To Share or Not To Share – Checklist
- This lawful basis may be relied upon if processing personal data:
  - 'in the exercise of official authority'. This covers public functions and powers that are set out in law; or
  - to perform a specific task in the public interest that is set out in law.
- It is most relevant to public authorities, but it can apply to any organisation that exercises official authority or carries out tasks in the public interest.
- A specific statutory power to process personal data is not required, but the underlying task, function or power must have a clear basis in law.
- The processing must be necessary. If the task could reasonably be performed, or the power exercised, in a less intrusive way, this lawful basis does not apply.
- Document the decision to rely on this basis to help demonstrate compliance if required. The relevant task, function or power should be specified, and its statutory or common law basis identified.
The Information Commissioner's Office guide to the GDPR lawful basis for processing under public task: ICO guide
With specific reference to the circumstances of the case, consider:
- Is the sharing justified?
- Does the duty to protect outweigh the duty of confidentiality?
- What are the benefits and risks to the individual of sharing, or not sharing information?
- Are there any other risks from sharing or not sharing?
- Do the benefits outweigh the risks?
- Are there any exemptions in the Data Protection Act 2018 to sharing? (e.g. special category data exemptions)
- Are there other relevant statutory requirements or restrictions? e.g. Adult Support and Protection (Scotland) Act 2007
- Is there an organisational / in-house protocol to be respected?
- Are there other similar, relevant, cases which ought to be considered?
- Is the information required relevant to the functions or powers of the given role and remit?
- Is there a legal obligation to share? (for example a statutory requirement or a court order)
- Is authorisation required within the organisation to make the decision?
- Should legal advice be sought?
If information is to be shared:
- Has consent been obtained e.g. of the person, an attorney or guardian, or another third party?
- Should any other person be informed ahead of, or after, sharing?
- What information should be shared?
- What is fact and what is opinion?
- How should the information be shared / stored?
- Has the individual been consulted with openness and transparency? If not, reasons should be documented.
- Are there suspicions that alerting the patient to concerns could place them at greater risk?
- Ensure you are giving the information to the right person
- Record the decision and reasoning
- For information shared, record:
  - What information was shared and for what purpose.
  - Whom it was shared with.
  - When it was shared.
  - The justification for sharing.
  - Whether the information was shared with or without consent.