Awdurdod annibynnol y Deyrnas Unedig a sefydlwyd i gynnal hawliau gwybodaeth er budd y cyhoedd, annog cyrff cyhoeddus i fod yn agored a hybu preifatrwydd data i unigolion.

At a glance

The government has devised a framework for sharing personal data, for defined purposes across specific parts of the public sector, under the Digital Economy Act 2017 (DEA).
The aim is to improve public services through the better use of data, while ensuring privacy, clarity and consistency in how the public sector shares data.

In more detail

Data sharing under the Digital Economy Act 2017

The government introduced a framework for sharing personal data for defined purposes across specific parts of the public sector, under the Digital Economy Act 2017 (DEA): the DEA framework.

Its aims are to:

  • ensure clarity and consistency in how the public sector shares personal data;
  • improve public services through the better use of data; and
  • ensure data privacy.

The government has also made it clear that you should only share data when there is a clear public benefit.

Part 5 of the DEA focuses on digital government, providing gateways that allow specified public authorities to share data with each other. Some of these gateways enable the sharing of personal data, while others allow the sharing of non-identifying data. The objectives and purposes for data sharing under the DEA powers are tightly defined.

Under the DEA you must still comply with the data protection legislation.

Part 5 of the DEA explicitly:

  • states that all processing of information under the DEA powers must comply with data protection legislation; and
  • prohibits the disclosure of information where it would contravene data protection legislation.

Note that although the DEA pre-dates the coming into force of the EU GDPR and of the UK GDPR, it was drafted with a view to being consistent with EU GDPR provisions, as these were already known following agreement of the EU GDPR text in 2016.

The powers to share information under Part 5 of the DEA are supplemented by statutory codes of practice (the DEA codes) which must be consistent with the Information Commissioner’s data sharing code of practice “as altered or replaced from time”. The DEA codes must follow the data protection principles, ensuring that sharing personal data under the DEA powers is proportionate.

For example, there is a DEA code for public authorities sharing personal data about aspects of public service delivery. Its purpose is to achieve specified public service delivery objectives:

  • to assist people experiencing multiple social or economic disadvantages, or living in fuel or water poverty;
  • to reduce and manage debt owed to the public sector; and
  • to combat fraud against the public sector.

There are also provisions in the DEA facilitating data sharing by and with the Statistics Board to allow the production of statistics, disclosure of information by civil registration officials, disclosure of information by Revenue Authorities, and data sharing for research purposes.

The DEA does not currently cover data sharing relating to the provision of health and social care.

The DEA codes contain guidance about what data you can share and for which purpose. They include safeguards to make sure that the privacy of citizens’ data is protected. The two DEA codes that cover public service delivery, debt and fraud powers, and civil registration powers, require public authorities to put in place a data sharing or information sharing agreement, and specify what the agreement must cover.

Anyone who discloses information under the DEA Part 5 powers must also “have regard” to other codes of practice issued by the Information Commissioner. This is in “so far as they apply to the information in question”:

  • on the identification and reduction of risks to privacy of a proposal to disclose information; and
  • on the information to be provided to individuals about how information collected from them will be used.

The Framework for data processing by government

Section 191 of the DPA 2018 confers a discretionary power on the Secretary of State to publish a Framework for Data Processing by Government. The DEA framework is separate from this, but the expectation is that any government Framework will be consistent with the data sharing code and any future guidance published by government.