What do we mean by “data sharing” in data protection?
Data sharing is a term used to describe passing personal data from one controller to another. Each controller uses the data for its own purposes and is responsible for its own data protection compliance.
But what does that mean for data protection compliance checks?
For data sharing to be lawful it must:
- Meet one or more lawful bases for processing
- Be covered by the fair processing information (the “Privacy Notice”) given to the data subjects before their data was obtained
- Be securely transferred or shared
- Follow data minimisation principles.
We covered the differences between controllers and processors, and how to identify them, in our earlier article. Data sharing only occurs between controllers. Each controller is responsible for its own data protection compliance, but before sharing data you need to check that you have a lawful basis for the sharing. One lawful basis is that the transfer is necessary for the legitimate interests of one or both parties, provided those interests are not overridden by the rights and interests of the data subjects; that balancing exercise should be recorded. Alternatively you might obtain the consent of the data subjects to the transfer. Bear in mind that consent has to be a positive indication of agreement: silence does not constitute consent, and consent cannot be buried in terms and conditions but must be clear and separate from them.
Consent is only one possible lawful basis, and whichever basis you rely on, you must also have told the data subjects how their data will be used. To share data with another controller you must have declared the intention to do so, and the kind of organisation it will be shared with, in your privacy notice to the data subjects concerned. Privacy notices should be supplied to data subjects before you obtain their personal data. If you obtain personal data indirectly, the privacy notice must be provided at the earliest opportunity.
The data protection principles include a security obligation: to provide appropriate security to prevent personal data from being accessed, shared, amended or deleted without authority. This applies to data in transit as well as to data held in software, on servers and in apps. So ensure that you have agreed a secure transfer mechanism with the receiving controller, for example an encrypted channel or an encrypted file with the key sent separately, rather than an unprotected email attachment, and check that the data is going to the right recipient before it is sent.
Data minimisation means using the minimum personal data needed to achieve the objectives of the data sharing. Take time to review the files that are to be transferred, field by field as well as record by record, and ensure that only essential information is being shared. Keep a record of the review and of what data, if any, was excluded, as proof of compliance activity.
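One way to make the minimisation review repeatable is to keep a written allow-list of the fields each sharing purpose actually needs, build the export from that list rather than from the full file, and write out a record of what was excluded. The following is an added example, not code from the original article or its author; the purpose names, field names, allow-lists and sample records are all constructed for illustration.

```python
"""Data-minimisation review for a controller-to-controller transfer.

Added illustration; not from the original article. The purposes, field
names and sample records below are constructed for the example.
"""
import csv
import hashlib
import io
from datetime import datetime, timezone

# Assumed allow-lists: the fields each sharing purpose genuinely needs.
# Any field not listed for a purpose is dropped from the export.
ALLOWED_FIELDS = {
    "delivery_partner": ["order_id", "name", "postcode"],
    "payment_reconciliation": ["order_id", "amount"],
}

# Constructed sample export, as a controller's own system might produce it.
SAMPLE_CSV = """order_id,name,email,postcode,date_of_birth,amount
1001,A. Example,a@example.invalid,AB1 2CD,1980-01-01,19.99
1002,B. Sample,b@example.invalid,EF3 4GH,1975-05-05,5.00
"""


def minimise(csv_text, purpose):
    """Return (minimised_csv, review_record) for one sharing purpose.

    Raises KeyError for a purpose with no agreed allow-list, so an
    unreviewed sharing cannot silently go out with every field, and
    ValueError if the source lacks a field the purpose requires.
    """
    allowed = ALLOWED_FIELDS[purpose]
    reader = csv.DictReader(io.StringIO(csv_text))
    source_fields = list(reader.fieldnames or [])
    missing = [f for f in allowed if f not in source_fields]
    if missing:
        raise ValueError(f"allow-listed fields not in source: {missing}")
    rows = list(reader)

    # Project each record onto the allow-list; extra columns are ignored.
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=allowed, extrasaction="ignore")
    writer.writeheader()
    for row in rows:
        writer.writerow(row)
    minimised = out.getvalue()

    # The review record is the evidence of the compliance check: what
    # went out, what was held back, how many records, and a digest of
    # the exact file that was shared.
    record = {
        "purpose": purpose,
        "reviewed_at": datetime.now(timezone.utc).isoformat(),
        "records": len(rows),
        "fields_shared": allowed,
        "fields_excluded": [f for f in source_fields if f not in allowed],
        "export_sha256": hashlib.sha256(minimised.encode()).hexdigest(),
    }
    return minimised, record


if __name__ == "__main__":
    shared, review = minimise(SAMPLE_CSV, "delivery_partner")
    print(shared)
    print(review)
```

The allow-list is deliberately positive (what may be shared) rather than a list of fields to strip, so a new column added to the source system later is excluded by default until someone reviews it. Keeping the digest in the review record also lets you later show which exact file was sent under the agreed transfer mechanism.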
In conclusion, although it is not quite as simple as sending a file, carrying out these few checks will help to ensure that data sharing between controllers is compliant. These processes are essential to good data protection compliance. We can help with this and other data protection compliance issues.
Mandy P Webster, Data Protection Consultant