Awdurdod annibynnol y Deyrnas Unedig a sefydlwyd i gynnal hawliau gwybodaeth er budd y cyhoedd, annog cyrff cyhoeddus i fod yn agored a hybu preifatrwydd data i unigolion.

We need to share personal data with another organisation. Is this allowed?

Yes, if you have a valid reason, you can share personal data with another organisation.

But to do this and comply with data protection law, it’s important that you know what this valid reason is. The data protection term for this reason is the ‘lawful basis’. The lawful basis that’s right for you will depend on the reason you want or need to share the data. You should make a record of your lawful basis either on paper or electronically.

If you’re sharing data with another organisation, you must make sure you only share necessary information, and that you send it securely to the correct person.

You also need to think about whether people have been made aware their data will be used in this way.

For example, Sean uses a payroll company to pay his staff. The payroll company is a data processor, which means they’re handling the data on behalf of Sean’s company, but Sean will still need a lawful basis to share data with them. Before he started doing this, Sean carefully documented his lawful basis for processing – which in Sean’s case is for the performance of a contract. This is because as part of the employment contract Sean has with his employees, he needs to pay them, and he uses the payroll company to do this for him.

Sean knows that he mustn’t send more data than necessary to the payroll company. It’s documented in Sean’s process that the company needs to know the names and some financial information about his staff, but no additional information beyond this. Sean makes sure the information contained in his staff’s HR records, such as their addresses and personal development information, is stored separately from the information he sends to his payroll company, so there’s no confusion.

Sean also emailed staff to make sure they knew about the payroll company’s involvement and access to their personal data, and updated his staff privacy notice.

Before emailing his payroll provider, Sean always double-checks the ‘To’ field of his email. He sends personal data in a password-protected spreadsheet, with the password sent separately from the spreadsheet itself.

What security measures do we need to put in place?

It depends what type of personal data you’re holding and using, but we’ve written a basic guide covering some practical ways to keep your IT systems safe and secure, to help you get started.

Some security measures are common sense and are likely to be part of your usual procedures, even if you haven’t thought of them as data protection measures before – locking cabinets and ensuring the windows and doors of your workplace are secure, for example. It’s likely you have electronic security measures in place, too, such as strong passwords, firewalls, and anti-virus software. 

Other measures might take a little more thought and planning, such as training your staff on how to spot suspicious emails and making sure you don’t hold on to data for longer than you need it.

Information about people that is particularly sensitive – such as health data - needs extra protection.

What do we need to do if we want to use CCTV?

Firstly, you need to make sure that CCTV is really the right option for your company. Why do you need it, and are there any other options you could explore that are less intrusive? Consider what people would expect. For example, CCTV in toilets or public changing areas isn’t likely to be acceptable.

If you decide you need to use CCTV, create a document about how it will be used, why you’re using it, and how long you will keep the recordings. You should also note down how you plan to keep the recordings secured, and the responsibilities of your staff in relation to CCTV. This could include limiting access to the CCTV to a few key members of staff.

You’ll need to put up signs so that people know they’re being recorded. The signs need to be clear and obvious, telling people that CCTV is in operation.

Your business will also need to be registered with the ICO.

Why can’t the ICO endorse video call providers?

As the UK’s data protection regulator, we’re independent. This means we can’t endorse a specific organisation, for video call services or anything else. We also can’t individually vet every new communications service that enters the market.

But what we can do is advise you on what to look out for when you’re choosing a video call provider. It's important that the services offered are secure and safe, so you should check the provider’s privacy and security settings carefully. Look to see if the provider gives clear and transparent details on the security features they have and how best to implement them. You should make sure your staff and any volunteers use the right security settings, and update software as soon as possible when there are updates available.

What types of data need more protection?

There are some types of personal data that are likely to be more sensitive known as special category data under the UK GDPR.

This includes personal data revealing or concerning:

  • racial or ethnic origin;
  • political opinions;
  • religious or philosophical beliefs;
  • trade union membership;
  • genetic data;
  • biometric data (where used for identification purposes);
  • health;
  • a person’s sex life; and
  • a person’s sexual orientation.

If you’re processing any of these types of data, you should give particular consideration to how and why the data is used, and make sure you only use it when it’s absolutely necessary.

How do I know if personal data is high risk or sensitive?    

You’re probably already familiar with the types of personal data that are generally considered high risk or sensitive based on how you feel about sharing it when it’s about you or someone in your care.

For example, many of us would be cautious about sharing information about our medical history, political opinions, or sexual orientation. But if asked for our email address, we’d probably be less concerned. It would depend who is asking and what we think might happen to the data.

Data protection law takes this idea and makes some firm rules about the types of data that need more protection, which are known as the ‘special categories’ of personal data.

Outside of these special categories, knowing whether personal data is high risk or sensitive also partly depends on the risk of that data falling into the wrong hands, which your risk assessment - will help you to work out.

If we’re processing special category data, what do we need to do?

Data protection law applies to any personal data you have or use (unless you’re using the data for purely personal or household activities). Your basic data protection obligations include having a lawful basis for processing and appropriate security measures. But where special category data is concerned, even stronger rules apply. This is because the special categories refer to personal information that could cause significant harm, such as discrimination or physical danger, if it was misused. 

If you’re processing special category data, you should give particular consideration to how and why the data is used, and make sure you only use it when it’s absolutely necessary. You should also take extra care to keep it safe. Generally speaking, the more sensitive the data, the more safeguards you need to have in place. For example, you might need to do a DPIA and think about how your activities affect people’s rights.

You also need to meet a further condition from the list below, in addition to your lawful basis for processing.

(a) You have the explicit consent of the person it relates to

(b) You’re processing the personal data for employment, social security and social protection purposes (if authorised by law)

(c) You need to process the personal data to protect the vital interests of the person. This can be in situations where someone’s life might depend on you using their data, like a medical emergency

(d) You’re a non-profit body, a charity or fundraising organisation

(e) The data has already been made public by the person it relates to

(f) You need to process the personal data because of a legal claim or a judicial act

(g) You need to process the personal data for reasons of substantial public interest (with a basis in law) such as if it’s something that’s really important for people to know about

(h) You’re processing the data for health or social care purposes (with a basis in law)

(i) You’re processing the data for public health reasons (with a basis in law)

(j) You’re processing the data for archiving, research and statistics (with a basis in law)

Some of these have further conditions attached that you also need to meet. If you’re unsure, please contact us and one of our advisors will help you.

How long should I store data?

You should only keep personal data for as long as you need it. There aren’t any set time limits in data protection law because it depends on your situation.

Think about why you collected people’s personal information in the first place and the reason you’re processing it, known in data protection law as your lawful basis for processing. You must think about, and be able to justify, how long you need to keep it, and this will depend on your reasons for having it.

For example, Claire collected Bill’s name and address to give him a quote on having his house redecorated. Bill contacts her and explains that he’s changed his mind and doesn’t want the job doing anymore. Claire has no reason to keep Bill’s details any longer and deletes them.

Where possible, you’ll also need a policy which sets out how long you keep data for and why. When you no longer need personal data for the reason you collected it, make sure you destroy it securely or anonymise it.

However, if another law says you must keep certain records for a set period, then you should do so. In the example above, Claire may need to keep details of payments she has received from customers for when she is completing her tax returns.

What’s the best way to destroy documents?

Data protection law doesn't say exactly how you should destroy documents that you no longer need. But you need to make sure it’s done securely and in a way that means the information can't be recovered by anyone else.

For example, shredding documents instead of putting them into general waste makes it much more difficult for someone to see information they’re not authorised to see, either accidentally or deliberately.

We’ve produced a short guide on practical methods for destroying documents that are no longer needed which includes tips on how to destroy electronic files securely and has been written with small organisations in mind.

What data protection responsibilities do I still have, even if my business is closing down?

Even if your business is closing down, that business continues to be the controller of the personal data of your customers, clients, and other people you did business with, and data protection laws still apply.

The term ‘data controller’ or ‘controller’ refers to the organisation, business or company that decides why and how people’s personal information is handled. It can be a limited company, or a sole trader and all the different types of companies in between. It’s a legal entity rather than a person who works at the organisation, business, or company.

In practice, if a business is liquidated or goes into administration, it’s unlikely to be the person who used to own the business who carries on making practical decisions to do with the closure. More likely, the liquidator or administrator becomes the new most senior member of staff, and they will take over all key decisions.

Of course, not all businesses that close go into liquidation or administration. Sometimes a business owner may want to stop doing business. Generally speaking, if you still have a legal obligation to continue holding data for a length of time, your business will continue to be the controller of that personal data and data protection laws still apply.

This includes continuing your registration with the ICO unless you’re exempt.

For example, Brian is retiring as a GP and closing his practice. The British Medical Association requires GPs to retain patient records for set periods of time. As Brian must retain this data, and as they’re electronic records, Brian isn’t exempt from having to register with the ICO. He must therefore arrange for his registration to continue.

Even if your business is in good health, it’s good practice to draw up a plan for what should happen to any personal data you need to hold if you stop trading. Your plan could include:               

  • the personal data you’ll need to keep;
  • why you’ll need to keep that data, such as for tax reasons or other legal obligations;
  • how and where the data will be stored securely, either by you or a third-party organisation;
  • how the data can be accessed if needed;
  • how long you need to keep the data;
  • your plans for ensuring the data stays accurate where necessary; and
  • how you’ll destroy the data securely when the time comes.

I'm closing down my small business. Do I have to let people know I’ll no longer be holding their data?

Yes, if you can. It’s good practice to let people know your business is closing down and you’re not holding their data any longer. This shows people that you value their information even when you no longer need it. It also allows them time to raise any concerns or requests with you.

For some businesses, this will be straightforward and won’t take long. For others, it’s easier said than done. If you’re in this position, it’s a balance between the effort it would take to let them know and, based on the type of information you hold about them, how important it is to contact them.

For example, you might not be able to contact your customers easily because you no longer have access to their information. If the information you hold is sensitive personal data, such as medical information, then there may be more of a necessity to try and contact them than if the information you hold is limited to name and address details. But this should be an exception, rather than a rule, and you’ll need to be confident you can justify your decision.

You can contact us if you’re unsure what to do in your situation.

Do I need to pass the personal data I hold to another company if I go out of business or lose a contract?

Yes, there could be situations when you might need to do this, depending on your business.

For example, you might need to pass the personal data you hold to another company for them to assume controller responsibilities, if you lose a contract or your work is being given to a different service provider. If this happens, you should try and let people know as soon as possible, so they’re aware you’re no longer handling their data and that someone else is, instead.

The new company will also need to consider contacting people and letting them know about how their data will be used from that point.

What does data protection say about information relating to criminal offences or convictions?

Data protection law gives extra protection to a wide range of personal data to do with criminal activity and proceedings, which we loosely refer to here as ‘criminal offence data’. This could be specific data about criminal convictions or allegations, but it could also be any personal data about criminal offences or other security concerns.

Occasionally, as a small organisation, you might process criminal offence data. For example, you could have CCTV footage of someone vandalising your premises that you want to pass to the police. Or if you keep details of DBS checks, you’d be handling criminal offence data, even if the checks came back clear and show no criminal convictions.

In data protection law, this type of data needs extra protection because misusing it could cause significant risks to people. For example, it could affect someone’s right to a fair trial, it could limit their freedom to conduct business, or it could negatively impact their private and family life.  

However, unlike the rules around special category data which are there to make sure information that’s particularly high risk or sensitive is treated with special care, the rules around criminal offence data are a bit different. This is because the need to protect people from criminal activity means that using this type of information can be justified in a wider variety of circumstances, despite the potential impact on the person who it's about.

For example, Teresa has CCTV installed at her shop. She catches someone shoplifting and wants to pass the CCTV footage to the police as evidence. At this point in time, Teresa is holding and sharing information relating to a criminal offence. This means that Teresa not only needs a valid reason – or lawful basis – to hold and use this information (which she would have needed in the first place before she started using CCTV), but the criminal offence adds another element. Teresa needs what’s known as a ‘condition to process’ this type of information. In Teresa’s situation, she can collect and share this information with the police to prevent or detect unlawful acts.

If you’re processing information relating to criminal convictions and offences and aren’t sure how to do this in a compliant way, you can contact us for advice.

What is a data sharing agreement?

A data sharing agreement sets out why you’re sharing personal data, what happens to the data when you send it to others, how it should be kept safe, and how it’s destroyed when it’s no longer needed. Having an agreement in place is important because it helps everyone involved to know what they can and can’t do with the data.

Do I need a data sharing agreement?

If you’re planning to share personal data with another business or organisation – such as the names, addresses and telephone numbers of your customers or clients – it’s good practice to have a data sharing agreement. As a controller, you’re accountable for what happens to the data, so it’s important to have a plan in place before you share it.

It lets people know that you care about their data and helps to demonstrate that you’re meeting your data protection obligations.

What should be in a data sharing agreement?

There’s no set format for a data sharing agreement, but here are a few things it should cover:

How does data sharing apply to acquisitions and mergers?

You may need to share data with or sell data to another organisation as part of a takeover or other situation involving a change in organisational structure such as an acquisition, merger or insolvency.

If the changes mean there’s a change in the controller of the data, or if the data is being shared with an additional controller, you need to take particular care to make sure it’s handled appropriately.

You need to:

  • consider data sharing as part of your due diligence;
  • establish what data you’re transferring, why you have it in the first place, and your lawful basis for sharing it;
  • comply with data processing principles – especially lawfulness, fairness and transparency; and
  • document your actions and decisions.

You also need to tell the people whose data you’re holding or using that there’s been a change of circumstances, and remind them about their information rights.

Can I share data with the police or other law enforcement authorities?

You may be asked to share personal information with the police or another law enforcement authority (known as a ‘competent authority’) such as a local council, to help them investigate, prevent, detect or prosecute a crime. For you to be able to share the information with them, you must be satisfied that they are who they say they are, and that you’ve had a clear explanation from them about why they need it.

However, under data protection law, information relating to criminal offences or convictions needs to be treated with particular care.

Can I share data in an emergency?

Yes, you can share personal data in an emergency where information is required to save someone’s life or protect them or others from serious harm.

In fact, it could be harmful not to share someone’s data, for example if allergy information isn’t given to health staff providing emergency care to someone who’s had an allergic reaction.

You won’t have long to make a decision about whether to share someone’s data in an emergency situation. But you must still make sure that you only share what’s needed, and that you only share it with people who need it. This means you’ll only be sharing what is necessary and proportionate.

While it’s a good idea to consider the steps you might take in an emergency, you can’t plan for every situation. That’s why data protection law is flexible and encourages you to understand and assess the risks separately in each case. We’re here to help – contact us if you’d like more advice on data sharing.


Am I allowed to send data outside of the UK?

If you’re sending data outside of the UK, you may need to take some extra steps to make sure the data is protected under the UK GDPR. If it’s recognised (through what’s known as an ‘adequacy decision’) that the country you’re sending the data to already has good rules to protect the data, you won’t need to do anything else. Otherwise, it’s likely you’ll need to put a contract in place with the organisation you’re sending the data to. These contracts are called standard contractual clauses (SCCs) and contain specific terms to make sure that the data is being used correctly when sent internationally. If this isn’t possible, you should look to see whether there are any exceptions which apply to your circumstances.

For example, Jenna is a UK physiotherapist who uses an online app to store her patients’ personal data. This platform uploads the data to a server based in Brazil. As Jenna is sending the data outside of the UK, she needs to make sure it will be protected. There is no adequacy decision to say that Brazil’s rules provide enough protection for the data, so Jenna will probably need to speak with the other organisation and put SCCs in place.