Data storage, sharing and security
Latest updates - last updated 30 August 2023
30 August 2023 - A new FAQ has been added to explain what considerations should be made before using the blind carbon copy (BCC) function.
30 January 2023 - A new FAQ has been added to explain what considerations should be made before using facial recognition technologies (FRT).
9 December 2022 - We've added an FAQ "A sole trader has died and we need to get in touch with their clients. Can we do this?"
24 October 2022 - We’ve added two new FAQs to help businesses understand how to share recorded meetings or events, and whether they need consent to use CCTV.
- We need to share personal data with another organisation. Is this allowed?
- What security measures do we need to put in place?
- What do we need to do if we want to use CCTV?
- Why can’t the ICO endorse video call providers?
- What types of data need more protection?
- How do I know if personal data is high risk or sensitive?
- If we’re processing special category data, what do we need to do?
- How long should I store data?
- What’s the best way to destroy documents?
- What data protection responsibilities do I still have, even if my business is closing down?
- I'm closing down my small business. Do I have to let people know I’ll no longer be holding their data?
- Do I need to pass the personal data I hold to another company if I go out of business or lose a contract?
- What does data protection say about information relating to criminal offences or convictions?
- What is a data sharing agreement?
- Do I need a data sharing agreement?
- What should be in a data sharing agreement?
- How does data sharing apply to acquisitions and mergers?
- Can I share data with the police or other law enforcement authorities?
- Can I share data in an emergency?
- Am I allowed to send data outside of the UK?
- Can my business record and share an online meeting, event or a lesson that we host?
- Does my business need consent to install CCTV?
- A sole trader has died and we need to get in touch with their clients. Can we do this?
- Can we use facial recognition technology (FRT) for payment, entry or other security systems?
- Can we use blind carbon copy (BCC) to send emails to multiple people?
We need to share personal data with another organisation. Is this allowed?
Yes, if you have a valid reason, you can share personal data with another organisation.
But to do this and comply with data protection law, it’s important that you know what this valid reason is. The data protection term for this reason is the ‘lawful basis’. The lawful basis that’s right for you will depend on the reason you want or need to share the data. You should make a record of your lawful basis either on paper or electronically.
If you’re sharing data with another organisation, you must make sure you only share necessary information, and that you send it securely to the correct person.
You also need to think about whether people have been made aware their data will be used in this way.
For example, Sean uses a payroll company to pay his staff. The payroll company is a data processor, which means they’re handling the data on behalf of Sean’s company, but Sean will still need a lawful basis to share data with them. Before he started doing this, Sean carefully documented his lawful basis for processing – which in Sean’s case is for the performance of a contract. This is because as part of the employment contract Sean has with his employees, he needs to pay them, and he uses the payroll company to do this for him.
Sean knows that he mustn’t send more data than necessary to the payroll company. It’s documented in Sean’s process that the company needs to know the names and some financial information about his staff, but no additional information beyond this. Sean makes sure the information contained in his staff’s HR records, such as their addresses and personal development information, is stored separately from the information he sends to his payroll company, so there’s no confusion.
Sean also emailed staff to make sure they knew about the payroll company’s involvement and access to their personal data, and updated his staff privacy notice.
Before emailing his payroll provider, Sean always double-checks the ‘To’ field of his email. He sends personal data in a password-protected spreadsheet, with the password sent separately from the spreadsheet itself.
What security measures do we need to put in place?
It depends on what type of personal data you’re holding and using, but we’ve written a basic guide covering some practical ways to keep your IT systems safe and secure, to help you get started.
Some security measures are common sense and are likely to be part of your usual procedures, even if you haven’t thought of them as data protection measures before – locking cabinets and ensuring the windows and doors of your workplace are secure, for example. It’s likely you have electronic security measures in place, too, such as strong passwords, firewalls, and anti-virus software.
Other measures might take a little more thought and planning, such as training your staff on how to spot suspicious emails and making sure you don’t hold on to data for longer than you need it.
Information about people that is particularly sensitive – such as health data – needs extra protection.
What do we need to do if we want to use CCTV?
Firstly, you need to make sure that CCTV is really the right option for your company. Why do you need it, and are there any other options you could explore that are less intrusive? Consider what people would expect. For example, CCTV in toilets or public changing areas isn’t likely to be acceptable.
If you decide you need to use CCTV, create a document about how it will be used, why you’re using it, and how long you will keep the recordings. You should also note down how you plan to keep the recordings secured, and the responsibilities of your staff in relation to CCTV. This could include limiting access to the CCTV to a few key members of staff.
You’ll need to put up signs so that people know they’re being recorded. The signs need to be clear and obvious, telling people that CCTV is in operation.
Your business will also need to be registered with the ICO.
Why can’t the ICO endorse video call providers?
As the UK’s data protection regulator, we’re independent. This means we can’t endorse a specific organisation, for video call services or anything else. We also can’t individually vet every new communications service that enters the market.
But what we can do is advise you on what to look out for when you’re choosing a video call provider. It's important that the services offered are secure and safe, so you should check the provider’s privacy and security settings carefully. Look to see if the provider gives clear and transparent details on the security features they have and how best to implement them. You should make sure your staff and any volunteers use the right security settings, and update software as soon as possible when there are updates available.
What types of data need more protection?
There are some types of personal data that are likely to be more sensitive, known as special category data under the UK GDPR.
This includes personal data revealing or concerning:
- racial or ethnic origin;
- political opinions;
- religious or philosophical beliefs;
- trade union membership;
- genetic data;
- biometric data (where used for identification purposes);
- health;
- a person’s sex life; and
- a person’s sexual orientation.
If you’re processing any of these types of data, you should give particular consideration to how and why the data is used, and make sure you only use it when it’s absolutely necessary.
How do I know if personal data is high risk or sensitive?
You’re probably already familiar with the types of personal data that are generally considered high risk or sensitive based on how you feel about sharing it when it’s about you or someone in your care.
For example, many of us would be cautious about sharing information about our medical history, political opinions, or sexual orientation. But if asked for our email address, we’d probably be less concerned. It would depend on who is asking and what we think might happen to the data.
Data protection law takes this idea and makes some firm rules about the types of data that need more protection, which are known as the ‘special categories’ of personal data.
Outside of these special categories, knowing whether personal data is high risk or sensitive also partly depends on the risk of that data falling into the wrong hands, which your risk assessment will help you to work out.
If we’re processing special category data, what do we need to do?
Data protection law applies to any personal data you have or use (unless you’re using the data for purely personal or household activities). Your basic data protection obligations include having a lawful basis for processing and appropriate security measures. But where special category data is concerned, even stronger rules apply. This is because the special categories refer to personal information that could cause significant harm, such as discrimination or physical danger, if it was misused.
If you’re processing special category data, you should give particular consideration to how and why the data is used, and make sure you only use it when it’s absolutely necessary. You should also take extra care to keep it safe. Generally speaking, the more sensitive the data, the more safeguards you need to have in place. For example, you might need to do a DPIA and think about how your activities affect people’s rights.
You also need to meet a further condition from the list below, in addition to your lawful basis for processing.
(a) You have the explicit consent of the person it relates to
(b) You’re processing the personal data for employment, social security and social protection purposes (if authorised by law)
(c) You need to process the personal data to protect the vital interests of the person. This can be in situations where someone’s life might depend on you using their data, like a medical emergency
(d) You’re a non-profit body, a charity or fundraising organisation
(e) The data has already been made public by the person it relates to
(f) You need to process the personal data because of a legal claim or a judicial act
(g) You need to process the personal data for reasons of substantial public interest (with a basis in law) such as if it’s something that’s really important for people to know about
(h) You’re processing the data for health or social care purposes (with a basis in law)
(i) You’re processing the data for public health reasons (with a basis in law)
(j) You’re processing the data for archiving, research and statistics (with a basis in law)
Some of these have further conditions attached that you also need to meet. If you’re unsure, please contact us and one of our advisors will help you.
How long should I store data?
You should only keep personal data for as long as you need it. There aren’t any set time limits in data protection law because it depends on your situation.
Think about why you collected people’s personal information in the first place and the reason you’re processing it, known in data protection law as your lawful basis for processing. You must think about, and be able to justify, how long you need to keep it, and this will depend on your reasons for having it.
For example, Claire collected Bill’s name and address to give him a quote on having his house redecorated. Bill contacts her and explains that he’s changed his mind and doesn’t want the job doing anymore. Claire has no reason to keep Bill’s details any longer and deletes them.
Where possible, you’ll also need a policy which sets out how long you keep data for and why. When you no longer need personal data for the reason you collected it, make sure you destroy it securely or anonymise it.
However, if another law says you must keep certain records for a set period, then you should do so. In the example above, Claire may need to keep details of payments she has received from customers for when she is completing her tax returns.
What’s the best way to destroy documents?
Data protection law doesn't say exactly how you should destroy documents that you no longer need. But you need to make sure it’s done securely and in a way that means the information can't be recovered by anyone else.
For example, shredding documents instead of putting them into general waste makes it much more difficult for someone to see information they’re not authorised to see, either accidentally or deliberately.
We’ve produced a short guide on practical methods for destroying documents that are no longer needed which includes tips on how to destroy electronic files securely and has been written with small organisations in mind.
What data protection responsibilities do I still have, even if my business is closing down?
Even if your business is closing down, that business continues to be the controller of the personal data of your customers, clients, and other people you did business with, and data protection laws still apply.
The term ‘data controller’ or ‘controller’ refers to the organisation, business or company that decides why and how people’s personal information is handled. It can be a limited company, or a sole trader and all the different types of companies in between. It’s a legal entity rather than a person who works at the organisation, business, or company.
In practice, if a business is liquidated or goes into administration, it’s unlikely to be the person who used to own the business who carries on making practical decisions to do with the closure. More likely, the liquidator or administrator becomes the new most senior member of staff, and they will take over all key decisions.
Of course, not all businesses that close go into liquidation or administration. Sometimes a business owner may want to stop doing business. Generally speaking, if you still have a legal obligation to continue holding data for a length of time, your business will continue to be the controller of that personal data and data protection laws still apply.
This includes continuing your registration with the ICO unless you’re exempt.
For example, Brian is retiring as a GP and closing his practice. The British Medical Association requires GPs to retain patient records for set periods of time. As Brian must retain this data, and as they’re electronic records, Brian isn’t exempt from having to register with the ICO. He must therefore arrange for his registration to continue.
Even if your business is in good health, it’s good practice to draw up a plan for what should happen to any personal data you need to hold if you stop trading. Your plan could include:
- the personal data you’ll need to keep;
- why you’ll need to keep that data, such as for tax reasons or other legal obligations;
- how and where the data will be stored securely, either by you or a third-party organisation;
- how the data can be accessed if needed;
- how long you need to keep the data;
- your plans for ensuring the data stays accurate where necessary; and
- how you’ll destroy the data securely when the time comes.
I'm closing down my small business. Do I have to let people know I’ll no longer be holding their data?
Yes, if you can. It’s good practice to let people know your business is closing down and you’re not holding their data any longer. This shows people that you value their information even when you no longer need it. It also allows them time to raise any concerns or requests with you.
For some businesses, this will be straightforward and won’t take long. For others, it’s easier said than done. If you’re in this position, it’s a balance between the effort it would take to let them know and, based on the type of information you hold about them, how important it is to contact them.
For example, you might not be able to contact your customers easily because you no longer have access to their information. If the information you hold is sensitive personal data, such as medical information, then there may be more of a necessity to try and contact them than if the information you hold is limited to name and address details. But this should be an exception, rather than a rule, and you’ll need to be confident you can justify your decision.
You can contact us if you’re unsure what to do in your situation.
Do I need to pass the personal data I hold to another company if I go out of business or lose a contract?
Yes, there could be situations when you might need to do this, depending on your business.
For example, you might need to pass the personal data you hold to another company for them to assume controller responsibilities, if you lose a contract or your work is being given to a different service provider. If this happens, you should try and let people know as soon as possible, so they’re aware you’re no longer handling their data and that someone else is, instead.
The new company will also need to consider contacting people and letting them know about how their data will be used from that point.
What does data protection say about information relating to criminal offences or convictions?
Data protection law gives extra protection to a wide range of personal data to do with criminal activity and proceedings, which we loosely refer to here as ‘criminal offence data’. This could be specific data about criminal convictions or allegations, but it could also be any personal data about criminal offences or other security concerns.
Occasionally, as a small organisation, you might process criminal offence data. For example, you could have CCTV footage of someone vandalising your premises that you want to pass to the police. Or if you keep details of DBS checks, you’d be handling criminal offence data, even if the checks came back clear and show no criminal convictions.
In data protection law, this type of data needs extra protection because misusing it could cause significant risks to people. For example, it could affect someone’s right to a fair trial, it could limit their freedom to conduct business, or it could negatively impact their private and family life.
However, unlike the rules around special category data which are there to make sure information that’s particularly high risk or sensitive is treated with special care, the rules around criminal offence data are a bit different. This is because the need to protect people from criminal activity means that using this type of information can be justified in a wider variety of circumstances, despite the potential impact on the person who it's about.
For example, Teresa has CCTV installed at her shop. She catches someone shoplifting and wants to pass the CCTV footage to the police as evidence. At this point in time, Teresa is holding and sharing information relating to a criminal offence. This means that Teresa not only needs a valid reason – or lawful basis – to hold and use this information (which she would have needed in the first place before she started using CCTV), but the criminal offence adds another element. Teresa needs what’s known as a ‘condition to process’ this type of information. In Teresa’s situation, she can collect and share this information with the police to prevent or detect unlawful acts.
If you’re processing information relating to criminal convictions and offences and aren’t sure how to do this in a compliant way, you can contact us for advice.
What is a data sharing agreement?
A data sharing agreement sets out why you’re sharing personal data, what happens to the data when you send it to others, how it should be kept safe, and how it’s destroyed when it’s no longer needed. Having an agreement in place is important because it helps everyone involved to know what they can and can’t do with the data.
Do I need a data sharing agreement?
If you’re planning to share personal data with another business or organisation – such as the names, addresses and telephone numbers of your customers or clients – it’s good practice to have a data sharing agreement. As a controller, you’re accountable for what happens to the data, so it’s important to have a plan in place before you share it.
It lets people know that you care about their data and helps to demonstrate that you’re meeting your data protection obligations.
What should be in a data sharing agreement?
There’s no set format for a data sharing agreement, but here are a few things it should cover:
- Names of the organisations sharing data
- Purpose of the data sharing
- Type of data to be shared
- Lawful basis for the sharing
- Responsibilities for people’s data rights
- Rules for formatting, retention, and security
How does data sharing apply to acquisitions and mergers?
You may need to share data with or sell data to another organisation as part of a takeover or other situation involving a change in organisational structure such as an acquisition, merger or insolvency.
If the changes mean there’s a change in the controller of the data, or if the data is being shared with an additional controller, you need to take particular care to make sure it’s handled appropriately.
You need to:
- consider data sharing as part of your due diligence;
- establish what data you’re transferring, why you have it in the first place, and your lawful basis for sharing it;
- comply with data processing principles – especially lawfulness, fairness and transparency; and
- document your actions and decisions.
You also need to tell the people whose data you’re holding or using that there’s been a change of circumstances, and remind them about their information rights.
Can I share data with the police or other law enforcement authorities?
Yes. Data protection law doesn’t prevent you from sharing personal information with law enforcement agencies where necessary – even if the data you hold wasn’t collected for the purposes of preventing and detecting crime.
You may receive a request from the police, or any other organisation that has legal powers to pursue crime or collect tax, for example, the DWP benefit fraud section.
Where the requester has a warrant or court order for the personal data, or there are other legal requirements in place, you must provide it. Otherwise, you can choose whether to share the information with them if you think it’s appropriate in the circumstances.
When sharing personal data, you should make sure you’re only providing what’s necessary for their purpose, and nothing excessive. You can ask the requester for further information if you’re not sure.
Can I share data in an emergency?
Yes, you can share personal data in an emergency where information is required to save someone’s life or protect them or others from serious harm.
In fact, it could be harmful not to share someone’s data, for example if allergy information isn’t given to health staff providing emergency care to someone who’s had an allergic reaction.
You won’t have long to make a decision about whether to share someone’s data in an emergency situation. But you must still make sure that you only share what’s needed, and that you only share it with people who need it. This means you’ll only be sharing what is necessary and proportionate.
While it’s a good idea to consider the steps you might take in an emergency, you can’t plan for every situation. That’s why data protection law is flexible and encourages you to understand and assess the risks separately in each case. We’re here to help – contact us if you’d like more advice on data sharing.
Am I allowed to send data outside of the UK?
If you’re sending data outside of the UK, you may need to take some extra steps to make sure the data is protected under the UK GDPR. If it’s recognised (through what’s known as an ‘adequacy decision’) that the country you’re sending the data to already has good rules to protect the data, you won’t need to do anything else. Otherwise, it’s likely you’ll need to put a contract in place with the organisation you’re sending the data to. These contracts are called standard contractual clauses (SCCs) and contain specific terms to make sure that the data is being used correctly when sent internationally. If this isn’t possible, you should look to see whether there are any exceptions which apply to your circumstances.
For example, Jenna is a UK physiotherapist who uses an online app to store her patients’ personal data. This platform uploads the data to a server based in Brazil. As Jenna is sending the data outside of the UK, she needs to make sure it will be protected. There is no adequacy decision to say that Brazil’s rules provide enough protection for the data, so Jenna will probably need to speak with the other organisation and put SCCs in place.
Can my business record and share an online meeting, event or a lesson that we host?
It’s common for meetings, events and lessons to be held virtually, using video conferencing. If you’re recording these sessions, you’ll need to consider people’s rights and your data protection obligations.
You can record video conferencing sessions – including people’s images and voices – where you have a valid purpose that can’t be achieved using less intrusive methods eg taking minutes of meetings. You’ll need to record and justify your lawful basis for doing this.
Before recording, you should tell people why you’re recording, what you’ll use it for, and how long you’ll keep it. This information should be included in your privacy notice.
You shouldn’t usually post recordings online without the permission of the people included. If you need to publish the recording online, you must make this clear to attendees at the start and explain why. You should tell people how they can protect their privacy, such as by turning off their cameras and not entering their full name into the software.
Does my business need consent to install CCTV?
No. You don’t need people’s consent to install and operate CCTV. Consent is one of six lawful bases and isn’t always the most appropriate.
You should only rely on consent where you’re able to give people a genuine choice about whether you collect their personal data or not. In practice, it’s highly unlikely you’d be able to get consent from everyone who may be captured by your CCTV system, especially in public places.
Legitimate interests is likely to be a more appropriate lawful basis for operating CCTV in many cases. To rely on this, you’ll need to balance your purpose for using CCTV against the intrusion on people’s privacy. Completing a legitimate interests assessment (LIA) will help with this.
A sole trader has died and we need to get in touch with their clients. Can we do this?
Yes. If a controller dies while still in possession of personal information, someone needs to take responsibility for that information. For example, this could be an executor or someone appointed by probate, or through confirmation in Scotland. If that’s you, you’ll become the new controller. You’ll need a lawful basis for handling the personal data. It’s likely your lawful basis will either be legitimate interest or legal obligation, depending on your role in relation to the deceased person’s estate or business. For example, if you’re required to act according to probate or confirmation, you’d use legal obligation.
You must contact the affected people to let them know you’re taking control of their data and tell them what you’re going to do with it.
If you no longer need to retain or use the data, you must dispose of it securely as soon as possible. For example, if you’ve told people the original controller has died and the business is being closed, you must securely destroy any personal data no longer required.
Top tip: There are occasions when information needs to be retained for legal reasons or in accordance with industry guidelines. This could be the case even if a business is no longer trading. Check with the relevant industry regulator if you’re not sure.
Can we use facial recognition technology (FRT) for payment, entry or other security systems?
This FAQ highlights some of the key issues you should be aware of before using facial recognition technology (FRT). You must give careful consideration before using this type of technology.
FRT and similar technologies may offer certain benefits, such as making it easier to access devices, take payments or allow entry to secure areas. But these technologies can intrude on people’s privacy, so you need to think carefully when deciding whether to implement them. Consider whether there’s a less intrusive method you can use to achieve the same outcome.
Before you use FRT, you must complete a data protection impact assessment (DPIA) to show why using this technology is justified and proportionate. You must also assess how you’ll reduce any associated risks, such as bias or discrimination. This is especially important where you’ll be using personal data relating to children or vulnerable people.
You must identify a lawful basis. Consider whether consent is appropriate. If it is, you’ll need to give people an alternative to FRT, such as using a swipe card to enter a building. Make sure the alternative option doesn't disadvantage anyone.
Remember, FRT is likely to use special category biometric data (facial imaging) so you’ll also need to identify and satisfy a special category condition.
Be transparent with people about your use of FRT. Have clear signs, written in simple language, that tell people what you’re doing and how they can exercise their information rights. You must also include this in your privacy notice.
Can we use blind carbon copy (BCC) to send emails to multiple people?
When you use the ‘BCC’ field to send an email, the recipients can’t see each other’s email addresses.
You can use this if the personal information you’re sharing isn’t sensitive and there’s little risk. But if your email may reveal sensitive information about the recipients, you should assess whether other secure methods would be more appropriate, for example bulk email services or mail merge services.
What do we mean by sensitive information?
Whether personal information is sensitive depends on the circumstances. You should consider what impact revealing it would have on people. For example, financial information or information that might be used to commit ID fraud would probably be classed as sensitive.
Disclosing email addresses can reveal people’s information and potentially cause significant harm. Even if email content doesn’t have anything sensitive in it, showing which people receive an email could disclose confidential information about them. For example, sending information about the new opening hours of an HIV clinic would reveal the recipients are likely to use that service.
At the ICO, we’ve seen hundreds of personal data breach reports where a sender has forgotten to use the ‘BCC’ field – a simple case of human error.
To protect the personal information you hold, you must assess which appropriate measures to put in place. You could:
- set rules within your email system to provide alerts and warn email senders when they use the Carbon Copy (CC) field;
- set a delay, allowing time for errors to be corrected before the email is sent;
- turn off the auto-complete email function to prevent the system suggesting email addresses in the recipient’s box; and
- use the NCSC email security check tool.
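The first measure in the list above, an email system rule that warns the sender when addresses are visible in the To or CC fields, can be implemented as a pre-send check. The following is an added example written for this page; it is not code from the ICO or from any email product. It parses an outgoing message, counts the addresses that every recipient would be able to see, flags the message when that count exceeds a limit, and produces a corrected copy with those addresses moved to BCC. The limit of one visible recipient, the sample message and the addresses in it are all constructed for the example.

```python
"""Pre-send check for bulk emails that would expose recipient addresses.

Added example for this page, not ICO code. The sample message, the
example.com addresses and the visible-recipient limit are constructed.
"""
from email import message_from_string, policy
from email.utils import getaddresses

# Constructed policy value: more than this many addresses in To/Cc
# means every recipient can see who else received the email.
VISIBLE_RECIPIENT_LIMIT = 1

# Constructed outgoing message: three addresses are visible to everyone.
SAMPLE_MESSAGE = """From: sender@example.com
To: alice@example.com, bob@example.com
Cc: carol@example.com
Subject: New opening hours
Content-Type: text/plain

Our opening hours are changing from Monday.
"""


def parse_message(raw):
    """Parse a raw RFC 5322 message using the modern email policy."""
    return message_from_string(raw, policy=policy.default)


def visible_recipients(msg):
    """Return (name, address) pairs from the To and Cc headers.

    Bcc is deliberately excluded: those addresses are stripped by the
    mail server and are not visible to other recipients.
    """
    header_values = []
    for header in ("To", "Cc"):
        header_values.extend(msg.get_all(header, []))
    return getaddresses(header_values)


def check_bulk_exposure(msg, limit=VISIBLE_RECIPIENT_LIMIT):
    """Return (ok, reason). ok is False when the message would reveal
    more than `limit` recipient addresses to everyone who receives it."""
    recipients = visible_recipients(msg)
    if len(recipients) > limit:
        return False, (f"{len(recipients)} addresses are visible in To/Cc; "
                       "move them to Bcc or use a mail merge service")
    return True, "ok"


def move_to_bcc(msg, keep_to):
    """Return a copy of msg with every To/Cc address moved to Bcc.

    The To header is set to `keep_to` (normally the sender's own
    address) so the message still has a visible recipient.
    """
    recipients = [addr for _, addr in visible_recipients(msg)]
    fixed = parse_message(msg.as_string())  # independent copy
    del fixed["To"]
    del fixed["Cc"]
    fixed["To"] = keep_to
    fixed["Bcc"] = ", ".join(recipients)
    return fixed


if __name__ == "__main__":
    outgoing = parse_message(SAMPLE_MESSAGE)
    ok, reason = check_bulk_exposure(outgoing)
    print("pre-send check:", reason)
    if not ok:
        safe = move_to_bcc(outgoing, keep_to="sender@example.com")
        print("corrected headers:")
        for name in ("To", "Cc", "Bcc"):
            print(f"  {name}: {safe[name]}")
```

The check counts addresses rather than simply looking for a CC header, because a long To line leaks the same membership information as CC. Running the script on the constructed message reports three visible addresses and prints a corrected copy whose To field holds only the sender and whose Bcc field holds the three recipients.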
You must have the appropriate technical and organisational security measures in place to protect personal information when sending bulk emails. Make sure your staff know how to handle personal information securely. You should train staff about sending bulk communications by email.
Your email service provider should provide further information on how to use mail merge. For example, Google and Microsoft provide support on how to use mail merge.