Data sharing and subject access

Designed to help assess your organisation’s data sharing policies and agreements, compliance monitoring, maintaining sharing records, registration and your process for how to deal with a subject access request.


Data sharing policy

Your business has communicated policies, procedures and guidance to all staff which clearly set out when it is appropriate to share or disclose data.

Your policies, procedures and guidance should set out how staff ought to respond to sharing requests in the appropriate manner. Data sharing must be done in a way that complies with the law, is fair, transparent and in line with the rights and expectations of the people whose data is being shared. Your policy should explain how compliance with these requirements will be achieved eg monitoring of information sharing logs, quality assessment of samples of instances of sharing. This policy should be communicated to all relevant staff eg via intranet.



Your business has assigned responsibility to an appropriate member of staff for ensuring effective data sharing.

It is good practice to nominate a senior, experienced person to take on overall responsibility for information sharing, ensuring compliance with the law, and providing advice to staff making decisions about sharing. Your policy should make it clear who this person is and how they can be contacted. The nominated individual should also receive appropriate specialist training to allow them to fulfil this role.


Staff training

Your business provides adequate training on an ongoing basis for staff that are regularly required to make decisions regarding whether or not personal data should be shared with third parties.

It is essential to provide appropriate training to staff that are likely to make significant decisions about data sharing or have access to shared data. The nature of the training will depend on their role within the sharing process. Such training can be incorporated into any training you already give on data protection, security, or legal obligations of staff. Once delivered effort should be made to maintain that awareness. Materials such as posters, office wide emails, intranet updates or data sharing content in newsletters could be employed to achieve this.


Decision log

Your business maintains a log of all decisions to share personal data and this is reviewed regularly.

Your business should be able to justify the reasons why you decided to share specific personal data. Such sharing should be lawful and comply with any statutory restrictions in place on your organisation. When a decision has been made regarding whether to share information or not you should record your decision and your reasoning (regardless of if you shared information) along with what information was shared and for what purpose, who it was shared with, when it was shared and if the information was shared with or without consent. You should review the log of sharing decisions on a regular basis to ensure that decisions to share data are well founded and compliant. You should also use the review to identify areas where large quantities of data are being shared routinely and whether there is a need to formalise this with an information sharing agreement, if one is not in place already.


Information sharing agreements

Your business has agreed data sharing agreements with an appropriate legal basis with all parties with whom personal data is routinely shared or where large quantities of data are to be transferred. These agreements are regularly reviewed.

In some instances you may need to agree and regularise the way you share personal data. This may become clear from the volume of ad hoc requests you receive from a particular organisation or due to the introduction of a new process which will require the sharing of large quantities of data. Prior to introducing a new information sharing agreement (ISA), you should complete and record a legal compliance assessment to ensure that your business has legal authority to share the information and that such sharing complies with the requirements of the DPA. Your information sharing agreement should address all risks relevant to the type of sharing you are undertaking, but at least, should address the following issues: * the purpose, or purposes, of the sharing; * the potential recipients or types of recipient and the circumstances in which they will have access; * the data to be shared (this should be kept to the minimum necessary for your purposes); * data quality – accuracy, relevance, usability etc; data security; * retention of shared data; individuals' rights – procedures for dealing with access requests, queries and complaints; * review of effectiveness/termination of the sharing agreement; and * sanctions for failure to comply with the agreement or breaches by individual staff. In order to ensure that information sharing arrangements still reflect the current needs of your business and are compliant with the DPA they should be reviewed regularly. Such reviews should address whether the data is still needed to fulfil the purposes for which it is being shared and whether the ISA reflect current data sharing arrangements.


Fair processing

Your business informs individuals about the sharing of their personal data.

The first principle of the DPA requires that you process personal data fairly and lawfully. In order for the sharing of personal data to be considered fair you need to explain to individuals how you will use their personal data and who you will share it with. It is good practice to include privacy notices on your website and any forms that you use to collect data. These should clearly explain the reasons for using the data including any disclosures or sharing. The second principle of the DPA requires that you do not process personal data in any manner that is 'incompatible' with your specified purposes. In practice, this means that if you want to use or share personal data for a reason that was not covered in your privacy notice you should consider obtaining prior consent to ensure the new use is fair.


Supervisory authority registration

Your business has considered whether you need to provide the supervisory authority with a description of the individuals or organisations to whom you intend or may wish to disclose personal data.

If you process personal data you may need to record the types of data you hold and why on the public register of data controllers. This is called 'registration'. This registration should include details of other organisations or groups of organisations you intend to share personal data with. Your business should ensure that these details are kept up to date.


Security measures

Your business has appropriate security measures in place to protect data in transit, received by your business and transferred to another business.

The DPA requires organisations to have appropriate technical and organisational measures in place to protect shared personal data. In some instances you may transfer personal data to another organisation but still remain responsible for its security. It is therefore important that you set out, and ensure compliance with, agreed levels of security in relation to the personal data being shared. Please see our information security checklist for hints and tips on how to improve the security of personal data held by your organisation. In addition, when transferring data between organisations appropriate measures should be taken to ensure the security of that data while in transit. This may include the use of encryption on email, secure file transfer protocol (SFTP) or Virtual Private Network (VPN) for electronic files. Equally there should be equivalent security around paper documents in transit. Such controls might include the use of a reliable courier, other secure postage, use of locked containers or tamper evident packaging.


Subject access process

Your business has a documented process for processing subject access requests which has been effectively implemented. Your business has measures in place to ensure requests are appropriately recognised, timescales are met and the appropriate information is provided.

You should assign responsibility for responding to subject access requests to one or more individuals. You should have a documented process for processing subject access requests efficiently and in accordance with the DPA. The documented process should be approved by senior management and made readily available to staff.


Accountability and training

Your business has appropriately resourced and trained all personnel assigned responsibility for processing subject access requests. Your business has made all personnel aware of their responsibility to support subject access requests and where in the organisation they should direct requests to.

All staff should be briefed on their responsibilities in relation to the identifying, processing and escalating subject access requests on or shortly after appointment with updates at regular intervals thereafter to maintain levels of awareness. Awareness materials might include posters, office wide emails, intranet updates, newsletters. Staff with specific subject access request responsibilities such as processing, logging or overseeing responses to subject access requests should receive appropriate training in order to allow them to carry out their role effectively.


Compliance monitoring

The process is monitored and reviewed and, where necessary, additional measures have been implemented to improve compliance.

You should periodically review the documented process and, where appropriate, update it to ensure it remains adequate and relevant. You should have mechanisms in place to regularly monitor and report on agreed performance measures, and apply any recommendations or lessons learned. Your business should consider maintaining records showing measures and reporting, eg management information/KPI, meeting minutes, emails, etc. Compliance checks and audits could be introduced to demonstrate any reviews of process.