Data Sharing in the Public SectorThe issue of sharing personal data between state agencies, and the related issue of use of the PPSN have featured regularly in our annual reports.
Compliance with the following guidelines can provide a basis for a general approach to data sharing within the public sector based on the principles set out below. These principles should ensure that such data sharing is proportionate and in accordance with the Data Protection Acts.
1. Demonstrable Justification
The public policy objective being pursued by a particular data sharing arrangement without consent should be explicit. An assessment should be made as to whether the likely benefits of the sharing justify the overriding of the individual’s data protection rights. The assessment should represent a careful balancing of these factors. It should take account of the fact that such sharing could increase the reluctance of individuals to provide accurate personal data to state authorities. It should also take account of any disproportionately negative impact on particular sections of society.
2. Explicit legal basis
The legal basis for data sharing, including the conditions under which such sharing is permitted, should be set out in primary legislation.
Any decision to share personal data between public bodies (and thereby to set aside a person’s right to privacy) must not be taken lightly. This is especially the case when bulk data is shared. Such decisions should only be taken following due consideration at senior management level.
If relevant, it should be made clear to individuals when they give personal data to a state body that this information may be shared with other state bodies. The reason for such sharing should be stated clearly. Under the Data Protection Acts, state bodies are legally required to include such disclosures in their public registration with our Office. In addition, it is good practice for a public body to regularly publish a list of their data sharing arrangements.
5. Data minimisation
Only the minimum amount of personal data should be shared. In many cases all that is required is a "yes” or “no" in regard to whether an individual is, for example, a holder of a permit or a license.
6. Data access and security
Enhanced access and security requirements should apply to personal data received as part of an approved data sharing arrangement. Access to such data should be limited to a very small number of officials and security measures should rule out any possibility of data leakage (bearing in mind the increased emphasis on the State’s responsibility to prevent data breaches and the reputational damage that would result from failure to protect shared personal data).
7. Data retention
Personal data provided as part of an approved data sharing arrangement should be securely destroyed when no longer required.
» Permanent Link