Disclosures
Due to the Data (Use and Access) Act coming into law on 19 June 2025, this guidance is under review and may be subject to change. The Plans for new and updated guidance page will tell you which guidance will be updated and when this will happen.
Control measure: Procedures are in place for responding to ad hoc third-party requests for personal information.
Risk: If there are no procedures in place, this may result in a lack of standardisation about how to deal with ad hoc requests, and increase the risk of inappropriate or incorrect sharing decisions. This may result in a breach of articles 5(1)(f) and 32.
Ways to meet our expectations:
- Implement a policy or procedure for responding to ad hoc third-party requests for personal information and communicate it to staff.
- Keep a record on the person’s file, in a spreadsheet or in monitoring documents, indicating when there is a verbal or written disclosure to third parties.
- Consider whether you should put a data sharing agreement in place with the third party, if their ad hoc requests become more frequent.
Options to consider:
- Deliver specific training to key staff in departments where ad hoc requests are most common.
- Develop short checklists on how to handle ad hoc requests for staff to refer to in these departments.
Control measure: Written records are kept of responses and approvals for third-party requests for personal information.
Risk: Without evidence of compliance, there may be a breach of article 5(2).
Ways to meet our expectations:
- Keep a record on the person’s file, in a spreadsheet or in monitoring documents, indicating verbal or written disclosures to third parties.
- Keep a record of the steps taken to identify the nature of the disclosure, the requester and the reason for it.
- Keep a record of all disclosure approvals, where appropriate.
- Conduct quality assurance on verbal and written disclosures to provide assurances that staff are following procedures and actioning disclosures lawfully.
- Log all inappropriate disclosures as a personal data breach and take appropriate action.
Options to consider:
- Keep a central log of all disclosures.