In the matter in question, a DfE database (containing 28 million records, some relating to children of 14 and over and which contained special category data) intended for use for education purposes was used by an employment screening firm to check whether people opening online gambling accounts were over 18 or not.
It is worth noting that the DfE infringement would have attracted a significant fine (£10.5 million) but for the revised approach being taken by the ICO to action in the public sector and so taking time to plan and execute data sharing in a compliant manner is essential.
We set out below the key steps which you should consider when embarking on a data sharing project.
- Consider whether any internal policies will apply to the sharing. These may be specific data sharing policies, or more general policies, such as those that relate to third-party contract management.
- Plan the sharing. In this stage, you will need to map out factual matters like why the sharing is necessary, what data you need to share, whether the sharing will be one off or continuing, what parties are involved, where (geographically) the data will be sent and used. This is also a good time to develop clear objectives for the data sharing and to ensure you understand how the sharing will achieve these.
- Weigh the benefits and risks of sharing/not sharing the data by means of a DPIA (the ICO recommends this even if there is no legal requirement), keeping the data protection principles in mind.
- Ensure there is a lawful basis for the sharing.
- Consider how to divide up roles such as the provision of privacy information, handling of data breaches and individuals’ rights requests. It is important that the sharing does not endanger compliance with the parties’ obligations in these regards. Where multiple parties are involved, there is a danger of compliance failures if responsibilities are not clearly defined.
- Consider retention and deletion of the data. How long does data need to be kept and how will it be deleted/returned at the end of this period?
- Draw up an agreement. This acts as a record of the sharing and will set out the obligations of each party with respect to it. This will also assist you in complying with your accountability obligations.
- As relevant, consider creating a data sharing policy and procedures to ensure a uniform approach to data sharing is adopted or review existing procedures to ensure they are fit for purpose.
- Review the arrangements. Data sharing should be reviewed regularly to ensure it is still necessary to meet the agreed objectives and that the arrangements in place are working efficiently.
The ICO also has a data sharing code of practice, which is essential reading for those embarking on a data sharing project. You can find this here.