Public sector personal data sharing: framework and principles

2. Legislation Framing Data Sharing

GDPR and International Frameworks

In the UK, personal data is protected by the UK General Data Protection Regulation (GDPR) (UK Information Commissioner's Office 2018), the Data Protection Act (DPA) 2018 (UK Public General Acts 2018) and, where data is shared with or concerned with individuals in Europe, the EU GDPR (European Parliament 2016). UK GDPR law is based upon the EU GDPR law, which is one of the strictest privacy and security laws in the world. These GDPR laws set out seven key principles for the processing of personal data:

• Lawfulness, fairness and transparency – data must be processed lawfully, fairly and transparently to the data subject
• Purpose limitation – data must be collected for specified, explicit and legitimate purposes
• Data minimisation – only the minimum data necessary for the specified purpose should be collected or processed
• Accuracy – data must be kept accurate and up to date
• Storage limitation – data must be kept for only as long as necessary for the specified purpose
• Integrity and confidentiality – data processing must be done in a way that ensure appropriate security, integrity and confidentiality
• Accountability – the data controller is responsible for demonstrating compliance with these principles

Full details of these principles can be found in Article 5(1) and Article 5(2) of the UK GDPR and Article 5.1-2 of the EU GDPR law. One of the most important features of GDPR is that it is tied to the location of the citizens or residents whose data is being processed, and not to the location of where that data is itself stored. This means that GDPR applies even if the data is being processed or collected outside of the EU or UK, e.g. if a company outside of Europe processes data of EU or UK citizens or residents GDPR law still applies. The effect of this has been that many countries outside of Europe have also updated, or are in the process of updating, their own data protection laws to mirror that of the GDPR framework. For example, see legislation and work in Japan (Kumazawa 2019, Nishimura 2021, Japan Personal Information Protection Commission 2020), Singapore (Singapore Government 2012, Singapore Personal Data Protection Commission 2019, Singapore Competition and Consumer Commission 2019), Australia (Adams & Allen 2014, Australian Government, n.d.).

In the USA, at the time of writing, they are still in the process of updating laws which previously applied to specific sectors to be cross-sectoral as is seen in GDPR (U.S. Federal Data Strategy 2020). Federal legislation in USA is also supplemented by state level legislation in some cases (e.g. California) (Tierney 2019). The U.S. Federal Data Strategy will be similar to the framework adopted in Canada, where there is both federal and state level guidance for data protection.

As many of these other national data protection legislations align with current GDPR legislation and as this report is focused on data held within the Scottish public sector, the discussion below focuses on the pathways for data sharing that are permissible under GDPR legislation.

GDPR and Personal Data Sharing

Given the widespread impact of GDPR laws, we examine in detail the current laws before then going on to outline how data sharing currently operates under these laws. The first two principles of GDPR (Lawfulness, fairness and transparency; and Purpose limitation) regulate the sharing of personal data across the UK and Europe.

Firstly, data must be processed lawfully, as covered in the first principle. Article 6 of the UK GDPR sets out the six lawful bases, at least one of which must apply when processing personal data:

• Consent is given by the individual for the data to be processed for the specified purpose
• The processing is necessary for a contract the data controller has (or is about to have) with the individual whose data is involved
• The processing is needed because of a legal obligation
• The processing is needed to protect someone's life
• The processing is necessary to perform a public task, be that a task that is in the public interest or one that is part of official functions that are clearly based in law
• The processing is needed for the legitimate interests of the data controller or a third party. Note: This lawful base cannot apply to public authorities' data processing.

The second principle outlined in GDPR is that of purpose limitation. In full, this principle states that personal data will be:

collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.^[4]

Taken together these principles considerably limit the scope for different pathways of data sharing. In practice, they mean that one of the following must be done: 1) consent must be obtained from the data subject to allow the processing of their data for this new secondary purpose or 2) the data controller must find another legal basis through which to justify the reuse of the data. In the following sections, we describe pathways for data sharing where the consent of the data subject is not possible. In section five, we provide a brief reflection on options that are used where consent is possible.

When the data being processed is special category data, there are further stipulations set out in the UK GDPR and UK Data Protection Act 2018. First, special category data can only be processed if it meets one of the ten conditions outlined in Article 9 of the UK GDPR, and additional conditions set out in Part 1 and 2 of the DPA 2018. Broadly, these conditions cover data processing for: cases where explicit consent is given; where the data has been made public by the data subject; reasons of substantial public interest; and a variety of sector specific reasons, such as health and social care or research and statistics that have a legal basis. Where reasons of public interest are given, the DPA 2018 outlines 23 public interest conditions, the most appropriate of which should be selected. These conditions are outlined in Box 1

Box 1: Substantial public interest conditions outlined in DPA 2018

The 23 public interest conditions are:

• Statutory and government purposes
• Administration of justice and parliamentary purposes
• Equality of opportunity or treatment
• Racial and ethnic diversity at senior levels
• Preventing or detecting unlawful acts
• Protecting the public
• Regulatory requirements
• Journalism, academia, art and literature
• Preventing fraud
• Suspicion of terrorist financing or money laundering
• Support for individuals with a particular disability or medical condition
• Counselling
• Safeguarding of children and individuals at risk
• Safeguarding of economic well-being of certain individuals
• Insurance
• Occupational pensions
• Political parties
• Elected representatives responding to requests
• Disclosure to elected representatives
• Informing elected representatives about prisoners
• Publication of legal judgments
• Anti-doping in sport
• Standards of behaviour in sport

As well as being able to meet one of the various conditions outlined in the legislation, GDPR also requires deciding if an 'appropriate policy document' is needed (UK Information Commissioner's Office, n.d.c), which in some cases will need to outline why it is not possible to get individuals' consent for the data processing. In addition, across both special category data and personal data processing, a Data Protection Impact Assessment (DPIA) is usually required as the processing of these data types may be of high risk to the individual. A DPIA outlines the purpose and scope of the data processing, identifies risks to the individual and measures what will be taken to mitigate those risks (UK Information Commissioner's Office, n.d.e) and should be made available to the public.

Finally, when data being processed is personal data, ICO's data sharing code of practice based on GDPR specifies that a data sharing agreement must be drawn up that outlines: the parties involved, the purpose of the data sharing (the aim, why the data being shared is key to achieving those aims, the benefits to the data subjects or society), details of the data that will be shared, and justification for the lawful basis of sharing (UK Information Commissioner's Office, n.d.f). The agreement can also include details of liability, any limitations to data use, and details of the duration of the agreement. In the UK, these agreements are kept in publicly searchable lists maintained by each of the data controllers; for example, see lists maintained by the Department for Education (UK Department of Education 2022) or the NHS (NHS Digital 2020). Data sharing agreements must be made with each of the data controllers that are responsible for the data seeking to be shared. As data in Scotland and the UK are not usually stored within one centralized database, this can mean multiple data sharing agreements will be needed with each of the relevant public bodies.