Data Sharing Policy

We share data across the Council and with our partner services to fulfil our statutory responsibilities as a Local Authority.

About the policy

The United Kingdom General Data Protection Regulation (EU 2016/679 (UK GDPR), the Data Protection Act 2018 (the DPA) and the Law Enforcement Directive (EU) 2016/680) and all applicable data protection legislation, collectively referred to as data protection legislation sets out the key principles, rights and obligations which as a Local Authority, we must comply with.  Data protection legislation sets out specific legal bases which allows us to share information for a wide variety of reasons. Further information is available in the Council’s Appropriate Policy Document (pdf, 216 KB) and the Council’s Privacy Notice.

This data protection legislation should never be used as a ‘blocker’ when sharing personal data, especially in times of emergency which require more collaborative working internally and externally.

The examples below show where personal data including ‘special category data’ (data relating to racial/ethnic origin, political opinions, sexuality and sexual life, medical information, religion, trade union membership and genetic/biometric data) can be shared and used in a way that is compliant with data protection legislation without requiring the consent of the individual.

We will always aim to share the minimum data necessary to achieve the purpose required.

Personal data examples

The following are examples of our legal bases relating to the processing of personal data:

• Article 6 (1) (c) of the UK GDPR - Legal Obligation
• Article 6 (1) (e) of the UK GDPR - Public Task
• Article 6 (1) (f) of the UK GDPR - Vital Interest

Special category data examples

The following are examples of our legal bases relating to the processing of special category data:

Substantial public interest

Article 9 (2)(G) of GDPR

We are able to share data, both internally and externally without obtaining consent, if it satisfies the DPA’s definition of ‘substantial public interest’, (Schedule 1, paragraphs 6-28). There are 23 specific definitions and those most relevant in a Local Authority include using data to:

• Fulfil an explicit statutory or government purpose
• Protect the public
• Satisfy external regulators (the Ombudsman, ICO, etc.)
• Better provide support for individuals with a particular disability or medical condition
• Safeguard children and individuals at risk, and
• Safeguard the economic wellbeing of certain individuals

If we are clear on why we need to share data, we will establish how to apply it for our purpose.

Statutory obligation to share data

(Article 9 (2)(B)) of GDPR

The data protection legislation allows us to share data if it is necessary to comply with the obligations set out in law. Local Authorities are given many powers in different Acts of Parliament which can be used in the context of emergency data sharing.

The list below shows some of the most frequently used, but is not exhaustive:

• Care Act 2014, this allows councils to share data to promote individual well-being, prevent the individual need for care and to support and promote the integration of health and social care
• Children’s Act 1989, this allows councils to share data to safeguard and promote the wellbeing of children
• Homelessness Reduction Act 2017, this allows councils to share data as part of taking reasonable steps to help applicants secure accommodation
• Digital Economy Act 2017, this allows councils to disclose information to improve public service delivery or to help reduce debt owed to the Council, and
• Civil Contingencies Act 2004, this allows councils to share data as part of complying with our duty to plan and prepare for, advise about, respond to and recover from emergencies

Other specific legal bases

The UK GDPR also sets out other specific legal bases for sharing ‘special category data’ which can be used in specific scenarios. These include when it is:

• Necessary for the provision of social care or health care treatment or for the management of a health or social care system. This condition is only met if both sharing parties are ‘health and social care professionals using the data to provide direct care to the individual' (Article 9 (2)(H) of GDPR)
• In the public interest in the area of public health. There needs to be a wider public benefit to share the data, not just to us as a council or to the individual. Examples include responding to pandemics or public health monitoring/statistics (Article 9 (2)(I) of GDPR)

If the need to share data corresponds with one of the Article 9 conditions described above, it is likely that this sharing is justified and is serving a larger purpose in our response to an emergency. 

Further information

For any questions regarding the above, please contact the Information Governance Team at: dpo@richmondandwandsworth.gov.uk