Data sharing is a form of data processing and is widely pervasive – its not just about selling customer names to marketing list companies. You are data sharing, when you send PAYE and NICs information to HMRC. You are data sharing, when you prepare a fundraising campaign with your marketing agency and you are data sharing if you provide data to other support organisations in order to provide your services.
There is a distinction between data that is shared with a processor and data that is shared with another controller. Processors must be subject to a data processing agreement that will include mandatory clauses. As the controller, you impose standards of care on your processors that will protect the data on behalf of data subjects. But, sharing data with other controllers is different. The regulations require that an “arrangement” is in place between joint controllers (such as charities presenting a joint promotion to donors) but is not express with regard to independent controllers, for example sharing donor lists with like-minded or sister charitable organisations. Nonetheless, from a risk management point of view, a detailed agreement regarding data sharing between controllers is equally a must. For example, you may have invested in considerable cyber security, but if your fundraising provider is using paper-based forms and there is no downside for them to do better, your investment is wasted. You will both be liable to report the breach, deal with the costs, damages and potential fines associated with breach, but the financial liability and reputational damage is likely to hit you harder as your name will be familiar to supporters and volunteers.
Other example risks when data sharing are:
- One party using the data beyond the limits of what it was collected for
- Keeping data longer than is necessary
- The data received is inaccurate or out of date and leads to inappropriate or distressing outcomes (a common one, is sending direct mail to deceased persons)
- The data is inaccurately collated between the controllers and leads to incorrect assumptions about the data subject (such as their wealth or propensity to charitable giving)
The old Data Protection Act (1998) was very quiet with regard to how data could be shared between parties and in order to fill the gap, the ICO issued the Data Sharing Code in 2011. This code was revised by the ICO in light of the GDPR and the new DPA 2018, with a consultation on the draft wording closing in September 2019. I think, in the ordinary course of events, the new code would be with us by now, but there is no news as yet from the ICO about formal publication of the 2020 version. However, the ICO is legally required to issue a new code and the Courts have given weight to the 2011 version, so it is advised to refer to the draft code when considering data sharing arrangements.
Data sharing agreements should cover the following
- Detail who the parties are to the sharing. Be careful about intra-group relationships. Is the data being shared with a whole group or just the particular counterparty?
- Detail what data is being shared. Set-out why it is necessary to share this much data (underlining adherence to the data minimisation principle)
- What is the purpose of the sharing? Set out a clear agreement on the purpose. Be honest if there is a commercial element.
- Set out responsibility for preparing a data protection impact assessment and keeping it updated.
- Is the data quality going to be tested? How will this work, in practice? If the data quality is sub-standard, how will this be addressed?
- Set out how risk shall be apportioned? For example, what level of security are both parties expected to apply to the data.
- Include indemnities where parties do not adhere to the terms agreed
- Set out procedures for dealing with complaints.
- Set out procedures for dealing with data subject access requests, including the cost burden for preparation of a response.
- Set out procedures for the parties to deal with data breaches, including how liability for damages will be apportioned.
- What will happen to the data, if the data sharing agreement is terminated or breached?