Control measure: There are controls in place to ensure that the information shared is adequate for the purpose, accurate and of appropriate quality.

Risk: If information quality is not assured, then there is a risk of inaccurate or unnecessary information sharing. This may result in a data breach or a breach of article 5(1)(c) and (d).

Ways to meet our expectations:

  • Minimise shared personal information to agreed data sets or redact, and clearly distinguish between fact and opinion.
  • Create a process to assess whether the information shared is as complete as possible (within the bounds of what you have defined and agreed to share).
  • Seek technical advice before sharing information, if different systems are involved.
  • Record information in the same format, abiding by open standards when applicable. 
  • Inform recipients when you amend or update shared information.
  • Implement regular quality checks or verification processes to assess whether shared information is accurate and up to date. This applies to all sharing partners.

Options to consider:

  • Include examples in the sharing agreement to show how to record or convert particular data items (eg dates of birth).
  • Establish regular checkpoint meetings between all sharing partners to discuss and confirm information quality check results.

 

Control measure: There are controls in place to ensure that the information shared is not retained for longer than necessary by all parties.

Risk: If there are no controls in place, a party you share information with for a particular, limited purpose may end up retaining it after that purpose is complete. This may breach article 5(1)(e).

Ways to meet our expectations:

  • Ensure common retention and disposal arrangements are agreed between all parties prior to sharing information. 
  • Document the agreed retention and disposal arrangements within data sharing agreements.
  • Seek guarantees that recipients will delete, destroy or return shared information:
    • once the purpose is served; 
    • when a relevant retention period expires; or 
    • in the event of a breach, if appropriate.

Options to consider:

  • Request certificates of destruction from sharing partners.
  • Regularly review agreed retention and disposal arrangements during the lifecycle of the agreement.