Data sharing
-
Due to the Data (Use and Access) Act coming into law on 19 June 2025, this guidance is under review and may be subject to change. The Plans for new and updated guidance page will tell you about which guidance will be updated and when this will happen.
Control measure: There are measures in place to ensure that if children’s personal information is shared with others, it is done so in a fair and transparent manner.
Risk: Without appropriate measures, checks and balances in place to govern the potential and actual sharing of children's information, there is a risk of harm, detriment or unlawful disclosure and a breach of articles 5 (1) & (2) of the UK GDPR.
Ways to meet our expectations:
- Provide privacy information to children that makes it clear what, when and who you might share their personal information with.
- Ask senior management to authorise all sharing decisions and document their authorisation.
- Consider and document all the relevant issues and risks to the child associated with any data sharing and ensure you fully mitigate these risks.
- Confirm that the ‘best interests of the child’ are a primary consideration whenever you share children’s personal information.
- Conduct an assessment of the legality of the sharing.
- Undertake due diligence checks with any third parties you share information with to check the adequacy of their data protection practices and limit any further distribution of the information.
- Give children the option to opt out of the sharing of their information, if this is not a core function of your service.
Options to consider:
- When you share children’s information, provide them with explanations in a range of ways that will meet their differing needs and that they will engage with and understand.