Sharing personal data in databases and lists
At a glance
The transfer of databases or lists of individuals is a form of data sharing, whether for money or other consideration, and whether for profit or not.
It is your responsibility to satisfy yourself about the integrity of the data supplied to you.
You are responsible for compliance with the law for the data you receive, and you have to respond to any complaints about it.
In more detail
- How does data sharing apply to the acquisition or transfer of databases and lists?
- What must we do to ensure the database or list we are receiving is being shared in compliance with the law?
- What else do we need to do?
- How does data sharing interact with direct marketing?
- How does data sharing interact with political campaigning?
How does data sharing apply to the acquisition or transfer of databases and lists?
The transfer of databases or lists of individuals is a form of data sharing, whether for money or other consideration, and whether for profit or not. This section considers data sharing which has not resulted from organisational changes.
Examples of organisations involved in this type of data sharing may include:
- data brokers;
- credit reference agencies;
- marketing agencies;
- franchised businesses;
- separate parts of a business that operate independently from their head office;
- clubs and societies;
- charities and voluntary groups; and
- political parties.
Please note that some of these examples may involve transfers between controllers and processors and are therefore outside the scope of this code.
You will find it beneficial to follow the good practice set out in this code. The due diligence carried out by both the sharing and recipient controllers is crucial to compliance.
We will look at this from the viewpoint of the organisation receiving the database or list. The organisation sharing the data should follow a similar process.
What must we do to ensure the database or list we are receiving is being shared in compliance with the law?
It is your responsibility to satisfy yourself about the integrity of the data supplied to you. You are responsible for compliance with the law for the data you receive, and you have to respond to any complaints about it. You should make appropriate enquiries and checks, including the following:
- confirm the source of the data;
- identify the lawful basis on which it was obtained and that any conditions about that lawful basis were complied with;
- check what individuals were told at the time of handing over their data;
- verify details of how and when the data was initially collected;
- check the records of consent, if you are relying on consent;
- review a copy of the privacy information given at the time of collection of the data;
- check what information was given to individuals in accordance with Article 14 of the UK GDPR - ie privacy information that must be given when data is obtained from a source other than the data subject;
- check that the data is accurate and up to date; and
- ensure that the data you receive is not excessive or irrelevant for your needs.
It is good practice to have a written contract with the organisation supplying you with the data.
What else do we need to do?
You must tell data subjects who you are sharing their data with, and for what purposes. Under Article 13 of the UK GDPR you must give privacy information to data subjects at the same time as collecting the data from them. Under Article 14 of the UK GDPR you must give privacy information to individuals whose data has been shared with you indirectly “…within a reasonable period after obtaining the personal data, but at the latest within one month…”. There are some exceptions to these requirements; for example, you do not need to provide individuals with information they already have. It is your responsibility on receiving the data to be satisfied that this has been done.
How does data sharing interact with direct marketing?
If this form of data sharing is relevant to your data sharing arrangement you should read the ICO’s detailed guidance on direct marketing.
How does data sharing interact with political campaigning?
Political parties, referendum campaigners and candidates use information about voters to help them target their campaign materials more effectively and to raise funds. They may:
- buy lists and databases from organisations such as data brokers; and
- use third parties to send out campaign materials.
This may involve data sharing. Communicating with voters, such as via social media platforms and targeting political messages, may also amount to direct marketing.
You should carry out the checks described earlier in this section in order to satisfy yourself about the integrity of the data supplied to you.
If you use a third-party organisation to send out campaign materials on your behalf using your database, you may be sharing data with that external organisation, which is either a controller or a processor. For the purposes of this code, if you are both controllers you should still be careful to check and monitor what the third party is doing. You are responsible as controller(s) for that data and for compliance with the law. You should read and follow the ICO guidance on the law about both political campaigning and direct marketing.
Further reading
See the Direct marketing code and guidance on the ICO website www.ico.org.uk
See the Political campaigning guidance on the ICO website www.ico.org.uk
See the Guide to Privacy and Electronic Communications Regulations (PECR)