Data sharing
- We need to share personal data with another organisation. Is this allowed?
- Do I need to pass the personal data I hold to another company if I go out of business or lose a contract?
- What does data protection say about information relating to criminal offences or convictions?
- What is a data sharing agreement?
- Do I need a data sharing agreement?
- What should be in a data sharing agreement?
- How does data sharing apply to acquisitions and mergers?
- Can I share data with the police or other law enforcement authorities?
- Can I share data in an emergency?
- Am I allowed to send data outside of the UK?
- Can my business record and share an online meeting, event or a lesson that we host?
We need to share personal data with another organisation. Is this allowed?
Yes, if you have a valid reason, you can share personal data with another organisation.
But to do this and comply with data protection law, it’s important that you know what this valid reason is. The data protection term for this reason is the ‘lawful basis’. The lawful basis that’s right for you will depend on the reason you want or need to share the data. You should make a record of your lawful basis either on paper or electronically.
If you’re sharing data with another organisation, you must make sure you only share necessary information, and that you send it securely to the correct person.
You also need to think about whether people have been made aware their data will be used in this way.
For example, Sean uses a payroll company to pay his staff. The payroll company is a data processor, which means they’re handling the data on behalf of Sean’s company, but Sean will still need a lawful basis to share data with them. Before he started doing this, Sean carefully documented his lawful basis for processing – which in Sean’s case is for the performance of a contract. This is because as part of the employment contract Sean has with his employees, he needs to pay them, and he uses the payroll company to do this for him.
Sean knows that he mustn’t send more data than necessary to the payroll company. It’s documented in Sean’s process that the company needs to know the names and some financial information about his staff, but no additional information beyond this. Sean makes sure the information contained in his staff’s HR records, such as their addresses and personal development information, is stored separately from the information he sends to his payroll company, so there’s no confusion.
Sean also emailed staff to make sure they knew about the payroll company’s involvement and access to their personal data, and updated his staff privacy notice.
Before emailing his payroll provider, Sean always double-checks the ‘To’ field of his email. He sends personal data in a password-protected spreadsheet, with the password sent separately from the spreadsheet itself.
Do I need to pass the personal data I hold to another company if I go out of business or lose a contract?
Yes, there could be situations when you might need to do this, depending on your business.
For example, you might need to pass the personal data you hold to another company for them to assume controller responsibilities, if you lose a contract or your work is being given to a different service provider. If this happens, you should try and let people know as soon as possible, so they’re aware you’re no longer handling their data and that someone else is, instead.
The new company will also need to consider contacting people and letting them know about how their data will be used from that point.
What does data protection say about information relating to criminal offences or convictions?
Data protection law gives extra protection to a wide range of personal data to do with criminal activity and proceedings, which we loosely refer to here as ‘criminal offence data’. This could be specific data about criminal convictions or allegations, but it could also be any personal data about criminal offences or other security concerns.
Occasionally, as a small organisation, you might process criminal offence data. For example, you could have CCTV footage of someone vandalising your premises that you want to pass to the police. Or if you keep details of DBS checks, you’d be handling criminal offence data, even if the checks came back clear and show no criminal convictions.
In data protection law, this type of data needs extra protection because misusing it could cause significant risks to people. For example, it could affect someone’s right to a fair trial, it could limit their freedom to conduct business, or it could negatively impact their private and family life.
However, unlike the rules around special category data, which are there to make sure information that’s particularly high risk or sensitive is treated with special care, the rules around criminal offence data are a bit different. This is because the need to protect people from criminal activity means that using this type of information can be justified in a wider variety of circumstances, despite the potential impact on the person who it’s about.
For example, Teresa has CCTV installed at her shop. She catches someone shoplifting and wants to pass the CCTV footage to the police as evidence. At this point in time, Teresa is holding and sharing information relating to a criminal offence. This means that Teresa not only needs a valid reason – or lawful basis – to hold and use this information (which she would have needed in the first place before she started using CCTV), but the criminal offence adds another element. Teresa needs what’s known as a ‘condition to process’ this type of information. In Teresa’s situation, she can collect and share this information with the police to prevent or detect unlawful acts.
If you’re processing information relating to criminal convictions and offences and aren’t sure how to do this in a compliant way, you can contact us for advice.
What is a data sharing agreement?
A data sharing agreement sets out why you’re sharing personal data, what happens to the data when you send it to others, how it should be kept safe, and how it’s destroyed when it’s no longer needed. Having an agreement in place is important because it helps everyone involved to know what they can and can’t do with the data.
Do I need a data sharing agreement?
If you’re planning to share personal data with another business or organisation – such as the names, addresses and telephone numbers of your customers or clients – it’s good practice to have a data sharing agreement. As a controller, you’re accountable for what happens to the data, so it’s important to have a plan in place before you share it.
It lets people know that you care about their data and helps to demonstrate that you’re meeting your data protection obligations.
What should be in a data sharing agreement?
There’s no set format for a data sharing agreement, but here are a few things it should cover:
- Names of the organisations sharing data
- Purpose of the data sharing
- Type of data to be shared
- Lawful basis for the sharing
- Responsibilities for people’s data rights
- Rules for formatting, retention, and security
How does data sharing apply to acquisitions and mergers?
You may need to share data with or sell data to another organisation as part of a takeover or other situation involving a change in organisational structure such as an acquisition, merger or insolvency.
If the changes mean there’s a change in the controller of the data, or if the data is being shared with an additional controller, you need to take particular care to make sure it’s handled appropriately.
You need to:
- consider data sharing as part of your due diligence;
- establish what data you’re transferring, why you have it in the first place, and your lawful basis for sharing it;
- comply with data processing principles – especially lawfulness, fairness and transparency; and
- document your actions and decisions.
You also need to tell the people whose data you’re holding or using that there’s been a change of circumstances, and remind them about their individual rights.
Can I share data with the police or other law enforcement authorities?
Yes. Data protection law doesn’t prevent you from sharing personal information with law enforcement agencies where necessary – even if the data you hold wasn’t collected for the purposes of preventing and detecting crime.
You may receive a request from the police, or any other organisation that has legal powers to pursue crime or collect tax, for example, the DWP benefit fraud section.
Where the requester has a warrant or court order for the personal data, or there are other legal requirements in place, you must provide it. Otherwise, you can choose whether to share the information with them if you think it’s appropriate in the circumstances.
When sharing personal data, you should make sure you’re only providing what’s necessary for their purpose, and nothing excessive. You can ask the requester for further information if you’re not sure.
Can I share data in an emergency?
Yes, you can share personal data in an emergency where information is required to save someone’s life or protect them or others from serious harm.
In fact, it could be harmful not to share someone’s data, for example if allergy information isn’t given to health staff providing emergency care to someone who’s had an allergic reaction.
You won’t have long to make a decision about whether to share someone’s data in an emergency situation. But you must still make sure that you only share what’s needed, and that you only share it with people who need it. This means you’ll only be sharing what is necessary and proportionate.
While it’s a good idea to consider the steps you might take in an emergency, you can’t plan for every situation. That’s why data protection law is flexible and encourages you to understand and assess the risks separately in each case. We’re here to help – contact us if you’d like more advice on data sharing.
Am I allowed to send data outside of the UK?
If you’re sending data outside of the UK, you may need to take some extra steps to make sure the data is protected under the UK GDPR. If it’s recognised (through what’s known as an ‘adequacy decision’) that the country you’re sending the data to already has good rules to protect the data, you won’t need to do anything else. Otherwise, it’s likely you’ll need to put a contract in place with the organisation you’re sending the data to. These contracts are called standard contractual clauses (SCCs) and contain specific terms to make sure that the data is being used correctly when sent internationally. If this isn’t possible, you should look to see whether there are any exceptions which apply to your circumstances.
For example, Jenna is a UK physiotherapist who uses an online app to store her patients’ personal data. This platform uploads the data to a server based in Brazil. As Jenna is sending the data outside of the UK, she needs to make sure it will be protected. There is no adequacy decision to say that Brazil’s rules provide enough protection for the data, so Jenna will probably need to speak with the other organisation and put SCCs in place.
Can my business record and share an online meeting, event or a lesson that we host?
It’s common for meetings, events and lessons to be held virtually, using video conferencing. If you’re recording these sessions, you’ll need to consider people’s rights and your data protection obligations.
You can record video conferencing sessions – including people’s images and voices – where you have a valid purpose that can’t be achieved using less intrusive methods, eg taking minutes of meetings. You’ll need to record and justify your lawful basis for doing this.
Before recording, you should tell people why you’re recording, what you’ll use it for, and how long you’ll keep it. This information should be included in your privacy notice.
You shouldn’t usually post recordings online without the permission of the people included. If you need to publish the recording online, you must make this clear to attendees at the start and explain why. You should tell people how they can protect their privacy, such as by turning off their cameras and not entering their full name into the software.