Ad-Hoc Data Sharing Requests

Written by Carrie James, Data Protection Consultant.

Your organisation has received a request for information about one of your customers from another organisation that is a separate data controller, for example the police, the local council or a utility company… what do you do?

Depending on your organisation, you may come across these types of requests fairly frequently. It could be a utility company requesting a customer’s forwarding address to chase an unpaid bill or it may be the police requesting CCTV footage as part of an investigation. These requests should be treated as ‘ad-hoc’ data sharing requests as they are a one-time only data share that will not be ongoing once it has been completed.

Ad-hoc data sharing requests are different to Subject Access Requests (SARs) and should not be put through the same process. A SAR is the data subject (or their nominated representative) asking for a copy of their own data using Article 15 of the UK GDPR. An ad-hoc request is made between controllers without the data subject being involved and is not processed under Article 15.

Examples of ad-hoc requests include:

◉  The police asking for CCTV footage using Schedule 2, Part 1 (2) of the Data Protection Act 2018 (Crime and Taxation).
◉  A company requesting a job reference for a staff member who has applied for a new job
◉  A utility company asking for a forwarding address to chase a debt owed by the data subject

As explained above, ad-hoc requests are only between data controllers. As the disclosing data controller, you have a number of considerations to keep in mind when you receive one of these requests.

What to consider

The requesting organisation should make a few things clear, including:

◉  What information they want
◉  Why they want it
◉  How it would prejudice their work if they do not receive the information
◉  A description/justification of the lawful basis being relied upon for the data sharing between the controllers
◉  Whether the data subject is already aware of the request or is not to be informed (and why)

It is then up to your organisation to consider the request. You may need to ask the controller for more information to understand why they want the data, as they may have asked for a lot of details about the data subject without fully justifying how these would be useful to them.

When deciding whether to disclose the information, you should consider:

◉  Who created the data? Did you receive the data via another third party who would need to be informed of this request?
◉  Is the requested information proportional and necessary to meet the reason for the request?
◉  Can you determine and justify a lawful basis for sharing the information?
◉  Are there any restrictions on the use of the data which may prevent you from sharing it?

Documentation

In terms of documentation, you should be keeping a log of these requests. As best practice, this log should, at a minimum, give each request a reference number and record the details of the request itself, whether the information was disclosed or not, and who within your organisation approved this.

Ideally, you will have a Data Sharing Policy/Procedure in place which describes the steps you would take when handling these requests. You could also have a specific policy for ad-hoc requests as, depending on the information being asked for, the disclosure may require approval by senior staff.

Furthermore, your Privacy Notice should identify that the organisation may give effect to ad-hoc data requests and that some limited information may be shared, pursuant to data protection laws, for purposes of crime prevention and detection, law enforcement, national security, substantial public interests, for recovery of debts owed, and for overriding safeguarding and welfare needs with appropriate authorised professionals.

Disclosure

Many of these requests are not time-sensitive but, in some cases, you may need to consider disclosing the information in an emergency situation. The ICO Data Sharing Code of Practice states ‘An emergency includes:

◉  Preventing serious physical harm to a person;
◉  Preventing loss of human life; protection of public health;
◉  Safeguarding vulnerable adults or children;
◉  Responding to an emergency;
◉  Or an immediate need to protect national security.’

When deciding whether to share in an emergency, you should also consider the risks of not providing the information, as it may be more harmful to the data subject to withhold the information than to disclose it.

It is therefore very important that you have a policy on ad-hoc data sharing and a procedure which is ingrained into the workforce through training and awareness. You don’t want people having to make it up as they go along, nor do you want an inconsistent approach. A procedure provides structure and supports the need for accountability and compliance.

You may find that some organisations make regular ad-hoc requests, in which case you should really have a data-sharing agreement with them.

If you choose to disclose the data, you should do so in a safe and secure manner (as you would with a SAR). You don’t want to cause a data breach in the process of helping another controller!

Once closed, keep all documentation on file until the end of its retention period.
