Data sharing and subject access checklist report
8 July 2024

Overall rating

Your overall rating was red.

• 10: Not yet implemented or planned
• 0: Partially implemented or planned
• 0: Successfully implemented
• 0: Not applicable

RED: not implemented or planned

Your business informs individuals about the sharing of their personal data.

Areas for focus / suggested actions

For the sharing of personal data to be fair and lawful, the UK GDPR (Articles 13 and 14, the right to be informed) and the Data Protection Act 2018, which replaced the Data Protection Act 1998, require organisations to explain to individuals how they will use the personal data they collect and who they will share it with. In a data sharing context it is important to explain:

• who you are;
• why you are going to share personal data;
• who you are going to share it with, which can be actual named organisations or types of organisation; and
• any further information needed where some aspect of the sharing would not be within the "reasonable expectations" of the individual, so that the sharing can still be considered fair.

Guidance

• Collecting information about your customers, in ICO small business checklist
• Privacy notices code of practice, ICO

Your business has communicated policies, procedures and guidance to all staff which clearly set out when it is appropriate to share or disclose data.

Areas for focus / suggested actions

Your policies, procedures and guidance should set out how staff ought to respond to sharing requests. You should:

• have an appropriate policy in place setting out when it is appropriate to share and/or disclose data;
• ensure your policy and processes cover how staff will confirm that a given instance of sharing is lawful, how the accuracy of the data will be maintained, and what security measures must be in place before any information is shared;
• detail in your policy how compliance with these requirements will be achieved; and
• communicate the policy framework to all staff.

Guidance

• Data sharing checklist, ICO
• Governance, in ICO data sharing code of practice

Your business provides adequate training on an ongoing basis for staff that regularly make decisions about whether to share personal data with third parties.

Suggested actions

You should:

• provide adequate training on an ongoing basis for staff that regularly make decisions about whether to share personal data with third parties;
• ensure staff with specific responsibility for management or oversight of sharing processes complete appropriate training to allow them to fulfil this role; and
• maintain staff awareness through materials such as posters, office-wide emails, intranet updates or data sharing content in newsletters.

Your business maintains a log of all your decisions to share personal data
and you review this regularly.

Suggested actions

You should:

• establish your lawful basis for sharing;
• maintain a log of all your decisions to share personal data;
• review it regularly to ensure that your decisions are well founded and compliant. This also helps you identify areas where you routinely share large quantities of data; and
• where you share data routinely, put appropriate data sharing agreements (DSAs) in place with all parties, review them regularly and record them on a central DSA log.

Guidance

• Guide to the UK GDPR – Lawful basis for processing, ICO website

Your business has a data sharing agreement (DSA) with any party you
routinely share personal data with or transfer large quantities of data to.
You review these agreements regularly.

Suggested actions

You should:

• complete a data protection impact assessment (DPIA) before introducing a DSA, to confirm that your business has a lawful basis to share the information and that the sharing complies with data protection legislation; and
• regularly review each DSA to ensure it still reflects the current needs of your business and remains compliant with data protection legislation. These reviews should address whether you still need the data to fulfil the purposes you are sharing it for, and whether the DSA reflects the current data sharing arrangements.

Guidance

• Guide to the UK GDPR – Lawful basis for processing, ICO website
• Guide to the UK GDPR – Data protection impact assessments, ICO website

Your business informs individuals about the sharing of their personal data.

Suggested actions

You should:

• explain who you are, why you are going to share personal data and who you are going to share it with, which can be actual named organisations or types of organisation; and
• provide further information if some aspects of this sharing would not be within the "reasonable expectations" of the individual.

Guidance

• Guide to the UK GDPR – The Right to be Informed, ICO website

Your business has appropriate security measures in place to protect data that is in transit, received by your business or transferred to another business.

Suggested actions

You should:

• always use an appropriate form of transport, e.g. a secure courier for sensitive paper-based personal data and, for electronic files, encryption of the file or message itself, SSH File Transfer Protocol (SFTP) or a Virtual Private Network (VPN). Encrypting only the transport (a VPN tunnel, TLS between mail servers) protects the data on that hop alone; encrypting the file also protects it once it is at rest on the recipient's side;
• minimise the data being transported;
• log each transfer in and out where appropriate and check that the data was received intact, for example by sending the recipient a list of the files with their checksums, separately from the data, and having them confirm it; and
• employ security measures to safeguard the data in transit, such as tamper-evident packaging and storage on encrypted devices.
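The three electronic controls above (send only the files that are needed, log the transfer on both sides, and check that what arrived is what was sent) can be implemented with a small transfer manifest. The following is an added example written for this page, not code from the ICO or from the checklist; the manifest layout, the JSON-lines log format, the file names and the sample contents are all this example's own choices. It demonstrates integrity and receipt checking only; confidentiality still comes from encrypting the files or the channel as the bullet above describes.

```python
"""Transfer manifest: integrity check and transfer log for files shared with a third party.

Added example, not part of the ICO checklist. The manifest format, log format and
sample files below are constructed for illustration.
"""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, Iterable, Optional

CHUNK_SIZE = 1 << 16


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large extracts never have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path, include: Iterable[str]) -> dict:
    """Sender side. Hash only the files explicitly listed for sharing (data minimisation:
    anything not in `include` is neither described to nor sent to the recipient)."""
    files = {}
    for rel in sorted(include):
        path = root / rel
        files[rel] = {"sha256": sha256_file(path), "bytes": path.stat().st_size}
    return {"created": datetime.now(timezone.utc).isoformat(), "files": files}


def verify_manifest(root: Path, manifest: dict) -> Dict[str, str]:
    """Recipient side. Each listed file is reported as 'ok', 'missing' or 'mismatch'."""
    status = {}
    for rel, expected in manifest["files"].items():
        path = root / rel
        if not path.is_file():
            status[rel] = "missing"
        elif path.stat().st_size != expected["bytes"] or sha256_file(path) != expected["sha256"]:
            status[rel] = "mismatch"
        else:
            status[rel] = "ok"
    return status


def log_transfer(log_path: Path, direction: str, counterparty: str,
                 manifest: dict, status: Optional[Dict[str, str]] = None) -> dict:
    """Append one JSON line per transfer so both parties can reconcile later.
    The log records a hash of the manifest, never the personal data itself."""
    manifest_bytes = json.dumps(manifest["files"], sort_keys=True).encode()
    entry = {
        "time": datetime.now(timezone.utc).isoformat(),
        "direction": direction,          # "out" on the sender, "in" on the recipient
        "counterparty": counterparty,
        "file_count": len(manifest["files"]),
        "manifest_sha256": hashlib.sha256(manifest_bytes).hexdigest(),
        "status": status,                # None for an outbound entry, per-file result inbound
    }
    with log_path.open("a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry) + "\n")
    return entry


def demo() -> Dict[str, str]:
    """End-to-end run on constructed sample files; returns the recipient's verification result."""
    with tempfile.TemporaryDirectory() as tmp:
        sender = Path(tmp, "sender")
        recipient = Path(tmp, "recipient")
        sender.mkdir()
        recipient.mkdir()
        # Constructed sample data: three files to share, one that must stay internal.
        (sender / "payroll_extract.csv").write_text("id,name,salary\n1,A. Example,30000\n")
        (sender / "readme.txt").write_text("Extract for the pension provider, July.\n")
        (sender / "summary.csv").write_text("employees,total\n1,30000\n")
        (sender / "internal_notes.txt").write_text("Do not share.\n")

        manifest = build_manifest(sender, ["payroll_extract.csv", "readme.txt", "summary.csv"])
        log_transfer(sender / "transfer.log", "out", "pension-provider", manifest)

        # Simulate what arrived: one file intact, one altered in transit, one never received.
        shutil.copy(sender / "payroll_extract.csv", recipient / "payroll_extract.csv")
        (recipient / "readme.txt").write_text("Extract for the pension provider, August.\n")

        status = verify_manifest(recipient, manifest)
        log_transfer(recipient / "transfer.log", "in", "employer", manifest, status)
        return status


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest must travel separately from the data (or be signed) for the check to mean anything: an attacker who can alter the files on the same channel can alter a manifest sent with them. A "mismatch" or "missing" result is the trigger for the incident and reconciliation steps the policy section above asks for.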

Your business has a documented process for dealing with requests for
personal data that all your staff are aware of and you have effectively
implemented.

Suggested actions

You should:

• implement a documented process for dealing with requests for personal data efficiently and in accordance with data protection legislation; and
• ensure management has approved the process and make it readily available to staff.

Guidance

• Guide to the UK GDPR – Right of access, ICO website

Your business has appropriately trained all personnel who have responsibility for processing requests for personal data and has made them aware of how to identify and channel requests to the appropriate team or person.

Suggested actions

You should:

• provide appropriate training as part of any induction training on or shortly after appointment;
• ensure all staff receive updates and refresher training at regular intervals thereafter to maintain levels of awareness;
• use awareness materials such as posters, office-wide emails, intranet updates and newsletters; and
• give appropriate training to staff with specific responsibilities for processing, logging or overseeing responses to requests for personal data to allow them to carry out their role effectively.

Guidance

• Guide to the UK GDPR – Right of access, ICO website

Your business monitors and reviews all requests for personal data and,
where necessary, implements additional measures to improve
compliance.

Suggested actions

You should:

• periodically review your documented process and, where appropriate, update it to ensure it remains adequate and relevant;
• put mechanisms in place to regularly monitor and report on agreed performance measures, and ensure any recommendations or lessons learned are applied; and
• consider maintaining records showing measures and reporting, e.g. management information/KPIs, meeting minutes, emails, etc.

Guidance

• Guide to the UK GDPR – Right of access, ICO website
