Cabinet Office Homepage

Data Protection Act 1998: Guidance for Cabinet Office Staff

Standards and Best Practice Handbook for Government Departments

15. Data Sharing

Issue

The second data protection principle states that “personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes”. If a department proposes to share personal data, whether between different units within the department, or by sharing with an outside body, that principle must be complied with. The data sharing must be legitimised by a Schedule 2 condition (and Schedule 3 where necessary).

2. “Joined-up government” implies that greater and better use should be made by government departments of the personal data which they hold. This includes sharing it with other departments, in order to provide better tailored services for members of the public, and also to verify that the data held is accurate. This must be balanced however with the need to ensure that people’s personal data is being processed securely and in accordance with their rights.

Standards

3. Data sharing must always be legitimised by a Schedule 2 condition and, if applicable, a Schedule 3 condition. Data subjects should be informed of the processing, where appropriate. Data sharing should only take place where the aims cannot be achieved by other, less intrusive, means. Although the first and second data protection principles are important here, the Data Protection Act is not the only consideration when sharing personal data, and the requirement for vires, the law of confidence and the Human Rights Act must also be taken into account.

Recommended best practice

4. Where personal data has been acquired by a department for one purpose, it can be shared within the department to be used for a different purpose, provided that the secondary purpose is not inconsistent with, or in contradiction to the primary purpose, or the processing is not expressly prohibited. Personal data should not be passed to another department if the data subject would not have anticipated such a transfer, unless a Schedule 2 condition (and where appropriate a Schedule 3 condition) can be identified. When departments intend to share personal data, it is vital that they check any governing statutes or other statutory provisions which may restrict what they propose to do.

5. Some data sharing is specifically authorised in legislation; for example the Department for Work and Pensions can share specified data through:

The Tax Credits Act 1999
The Welfare Reform and Pensions Act 1999
The Television Licences (Disclosure of Information) Act 2000, and
The Social Security Fraud Act 2001.

6. Schedule 2 specifically authorises processing where it is necessary:

1. for the administration of justice,
2. for the exercise of any functions conferred on any person by or under any enactment,
3. for the exercise of any functions of the Crown, a Minister of the Crown or a government department, or
4. for the exercise of any other functions of a public nature exercised in the public interest by any person.

7. Departments are likely to be able to justify some data sharing under the above conditions. The data subject should not be left unaware that the data sharing is taking place, and departments may have to inform them of the processing, as required by Schedule 1 Part II paragraph 2(1). Where, however, the data sharing is for certain purposes, such as combating crime, the fair processing conditions would not require the data subject to be informed.

Data Protection Handbook [PDF, 710KB]

[Top]