Data Sharing in the Public Sector
The personal data of individuals should only be collected, stored, shared or processed where it is relevant, essential, and necessary to provide them with public services or to carry out another public function.
The Data Protection Commission (DPC) recommends that all data sharing arrangements in the public sector should generally:
- Adhere to the principles set out in Article 5 GDPR, including:
  - Lawfulness, fairness and transparency: Personal data shall be processed in a manner which is lawful, fair, and transparent;
  - Purpose limitation: Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
  - Data minimisation: Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  - Accuracy: Personal data shall be accurate and, where necessary, kept up to date;
  - Storage limitation: Securely destroy personal data when it is no longer required;
  - Integrity and confidentiality: Have strict access and security controls to ensure the appropriate security of the personal data.
- Implement data protection by design and data protection by default;
- Have a clear legal basis as required by Article 6 GDPR;
- Make clear to individuals that their data may be shared and for what purpose;
- Be proportionate in terms of their application and the objective(s) to be achieved;
- Share the minimum amount of data to achieve the stated public service objective.
Articles 13 and 14 GDPR place specific transparency obligations on Public Sector Bodies to provide data subjects with specific pieces of information (please see our guidance note on data sharing in the Public Sector for details).
Articles 33 and 34 GDPR require organisations to report personal data breaches to the relevant supervisory authority within 72 hours of becoming aware of them, where the breach presents a risk to the affected individuals. Where a breach is likely to result in a high risk to the affected individuals, organisations must also inform those individuals without undue delay.
Article 37 GDPR requires certain data controllers to appoint a designated Data Protection Officer (DPO). This includes all controllers who are public authorities or public bodies. Controllers are also required to publish the details of their DPO and provide these details to the DPC.
More information is available in our guidance note on the general principles required for data sharing in the Public Sector. In addition to the guidance contained in this note, the Data Sharing and Governance Act 2019 provides a generalised legal basis for the sharing of data between public bodies, as well as further appropriate safeguards under which such sharing should take place.