Top tips for compliant data sharing

What do we mean by “data sharing” in data protection?

Data sharing is a term used to describe passing personal data from one controller to another. Each controller uses the data for its own purposes and is responsible for its own data protection compliance.

But what does that mean for data protection compliance checks?

For data sharing to be lawful it must:

Meet one or more lawful bases for processing
Have authority based on fair processing information given to the data subjects prior to obtaining the data (a “Privacy Notice”)
Be securely transferred or shared
Follow data minimisation principles.

We covered the differences between controllers and processors and how to identify them in our earlier article here. Data sharing only occurs between two controllers. Each controller is responsible for its own data protection compliance but before sharing data you need to check that you have a lawful basis for the sharing. One lawful basis is that the transfer is necessary in the legitimate business interests of the parties and that the rights of data subjects are being protected. Alternatively you might obtain the consent of data subjects to the transfer, bearing in mind that consent has to be a positive indication of agreement, silence does not constitute consent nor can it be buried in terms and conditions but must be clear and separate.

Authority to process personal data stems not from consent but from notice to data subjects about the way in which their data will be used. To share data with another controller you must have declared the intention to do so in your privacy notice to the data subjects concerned. Privacy notices should be supplied to data subjects before you obtain their personal data. If you obtain personal data indirectly, then the privacy notice must be provided at the earliest opportunity.

The data protection principles include a security obligation, to provide appropriate security to prevent personal data from being accessed, shared, amended or deleted without authority. This applies to data in transit as well as data held in software, on servers and apps. So ensure that you have agreed a secure transfer mechanism with the receiving party of the data.

Data minimisation means using the minimum personal data possible to achieve the objectives of the data sharing. Take time to review the files that are to be transferred and ensure that only essential information is being shared. Keep a record of the review and what data, if any, was excluded as proof of compliance activity.

In conclusion, although it is not quite as simple as uploading a file to the internet, carrying out these few checks will help to ensure that data sharing between controllers is compliant. These processes are essential to good data protection compliance. We can help with this and other data protection compliance issues.

Mandy P Webster, Data Protection Consultant

About the Author: mandy.webster

Since June 1999 Mandy Webster has been a freelance consultant offering audit, advice and training on privacy, information security and e-commerce issues as Data Protection Consulting Limited. The company’s mission is to help clients from a variety of sectors, and of all sizes, comply with data protection law and to that end it offers a range of solutions. Mandy, a qualified lawyer, is author of ‘Data Protection for the HR Manager’ and ‘Data Protection in the Financial Services Industry’ published by Gower and “Effective Data Protection” and ‘The ICSA Data Protection Troubleshooter’ published by ICSA Publishing Limited. Mandy is a well-known writer, commentator and speaker on data protection.

Top tips for compliant data sharing