Sharing personal information with other organisations
Every organisation has a legal responsibility to ensure that its risk assessments are suitable and sufficient.
To identify significant risks, you need to have all the relevant information available.
When you need to share information between organisations, you need to make sure that you adhere to General Data Protection Regulation (GDPR) guidance.
GDPR and the Data Protection Act 2018 set the rules and basis for data management:
- it is legal to share information if the purpose is to protect the health and safety of employees
- it is necessary for organisations to have arrangements in place to ensure that this is done only when necessary, and that it adheres to GDPR guidance
- it is important that the information kept is accurate and fair
Before sharing information, the organisation holding it must carefully consider:
- how any recipient organisation or department is going to use it
- what the effect on people is likely to be
Your policy needs to be very explicit about this.
It is good practice to get a data-sharing agreement with the recipient organisation.
You can find more information about sharing information on the Information Commissioner’s Office website.
Processing data
Article 6 of the GDPR explains when you are able to share information with other organisations.
You need to have a clear case to allow you to do this, and you must keep a record of:
- your decision
- the reasons behind it
The areas in which you need to show that you have a lawful reason to share information are:
- consent, the individual gave you permission
- contract, you have a contract with the individual and the processing of data is necessary
- legal obligation, you share data to comply with legislation
- vital interest, you share data to save someone’s life
- public task, you do this to complete a task in the public interest
- legitimate interest, you can process data in your legitimate interest (this cannot override a duty that you may have to protect people’s data)
You can use a checklist from the Information Commissioner’s Office (ICO) to help you decide if you have a legal reason to process information.