The Data Protection Commissioner (DPC) has published new guidance on 'Data sharing in the public sector' following the decision of the CJEU in Bara (C-201/14) (see our previous blog on the Bara judgment).
The Bara judgment serves as a reminder that any decision by public bodies to share personal data bodies should not be taken lightly, and only the minimum amount of personal data should be shared. It shows the importance of public bodies informing individuals as to how their personal data is used, for what purpose, and who has access to it.
In summary, the DPC recommends that all data sharing arrangements in the public sector should:
- Have a basis in primary legislation;
- Be made clear to individuals that their data may be shared and for what purpose;
- Be proportionate in terms of their application and the objective to be achieved;
- Have a clear justification for individual data sharing arrangements;
- Share the minimum amount of data to achieve the stated public service objective;
- Have strict access and security controls; and
- Ensure secure disposal of shared data.
The guidance highlights that the public policy objective being pursued by a particular data sharing arrangement without consent should be explicit. It notes that when considering whether to enter into an arrangement to share data, it is imperative to identify the purpose that it is meant to achieve. In doing so, public bodies should consider the potential benefits and risks, either to individuals or society, of sharing the data. An assessment of the likely results of not sharing the data should also be conducted.
Explicit Legal Basis
The DPC recommends that, in general, an explicit legal basis for sharing the data should be set out in primary legislation. The legislation should clearly identify the public sector bodies involved, the information that will be shared, and the purpose of sharing the information. Public bodies should also ensure that adequate, appropriate and relevant safeguards are put in place to protect the data rights of individuals.
Transparency & Communication
The DPC is of the view that even if a legislative measure provides the requisite legal basis to implement a data sharing arrangement it is still necessary for all data controllers to ensure that individuals are fully aware of those arrangements and the safeguards contained therein. The DPC highlights that whilst in some cases having an information note available explaining the data sharing arrangement may be acceptable, in other situations this may not suffice. In determining whether active communication about the data sharing arrangement is necessary, by sending a letter or email is necessary, the DPC suggests the following non-exhaustive checklist should be considered:
- Is the public sector body sharing sensitive personal data?
- Is the data sharing unexpected or objectionable?
- Will the data sharing have a significant effect on the individual?
- Is the data sharing widespread or involving entities which individuals might not expect?
- Is the data sharing being carried out for a range of different purposes?
- Is the individual likely to suffer any detriment as a result of the data sharing arrangement?
If the response to any of the above questions is yes, then the DPC recommends that the public body consider actively communicating the details of the data sharing arrangement to each individual.
Public sector bodies should review their existing and future data sharing arrangements in light of the DPC's new guidance and ensure it is compliance with data protection law