GDPR and Data Sharing Policy

We share data across the Council and with our partner services to fulfil our statutory responsibilities as a Local Authority.

About the policy

The General Data Protection Regulations (GDPR) and Data Protection Act (DPA) 2018 allow us to share information for a wide variety of reasons: these are known as our ‘legal bases to process data’.

This data protection legislation should never be used as a ‘blocker’ when sharing personal data, especially in times of emergency which require more collaborative working internally and externally.

The examples below show where personal data including ‘special category data’ (data relating to racial/ethnic origin, political opinions, sexuality and sexual life, medical information, religion, trade union membership and genetic/biometric data) can be shared and used in a way that is compliant with GDPR/DPA without requiring the consent of the data subject.

We will always aim to share the minimum data necessary to achieve the purpose required.

Substantial public interest

Article 9 (2)(G) of GDPR

We are able to share data, both internally and externally, if it satisfies the Data Protection Act’s definition of ‘substantial public interest’, (Schedule 1, paragraphs 6-28). There are 23 specific definitions and those most relevant in a Local Authority include using data to:

• Fulfil an explicit statutory or government purpose
• Protect the public
• Satisfy external regulators (the Ombudsman, ICO, etc.)
• Better provide support for individuals with a particular disability or medical condition
• Safeguard children and individuals at risk, and
• Safeguard the economic well-being of certain individuals

If we are clear on why we need to share data, we will establish how to apply it for our purpose.

Statutory obligation to share data

(Article 9 (2)(B)) of GDPR

GDPR allows us to share data if it is necessary to comply with the obligations set out in law. Local Authorities are given many powers in different Acts of Parliament which can be used in the context of emergency data sharing.

The list below shows some of the most frequently used, but is not exhaustive:

• Care Act (2014), this allows councils to share data to promote individual well-being, prevent the individual need for care and to support and promote the integration of health and social care
• Children’s Act (1989), this allows councils to share data to safeguard and promote the wellbeing of children
• Homelessness Reduction Act (2017), this allows councils to share data as part of taking reasonable steps to help applicants secure accommodation
• Digital Economy Act (2017), this allows councils to disclose information to improve public service delivery or to help reduce debt owed to the Council, and
• Civil Contingencies Act (2004), this allows councils to share data as part of complying with our duty to plan and prepare for, advise about, respond to and recover from emergencies.

Other specific legal bases covered under GDPR

GDPR also sets out other legal bases for sharing ‘special category data’ which can be used in specific scenarios. These include when it is:

• necessary for the provision of social care or health care treatment or for the management of a health or social care system. This condition is only met if both sharing parties are ‘health and social care professionals using the data to provide direct care to the individual (Article 9 (2)(H) of GDPR)
• in the public interest in the area of public health. There needs to be a wider public benefit to share the data, not just to us as a council or to the individual. Examples include responding to pandemics or public health monitoring/statistics (Article 9 (2)(I) of GDPR)

If the need to share data corresponds with one of the Article 9 conditions described above, it is likely that this sharing is justified and is serving a larger purpose in our response to an emergency. 

Further information

For any questions regarding the above, please contact the Information Governance Team at: dpo@richmondandwandsworth.gov.uk