The Information Commissioner's Office (ICO) has issued guidelines to public bodies outlining various factors that local authorities and other public organisations should consider before sharing personal information between departments or with other authorities. The ICO's paper entitled "Sharing Personal Information: Our Approach" explains the ICO's general approach to information sharing which is set out below.
1. Identify the intended benefits and potential risks before sharing personal information
Public authorities must be able to demonstrate that they have considered the benefits that may arise for society as a whole or for the individuals in question and also the risks which may involve intrusion of personal privacy or which threaten the integrity of personal data. This will involve a balancing exercise that must be able to justify the sharing of personal information on the grounds that the benefits outweigh the risks.
2. Take all reasonable steps to safeguard personal information
Where the public authority decides that the sharing of personal information is justified, it must take all reasonable steps to keep any negative effects of such information sharing to a minimum. This should involve adopting a "privacy-friendly" approach by, for example, limiting the use of information in a form that makes people identifiable.
3. Consider whether consent is needed
It is expected that individuals should be able to exercise control and choice to allow their information to be shared where this makes sense. The ICO states that some information such as that relating to an individual's health is especially sensitive and therefore most people would probably expect to be asked for their consent before such information is shared.
4. Ensure transparency about what and when information is being shared
The ICO expects public bodies to take measures to inform individuals about how information about them is being used and how it will be shared which should involve using fair processing notices and including documents regarding their information-sharing policies in their freedom of information publication schemes.
5. Ensure that the quality and security of the information is good enough to support use
The ICO states that this might involve, for example, checking that the information is up to date and taking measures to ensure that inaccurate information is corrected by all organisations with which it has been shared. The ICO expects organisations that have decided to share information to be able to demonstrate that they have addressed the implications of doing so and have implemented the appropriate security measures to ensure that information is stored securely.
Iain Bourne, the head of information sharing at ICO is keen to ensure that local authorities maintain a balance between their "data protection responsibilities" whilst providing "high quality public services."
The guidance also makes it clear that it will not attempt to stifle local authorities with a heavy-handed application of legislation: "ICO will avoid an overly restrictive application of data protection law where that would lead to organisations failing to make sensible use of the information they hold…ICO recognises that modern information technology allows the sophisticated analysis and rapid transmission of information. Our approach will not prevent public bodies making the most of the benefits that technology can bring to society and individuals."