Data sharing process
To be able to meet our statutory functions and responsibilities, East Dunbartonshire Council (“the Council”) must obtain and use information about individuals.
This personal information, however it is acquired, held, used, released or destroyed, must be dealt with lawfully, fairly and transparently.
The General Data Protection Regulation (“GDPR”) sets out the Council’s legal responsibilities. Read East Dunbartonshire Council’s Policy for the handling of personal information.
One of the ways in which the Council will use an individual’s personal data is to share it. The Council will always respect the rights of data subjects and will only share personal information where doing so is fair and lawful. This policy sets out the Council’s policies on the sharing of information.
Purpose and scope
This policy sets out the Council’s decision-making process and practices for the sharing of personal information. This data sharing is understood to include both the sharing of personal information with outside organisations and between different functions of the Council.
This Policy applies to all Council employees and Elected Members when carrying out business on behalf of the Local Authority.
Policy review
This policy will be reviewed annually to reflect operational improvements and changes to best practice.
Request to share personal information
Please complete the form in the documents section below and submit to the Data Protection Officer at the following email address: dpo@eastdunbartn.gov.uk
Please contact the Information Management Team should you wish to discuss the application.
Data sharing
It is often necessary for the Council to share personal information. This sharing is carried out in order to meet the needs of the individuals or to meet statutory responsibilities.
Broadly speaking, personal data sharing falls into two categories:
- A one-off sharing of personal information
- A systematic or routine sharing of personal information.
The sharing of information may also fall into two other categories:
- Sharing of personal information between the Council and other organisations
- Sharing of personal information between different functions of the Council.
Data sharing with other organisations
This could be:
- A reciprocal exchange of personal data between organisations
- One or more organisations providing data to a third party or parties
- Several organisations pooling information and making it available to each other
- Several organisations pooling information and making it available to a third party or parties
- Exceptional, one-off disclosures of data in unexpected or emergency situations.
Other organisations are those separate from the Council. This could be other Local Authorities, the Police, the NHS, the East Dunbartonshire Health and Social Care Partnership, Scottish Government, Her Majesty’s Revenues and Customs, other departments of Westminster Government or another regulatory body. It also includes MPs, MSPs and MEPs.
Data Sharing within the Council
This is where different parts of the same organisation make personal information available to each other.
It would be reasonable to assume that the term data sharing refers solely to the exchange of personal information between the Council and an external organisation. However, this is not always the case.
The Council processes personal information for clearly established purposes. These reasons for the Council using personal information should be clearly explained to the individual data subject.
It is vital to remember that personal information held by one part of the Council is not, for that reason, freely available to the Council as a whole. Rather, the purpose for which it was obtained must be respected.
It is this use of personal information for a different purpose that would be considered sharing within the Council.
It is a breach of GDPR to use personal information for another purpose unless strict criteria are met, so the decision to share information within the Council must be considered with the same seriousness as a decision to share with an outside organisation.
Information commissioner and data sharing
The Information Commissioner’s Office (ICO) is the United Kingdom’s data protection regulator. Having carried out a consultation exercise, the Information Commissioner published a Code of Practice setting out their views on the sharing of personal information.
In the foreword to the Code of Practice the Commissioner states:
“… under the right circumstances and for the right reasons, data sharing across and between organisations can play a crucial role in providing a better, more efficient service to customers in a range of sectors – both public and private. But citizens’ and consumers’ rights under the Data Protection Act must be respected.
Organisations that don’t understand what can and cannot be done legally are as likely to disadvantage their clients through excessive caution as they are by carelessness. But when things go wrong this can cause serious harm. We want citizens and consumers to be able to benefit from the responsible sharing of information, confident that their personal data is being handled responsibly and securely.”
The benefits of robust data sharing arrangements are:
- Better protection for individuals when their data is shared
- Better public trust by ensuring that legally required safeguards are in place and complied with
- Minimised risk of breaking the law and consequent enforcement action by the ICO or other regulators
- Increased data sharing when this is necessary and beneficial
- Greater trust and a better relationship with the people whose information we want to share
- Reduced reputational risk caused by the inappropriate or insecure sharing of personal data
- A better understanding of when, or whether, it is acceptable to share information without people’s knowledge or consent or in the face of objection
- Reduced risk of questions, complaints and disputes about the way we share personal data.
Fair and lawful sharing of personal information
The decision to share personal information should not be taken lightly.
The Council must be able to demonstrate that the sharing is proportionate and fair to the individuals whose personal data will be shared.
- The sharing of personal information must be carried out for a clearly understood and defined purpose
- The sharing of information should be carried out to meet objectives that can only be achieved by sharing the personal information
- Personal information can only be shared where the data subject has consented to the use of the information or there is another legal basis to share.
These grounds to share information are given through the conditions to process in Article 6 of the GDPR:
- Consent
- The processing is necessary:
  - In relation to a contract which the individual has entered into; or
  - Because the individual has asked for something to be done so they can enter into a contract
- The processing is necessary because of a legal obligation that applies to you (except an obligation imposed by a contract)
- The processing is necessary to protect the individual’s “vital interests”
  - This condition only applies in cases of life or death, such as where an individual’s medical history is disclosed to a hospital’s A&E department treating them after a serious road accident
- The processing is necessary for administering justice, or for exercising statutory, governmental, or other public functions
- The processing is in accordance with the “legitimate interests” condition
  - The ‘legitimate interests’ condition provides grounds to process personal data in a situation where an organisation needs to do so for the purpose of its own legitimate interests or the legitimate interests of the third party that the information is disclosed to.
Special category personal data
GDPR identifies a ‘special category’ of personal information as being particularly sensitive.
Special category personal data is information as to:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Processing of genetic data
- Biometric data for the purpose of uniquely identifying a natural person
- Data concerning health
- Data concerning a natural person’s sex life or sexual orientation.
The criteria necessary to use special category personal data are given under Article 9 of GDPR. These are more difficult to meet. In addition to an Article 6 condition, one of the following conditions must apply.
Article 9 GDPR
1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.
2. Paragraph 1 shall not apply if one of the following applies:
  (a) The data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject
  (b) Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject
  (c) Processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent
  (d) Processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects
  (e) Processing relates to personal data which are manifestly made public by the data subject
  (f) Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity
  (g) Processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject
  (h) Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3
  (i) Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy
  (j) Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89 (1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
3. Personal data referred to in paragraph 1 may be processed for the purposes referred to in point (h) of paragraph 2 when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.
4. Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health.
Agreements with third parties
Where the recipient of the Council’s personal information will process solely on the Council’s instructions, that recipient will be a data processor. GDPR demands that every data sharing arrangement with a data processor has a contract in place. Sharing personal information with a processor without a contract is a breach of GDPR.
Where the recipient of the Council’s personal information will also take decisions over the personal information, that recipient will also be a data controller. The Council should have in place a formal data sharing arrangement to defend the Council.
The Council has put in place an approval process for the sharing of personal information. Service Areas wanting to share any personal information held will seek approval to do so.
An application will be made to the Information Management Team, which will review and consult with the service area and the Council’s Data Protection Officer (DPO) before a decision is taken on the sharing of the personal data.
The Council has prepared two forms to process this application. One form covers systematic and ongoing data sharing agreements. A separate application form covers one-off requests to share personal data.
These forms require explicit justification for the sharing of information and serve as the record that the Council’s actions are both fair and lawful.
One-off requests to share personal data with the Police will not be dealt with through this approval process. Existing arrangements will remain. This type of request will be treated separately. In these circumstances, a request form will be provided to the Council by the Police and passed to the Information Management Team directly.
East Dunbartonshire Council's forms to share personal data are attached in the documents section of this page.
Requests to share information will be supported by a Privacy Impact Assessment and, where appropriate, a Data Sharing Agreement will be agreed between the Council and the third party organisation.