Assessing the legality, risks and benefits of sharing
Due to the Data (Use and Access) Act coming into law on 19 June 2025, this guidance is under review and may be subject to change. The Plans for new and updated guidance page will tell you about which guidance will be updated and when this will happen.
Control measure: There is a process to assess the legality of sharing and document any outcomes.
Risk: If there is no consistent process to assess the legality of sharing, information may be shared illegally, impacting people’s rights and freedoms and resulting in a personal data breach. If you cannot demonstrate why sharing is legal, this may breach articles 5(1)(a) and (b), 5(2), 9 and 10.
Ways to meet our expectations:
- Complete an assessment of the legality of the sharing and document the outcome.
- Ensure that the purpose of sharing is compatible with the purposes for which the information was originally collected, unless a valid exemption applies (article 5(1)(b), DPA18 section 36, or both).
- Carry out a legitimate interests assessment (LIA) if you are relying on legitimate interests as the lawful basis for sharing.
- If the information you are sharing includes special category or criminal offence information under the UK GDPR, document the lawful basis (article 9 or 10, DPA18 section 35, or both) and the relevant conditions from schedule 1 or schedule 9 of the DPA18.
- Assess whether there is a compelling reason to share the information, in line with the ICO’s data sharing code and the children’s code, before doing so.
- For public authorities: consider whether there is a legal power to share outside the UK GDPR or DPA18 (ie a statutory obligation), and document the express or implied statutory legal power relied on.
Options to consider:
- Check that the appropriate decision-maker(s) makes the assessment about the legality of sharing within your organisation.
- Keep the assessment under regular review.
- Keep under review the methods for obtaining, recording and managing consent, where you are relying on this.
Control measure: There is a process to assess the potential risks and benefits of sharing and any outcomes are documented.
Risk: If the process to assess the risks and benefits of sharing is not consistent, this may result in a personal data breach. If you cannot demonstrate why sharing is justified, this may breach articles 5(1), 5(2) and 35.
Ways to meet our expectations:
- Complete a DPIA to assess the risks before entering into any new data sharing activity. There is an obligation to do this when sharing is likely to result in a high risk to people’s rights and freedoms.
- Always complete a DPIA if the data sharing involves children's personal information, in line with the data sharing code.
- When you are relying on a DPIA produced by other parties involved in the sharing, seek input from all stakeholders to ensure that the risk factors are properly considered.
Options to consider:
- Use a template or common fields for completing DPIAs to ensure a consistent approach.
- Have processes for managing and reviewing completed DPIAs, so that they can be accessed as required, remain fit for purpose and stay within risk appetite.
- Establish consistent methods for reviewing DPIAs produced by other parties involved in the sharing.