Bulk transfers of personal information in databases or lists
Due to the Data (Use and Access) Act coming into law on 19 June 2025, this guidance is under review and may be subject to change. The Plans for new and updated guidance page will tell you about which guidance will be updated and when this will happen.
Control measure: There are active operational controls and processes in place to ensure that large volumes of information in a database or list are being shared in compliance with the law.
Risk: If bulk information is released without the appropriate reviews, risk assessments and authorisations, then there is an increased risk of a data breach, unlawful sharing or sharing incomplete or inaccurate personal information.
Ways to meet our expectations:
- Ensure written data sharing agreements are detailed enough to meet the requirements of the data sharing code.
- Ensure data sharing agreements are signed off by senior management.
- Train teams involved in configuring or generating bulk personal information transfers appropriately.
- Ensure these teams clearly understand the authorisation processes, prior to releasing any information or adjusting existing data sets.
- Develop an approval process for adjustments to existing data sets before changes are actioned. Evidence the change management process.
- Clearly define the specific roles that have the authority to configure or generate data sets for release to data sharing partners.
- Clearly define the specific roles that have the authority to release information to sharing partners.
- Tell sharing partners:
  - the source of the information;
  - the lawful basis you obtained it on;
  - how you initially collected it; and
  - what you told people at the time about the purposes you are processing it for.
- Implement processes to monitor platforms and other data sharing mechanisms and ensure they are functioning as they should.
Options to consider:
- Pseudonymise or anonymise information within the database or list, where possible.
- Encrypt the information in transit.
- Regularly review how appropriate it is to share the data sets for the purpose.