and making it available to each other or possibly to third parties, different parts of the same organisation making data available to each other or, one-off disclosures e.g. in emergency situations.
a group of retailers exchanging information about former employees who were dismissed for stealing
a local authority disclosing personal data about its employees to an anti-fraud body
the police passing information about the victim of a crime to a counselling charity
a GP sending information about a patient to a local hospital
a supermarket giving information about a customer’s purchases to the police
a school providing information about pupils to a research organisation
a retailer providing customer details to a payment processing company
It’s important to note that the data sharing discussed here happens between and among controllers. Any ‘disclosures’ to processors are managed through processor contracts and do not form part of this guidance. Before any data sharing takes place, it is important to establish the identity of and relationship between and among the parties (controller/processor/sub-processor and whether public, private or third-sector); the purpose and legal basis for sharing; the type, quality and retention periods of personal data being shared and the location of the sharing parties.
HINT: read more about Controller-Processor Relationships elsewhere in the help centre.
Infringements of the relevant provisions shall be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.
A summary (detail below)
Establishing purpose, compatibility and legal basis
GDPR Article 5 (1)(b) – Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
Sharing/disclosure generally brings about a further processing purpose
That further purpose must be lawful
Being lawful means that it must also be specified, explicit and legitimate
Being lawful also means that the further purpose must be compatible with the original purpose
We know that any processing purpose must have a legal basis (Article 6)
(Sensitive personal data legal basis comes from Article 9 plus one from Article 6)
If the further purpose is compatible with the original purpose, you don’t need a new legal basis***
If the data subject consents to the further processing, the compatibility test is irrelevant
If the processing is based on Union or Member State law, the compatibility test is irrelevant
This means that for all other legal bases, a compatibility test must be done
Public authorities cannot use the ‘legitimate interests’ legal basis in the performance of their normal tasks +++
There are some instances where you are prohibited from informing the data subject of disclosures to public authorities
Processing of personal data in a way incompatible with the purposes specified at collection is against the law and therefore prohibited.
***(For example, a retailer outsources the delivery of his online sales. Sales is the original purpose and delivery will be the further purpose for processing – there is obvious compatibility, so no separate legal basis is necessary)
+++ This creates a problem for universities and other public bodies that carry out fundraising if they currently use this legal basis.
It is strongly recommended that you go through the following sections. They provide further detail on purpose and legal basis as well as other matters of governance, including differences in requirements between the public and private sectors. For example, are you aware that public authorities cannot use the legitimate interest condition as a legal basis?
The Public Sector
(Including, but not necessarily limited to local government, national health services, maintained schools and other educational institutions, police and various other councils and committees)
Most, if not all, public sector bodies involved in data sharing would be subject to freedom of information legislation (such as the UK’s Freedom of Information Act) and in most cases, this will include their having to publish policies and procedures relating to data sharing/disclosure. The relevant sector legislation will probably define the organisation’s functions in terms of its purposes and the powers which the organisation may exercise in order to achieve those purposes. So, it is necessary to identify where in the legislation the legal basis for data sharing is provisioned.
Given that it is for the legislator to provide by law for the legal basis for public authorities to process personal data, Article 6 (1)(f) of the GDPR states that the ‘legitimate interests’ legal basis shall not apply to the processing by public authorities in the performance of their tasks.
Public authorities (competent authorities) to which personal data are disclosed should not be regarded as recipients if they receive personal data which are necessary to carry out a particular inquiry. This implies that in certain limited circumstances personal data, including sensitive data, must be shared without the data subject’s knowledge. By way of example, where personal data is processed for the prevention or detection of crime or the apprehension or prosecution of offenders, informing the data subject could prejudice the investigation.
In addition to the GDPR, competent authorities must also comply with legislation specific to the sector such as Directive (EU) 2016/680.
Data sharing agreements – sometimes known as ‘data sharing protocols’ – set out a common set of rules to be adopted by the various organisations involved in a data sharing operation. These could well form part of a wider contract between organisations. It is good practice to have a data sharing agreement in place, and to review it regularly, particularly where information is to be shared on a large scale, or on a regular basis. Public authorities should look to their specific regulators who may possibly provide their relevant data sharing agreement templates.
Private and Third-Sector Organisations
(Third-sector organisations could be described as non-governmental, not for profit organisations such as charities, voluntary and community organisations, faith-based organisations, professional associations, trade unions, self-help and advocacy groups, social enterprises)
Check your organisation’s constitutional documents or policies to make sure there are no restrictions that would prevent you from sharing personal data in a particular context.
Have due regard for any industry-specific regulation or guidance about handling individuals’ information as this may affect your organisation’s ability to share information.
Be aware of the legal issues that can arise when sharing personal data with public-sector bodies – such as within freedom of information legislation.
Identify the objective that the sharing is meant to achieve. Consider the potential benefits and risks, either to individuals or society, of sharing the data and also assess the likely results of not sharing the data. It’s good practice to make use of a Data Protection Impact Assessment.
Be aware that public authorities (competent authorities) to whom you disclose personal data should not be regarded as recipients if they request personal data which are necessary to carry out a particular inquiry. This implies that in certain limited circumstances personal data, including sensitive data, must be shared without the data subject’s knowledge. By way of example, where personal data is processed for the prevention or detection of crime or the apprehension or prosecution of offenders, informing the data subject could prejudice the investigation.
Lawfulness of processing
All parties involved, whether sending or receiving personal data must take into account whether the data sharing meets the principles for and lawfulness of processing.
Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Parties must have a clear legal basis for sharing data (e.g. legitimate interest of the data controller or with the consent of the data subject).
Sharing/disclosure generally brings about a purpose other than the purpose for which the personal data was originally collected. The processing of personal data for purposes other than those for which the personal data were initially collected should be allowed only where the processing is compatible with the purposes for which the personal data were initially collected. In such a case, no legal basis, separate from that which allowed the collection of the personal data is required. It goes without saying that the further processing (as well as the original processing) must still be lawful though.
Where the data subject has given consent or the processing is based on Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard, in particular, important objectives of general public interest, the controller should be allowed to further process the personal data irrespective of the compatibility of the purposes.
Where the further purpose is NOT based on the data subject’s consent or on any restrictions brought about in Union or Member State law (GDPR Recital 23) then, to ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected, take into account, inter alia:
- any link between the purposes for which the personal data have been collected and the purposes of the intended further processing
- the context in which the personal data have been collected, in particular regarding the relationship between data subjects and the controller
- the nature of the personal data, in particular whether special categories of personal data (sensitive personal data) are processed
- the possible consequences of the intended further processing for data subjects
- the existence of appropriate safeguards, which may include encryption or pseudonymisation
Example 1 – Compatibility is obvious – where the processing is necessary in relation to performance of a contract (sale of goods), there may be the need to disclose the address of the data subject to an external courier company so that goods can be delivered, or the data subject’s credit card details to payments company in order to effect payment.
Example 2 – Compatibility is not obvious and needs further analysis – extending the first example – the retailer wishes to use the customer's email address and purchase history to send personalised offers and discount vouchers for similar products as well as another unrelated product range. He also wishes to provide the customer's name, email address, phone number, and purchase history to a business contact which has opened a similar business to his. In both cases, the retailer cannot assume that this further use is compatible and some additional analysis is necessary, with the possibility of different outcomes. The retailer would also need to consider Article 13 of the e-Privacy Directive (Unsolicited communications).
Example 3 – Incompatibility is obvious – the customer also buys a range of other products on the retailer's website, some of which are discounted. The retailer, without informing the customer, has implemented an off-the-shelf price-customisation software solution, which - among other things - detects whether the customer is using an Apple computer or a Windows PC. The retailer then automatically gives greater discounts to Windows users. In this case, the further use of available data and the unfair collection of additional information, both for an unrelated purpose (allowing secret 'price discrimination'), are problematic.
Processing of personal data in a way incompatible with the purposes specified at collection is against the law and therefore prohibited.
Consent, (explicit consent for sensitive personal data). If it is correctly used, consent is a tool giving the data subject control over the processing of his/her data. If incorrectly used, the data subject’s control becomes illusory and consent constitutes an inappropriate basis for processing. If you are going to rely on consent as your condition you must be sure that individuals know precisely what data sharing they are consenting to and understand its implications for them. They must also have genuine control over whether or not the data sharing takes place. It is bad practice to offer individuals a ‘choice’ if the data sharing is going to take place regardless of their wishes, for example where the data sharing is required by statute or is necessary for the provision of an essential service.
The other conditions that provide a basis for processing non-sensitive personal data include:
the processing is necessary in relation to performance of a contract.
the processing is necessary because of a legal obligation that applies to you (except an obligation imposed by a contract).
the processing is necessary to protect the individual’s vital interests.
the processing is necessary for administering justice, or for exercising statutory, governmental, or other public functions.
the processing is in accordance with the ‘legitimate interests’ condition.
The conditions for processing sensitive personal data are more difficult to satisfy. For example, if you want to process medical data you have to satisfy a condition from the list above (Article 6) and also a more stringent sensitive data condition (Article 9) – one of which specifically legitimises processing of health data for medical purposes, including the provision of treatment and medical research.
Article 6 (1) states – Processing shall be lawful only if and to the extent that:
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
This condition requires a balancing of the legitimate interests of the controller, or any third parties to whom the data are disclosed, against the interests or fundamental rights of the data subject, in particular where the data subject is a child. The outcome of this balancing test will determine whether Article 6(f) may be relied upon as a legal ground for processing. This condition cannot legitimise the processing of special categories of personal data (sensitive personal data).
The GDPR recognises the following legitimate interest scenarios:
processing is strictly necessary for the purposes of preventing fraud
processing for direct marketing purposes
for purposes of ensuring network and information security
for transmitting personal data within a group of undertakings for internal administrative purposes, including the processing of clients' or employees' personal data
for disclosing personal data to a competent authority
exercising of the right to freedom of expression or information, including in the media and the arts
processing for historical, scientific or statistical purposes
The Article mentions 'third parties'. Examples of legitimate interests of third parties include:
publication of data for purposes of transparency and accountability – e.g. the salaries of top management in a company
historical or other kinds of scientific research – particularly where access is required to certain databases
general public interest or third party's interest – this may include situations where a controller goes beyond its specific legal obligations set in laws and regulations to assist law enforcement or private stakeholders in their efforts to combat illegal activities, such as money laundering, child grooming, or illegal file sharing online.
It is useful to imagine both the legitimate interests of the controller and the impact on the interests and rights of the data subject on a spectrum. Legitimate interests can range from insignificant through somewhat important to compelling. Similarly, the impact on the interests and rights of the data subjects may be more or may be less significant and may range from trivial to very serious.
To carry out the balancing test it is first important to consider the nature and source of the legitimate interests on the one hand and the impact on the data subjects on the other hand. This assessment should already take into account the measures that the controller plans to adopt to comply with the GDPR. See more detailed guidance on legitimate interests elsewhere in this help centre.
Data Sharing Agreements
Data sharing agreements – sometimes known as ‘data sharing protocols’ – set out a common set of rules to be adopted by the various organisations involved in a data sharing operation. These could well form part of a wider contract between organisations. It is good practice to have a data sharing agreement in place, and to review it regularly, particularly where information is to be shared on a large scale, or on a regular basis. Some industry sectors or public authorities may already have a standard agreement which you might use. Conduct a regular review of your agreements.
The GDPR requires organisations to have appropriate technical and organisational measures in place when sharing personal data. Organisations may be familiar with protecting information they hold themselves, but establishing appropriate security in respect of shared information may present new challenges.
Review what personal data your organisation receives from other organisations, making sure you know its origin and whether any conditions are attached to its use.
Review what personal data your organisation shares with other organisations, making sure you know who has access to it and what it will be used for.
Assess whether you share any data that is particularly sensitive. Make sure you afford this data a suitably high level of security.
Identify who has access to information that other organisations have shared with you; ‘need to know’ principles should be adopted. Avoid giving all your staff access to shared information if only a few of them need it to carry out their job.
Ensure that staff remain aware of the data subject’s access rights, including the rights to rectification, restriction, erasure and data portability.
Consider the effect a security breach could have on individuals.
Consider the effect a security breach could have on your organisation in terms of cost, reputational damage or lack of trust from your customers or clients. This can be particularly acute where an individual provides their data to an organisation, but a third-party recipient organisation then loses the data.
It is important to have procedures in place to maintain the quality of the personal data you hold, especially when you intend to share data. When planning to share data with another organisation, you need to consider all the data quality implications.
Make sure that the format of the data you share is compatible with the systems used by both organisations
Check that the information you are sharing is accurate before you share it
Establish ways for making sure inaccurate data is corrected by all the organisations holding it
Agree common retention periods and deletion arrangements for the data you send and receive
Train your staff so that they know who has the authority to share personal data, and in what circumstances this can take place
Things to avoid
When sharing personal data there are some practices that you should avoid. These practices could lead to regulatory action:
Not establishing a lawful purpose and legal basis for processing
Misleading individuals about whether you intend to share their information. For example, not telling individuals you intend to share their personal data because you think they may object.
Sharing excessive or irrelevant information about people. For example, routinely sharing details about individuals that are not relevant to the purpose that the information is being shared for.
Sharing personal data when there is no need to do so – for example where anonymised statistical information can be used to plan service provision.
Not taking reasonable steps to ensure that information is accurate and up to date before you share it. For example, failing to update address details before sharing information, leading to individuals being pursued at the wrong address or missing out on important information.
Using incompatible information systems to share personal data, resulting in the loss, corruption or degradation of the data.
Not having appropriate security measures in place, leading to loss or unauthorised disclosure of personal details. For example, sending personal data between organisations on an un-encrypted memory stick which is then lost or faxing sensitive personal data to a general office number.
The content herein is provided for your convenience and does not constitute legal advice.
Compliance Technology Solutions B.V. 2018