Data sharing and subject access
No. of Questions: 11

1.1 Data sharing policy

Your policies, procedures and guidance should set out how staff ought to respond to sharing requests in the appropriate manner. Data sharing must be done in a way that complies with the law, is fair, transparent and in line with the rights and expectations of the people whose data is being shared. Your policy should explain how compliance with these requirements will be achieved, e.g. monitoring of information sharing logs, or quality assessment of samples of instances of sharing.

* Data sharing checklist, ICO

* Governance, in ICO Data sharing code of practice


1.2 Accountability

It is good practice to nominate a senior, experienced person to take on overall responsibility for information sharing, ensuring compliance with the law, and providing advice to staff making decisions about sharing. Your policy should make it clear who this person is and how they can be contacted. The nominated individual should also receive appropriate specialist training to allow them to fulfil this role.

* Governance, in ICO Data sharing code of practice


1.3 Staff training

It is essential to provide appropriate training to staff who are likely to make significant decisions about data sharing or have access to shared data. The nature of the training will depend on their role within the sharing process. Such training can be incorporated into any training you already give on data protection, security, or the legal obligations of staff. Once delivered, effort should be made to maintain that awareness. Materials such as posters, office-wide emails, intranet updates or data sharing content in newsletters could be employed to achieve this.

* Governance, in ICO Data sharing code of practice


2.1 Decision log

Your business should be able to justify the reasons why you decided to share specific personal data. Such sharing should be lawful and comply with any statutory restrictions in place on your organisation.

When a decision has been made regarding whether to share information or not, you should record your decision and your reasoning (regardless of whether you shared information), along with what information was shared and for what purpose, who it was shared with, when it was shared and whether the information was shared with or without consent.

You should review the log of sharing decisions on a regular basis to ensure that decisions to share data are well founded and compliant. You should also use the review to identify areas where large quantities of data are being shared routinely and whether there is a need to formalise this with an information sharing agreement, if one is not in place already.
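As an added illustration (not part of the checklist or of the vendor's product), the following Python sketch models the decision log the section describes and the periodic review it recommends: each entry carries the fields listed above, a decision to share cannot be recorded without a reason, and the review pass flags recipients that receive data routinely or in volume without an information sharing agreement on record. The recipient names, ISA reference, thresholds and log entries are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class SharingDecision:
    """One decision log entry: the fields the checklist says to record."""
    decided_at: datetime
    shared: bool                          # outcome; declined requests are logged too
    reasoning: str                        # why the decision was taken
    recipient: str                        # who the data was (or would have been) shared with
    data_shared: tuple                    # categories of personal data involved
    purpose: str                          # what the sharing is for
    record_count: int                     # how many individuals' records were involved
    consent: Optional[bool]               # with/without consent; None if nothing was shared
    isa_reference: Optional[str] = None   # hypothetical ISA identifier; None = no agreement


class DecisionLog:
    """Append-only log of sharing decisions plus the regular review the section asks for."""

    def __init__(self):
        self._entries = []

    def record(self, decision: SharingDecision) -> int:
        # A decision to share must be justified before it can be logged.
        if decision.shared and not decision.reasoning.strip():
            raise ValueError("a decision to share must record its reasoning")
        self._entries.append(decision)
        return len(self._entries)

    def review(self, as_of: datetime, window=timedelta(days=90),
               min_events: int = 3, min_records: int = 1000) -> list:
        """Flag recipients that received data routinely (many events) or in bulk
        (many records) inside the window while at least one share was not covered
        by an ISA. Thresholds are constructed for the example, not from the ICO."""
        since = as_of - window
        stats = defaultdict(lambda: {"events": 0, "records": 0, "uncovered": 0})
        for d in self._entries:
            if not d.shared or d.decided_at < since:
                continue  # declined requests and old entries do not count as routine sharing
            s = stats[d.recipient]
            s["events"] += 1
            s["records"] += d.record_count
            if d.isa_reference is None:
                s["uncovered"] += 1
        findings = []
        for recipient, s in sorted(stats.items()):
            routine = s["events"] >= min_events or s["records"] >= min_records
            if routine and s["uncovered"] > 0:
                findings.append({"recipient": recipient, "events": s["events"],
                                 "records": s["records"], "uncovered": s["uncovered"]})
        return findings


def build_sample_log() -> DecisionLog:
    """Constructed sample entries: one recipient gets ad hoc shares with no ISA,
    one is covered by an ISA, one is a single share, one request was declined."""
    log = DecisionLog()
    for day in (3, 12, 20, 28):
        log.record(SharingDecision(datetime(2019, 5, day), True, "fraud investigation request",
                                   "Acme Analytics Ltd", ("name", "address"), "fraud checks",
                                   45, False))
    for month in (4, 5, 6):
        log.record(SharingDecision(datetime(2019, month, 25), True, "monthly payroll run",
                                   "Payroll Provider Ltd", ("name", "bank details"), "payroll",
                                   400, False, isa_reference="ISA-2018-07"))
    log.record(SharingDecision(datetime(2019, 6, 2), True, "statutory council request",
                               "Local Council", ("name",), "council tax enquiry", 1, False))
    log.record(SharingDecision(datetime(2019, 6, 10), False, "no lawful basis identified",
                               "Marketing Partner Ltd", ("email",), "marketing", 0, None))
    # Outside the 90-day window as of 30 June 2019, so the review ignores it.
    log.record(SharingDecision(datetime(2019, 1, 15), True, "one-off audit request",
                               "Acme Analytics Ltd", ("name",), "audit", 10, False))
    return log


if __name__ == "__main__":
    for finding in build_sample_log().review(as_of=datetime(2019, 6, 30)):
        print(finding)
```

In the sample, only "Acme Analytics Ltd" is flagged: four shares in the window with no ISA reference, which is exactly the situation the section says should prompt a formal agreement. The payroll recipient moves more records but every share cites an ISA, and the single council request does not meet the routine threshold.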

* How do we decide the legal basis for sharing?, Centre of Excellence for Information Sharing website

* Conditions for processing, in Data sharing code of practice, ICO

* How to record decisions on sharing personal information, Department for Education

* Template data sharing decision form, in Data sharing code of practice, ICO


2.2 Information sharing agreements

In some instances you may need to agree and regularise the way you share personal data. This may become clear from the volume of ad hoc requests you receive from a particular organisation, or due to the introduction of a new process which will require the sharing of large quantities of data.

Prior to introducing a new information sharing agreement (ISA), you should complete and record a legal compliance assessment to ensure that your business has legal authority to share the information and that such sharing complies with the requirements of the DPA.

You must also have a written contract setting out what the provider is allowed to do with the personal data and requiring them to take the same security measures you would have to take to comply with the DPA.

Your information sharing agreement should address all risks relevant to the type of sharing you are undertaking, but at least should address the following issues:

* the purpose, or purposes, of the sharing;
* the potential recipients or types of recipient and the circumstances in which they will have access;
* the data to be shared (this should be kept to the minimum necessary for your purposes);
* data quality – accuracy, relevance, usability etc;
* data security;
* retention of shared data;
* individuals' rights – procedures for dealing with access requests, queries and complaints;
* review of effectiveness/termination of the sharing agreement; and
* sanctions for failure to comply with the agreement or breaches by individual staff.

In order to ensure that information sharing arrangements still reflect the current needs of your business and are compliant with the DPA, they should be reviewed regularly. Such reviews should address whether the data is still needed to fulfil the purposes for which it is being shared and whether the ISA reflects current data sharing arrangements.


3.1 Fair processing

The first principle of the DPA requires that you process personal data fairly and lawfully. In order for the sharing of personal data to be considered fair you need to explain to individuals how you will use their personal data and who you will share it with. It is good practice to include privacy notices on your website and any forms that you use to collect data. These should clearly explain the reasons for using the data, including any disclosures or sharing.

The second principle of the DPA requires that you do not process personal data in any manner that is 'incompatible' with your specified purposes. In practice, this means that if you want to use or share personal data for a reason that was not covered in your privacy notice, you should consider obtaining prior consent to ensure the new use is fair.

* Collecting information about your customers checklist, ICO

* Privacy notices code of practice, ICO


3.2 ICO registration

If you process personal data you may need to record the types of data you hold, and why, on the public register of data controllers. This is called 'registration'.

This registration should include details of other organisations or groups of organisations you intend to share personal data with. Your business should ensure that these details are kept up to date.

* Register (notify) under the Data Protection Act, ICO

* Registration self assessment, ICO

* Registration FAQs, ICO


4.1 Security measures

The DPA requires organisations to have appropriate technical and organisational measures in place to protect shared personal data. In some instances you may transfer personal data to another organisation but still remain responsible for its security. It is therefore important that you set out, and ensure compliance with, agreed levels of security in relation to the personal data being shared.

Please see our information security checklist for hints and tips on how to improve the security of personal data held by your organisation.

In addition, when transferring data between organisations, appropriate measures should be taken to ensure the security of that data while in transit. This may include the use of encryption on email, secure file transfer protocol (SFTP) or a Virtual Private Network (VPN) for electronic files. Equally, there should be equivalent security around paper documents in transit. Such controls might include the use of a reliable courier or other secure postage, the use of locked containers, or tamper-evident packaging.

* Security, in Data sharing code of practice, ICO


5.1 Subject access process

You should assign responsibility for responding to subject access requests to one or more individuals.

You should have a documented process for processing subject access requests efficiently and in accordance with the DPA.

The documented process should be approved by senior management and made readily available to staff.

* How do I handle subject access requests?, ICO

* Subject access code of practice, ICO


5.2 Accountability and training

All staff should be briefed on their responsibilities in relation to identifying, processing and escalating subject access requests, on or shortly after appointment, with updates at regular intervals thereafter to maintain levels of awareness. Awareness materials might include posters, office-wide emails, intranet updates and newsletters.

Staff with specific subject access request responsibilities, such as processing, logging or overseeing responses to subject access requests, should receive appropriate training in order to allow them to carry out their role effectively.

* How do I handle subject access requests?, ICO

* Subject access code of practice, ICO


5.2 Accountability and training

You should periodically review the documented process and, where appropriate, update it to ensure it remains adequate and relevant.

You should have mechanisms in place to regularly monitor and report on agreed performance measures, and apply any recommendations or lessons learned.

Your business should consider maintaining records showing measures and reporting, e.g. management information/KPIs, meeting minutes, emails, etc. Compliance checks and audits could be introduced to demonstrate any reviews of process.

* How do I handle subject access requests?, ICO

* Subject access code of practice, ICO


Checklist Overview


Your business has communicated policies, procedures and guidance to all staff which clearly set out when it is appropriate to share or disclose data.
Your business has assigned responsibility to an appropriate member of staff for ensuring effective data sharing.
Your business provides adequate training on an ongoing basis for staff that are regularly required to make decisions regarding whether or not personal data should be shared with third parties.
Your business maintains a log of all decisions to share personal data and this is reviewed regularly.
Your business has agreed data sharing agreements with an appropriate legal basis with all parties with whom personal data is routinely shared or where large quantities of data are to be transferred. These agreements are regularly reviewed.
Your business informs individuals about the sharing of their personal data.
Your business has considered whether you need to provide the Information Commissioner's Office (ICO) with a description of the individuals or organisations to whom you intend or may wish to disclose personal data.
Your business has appropriate security measures in place to protect data in transit, received by your business and transferred to another business.
Your business has a documented process for processing subject access requests which has been effectively implemented. Your business has measures in place to ensure requests are appropriately recognised, timescales are met and the appropriate information is provided.
Your business has appropriately resourced and trained all personnel assigned responsibility for processing subject access requests. Your business has made all personnel aware of their responsibility to support subject access requests and where in the organisation they should direct requests to.
The process is monitored and reviewed and, where necessary, additional measures have been implemented to improve compliance.

© 2019 The Document Warehouse UK Ltd