Governing data sharing activities can be a challenge – so how are organisations setting themselves up to overcome this and deliver benefits?

What constitutes a data share?

The ICO defines a data share¹ as “the sharing of personal data between organisations that are controllers. It includes when you give access to data to a third party, by whatever means. Data Sharing can take place in a routine, scheduled way or on a one-off basis.”

What are some of the barriers to sharing data?

Our work across both public and private sector has given us first-hand experience of organisations’ ambitions to share data to improve services, innovate and benefit customers and citizens. On the other hand, we have also seen how sharing data can be fraught with several complex challenges that are often thought to outweigh the benefit such as legal and regulatory constraints, resource limitations, and fear of reputational damage or enforcement action.

What are the key considerations when assessing a data share?

Any decision to share data should consider a range of impacts including its Purpose, Legalities, Security and Operational Risk. Effective governance therefore requires a defined policy and evaluation process developed through engagement with multiple stakeholders.

Decisions to relocate an organisation’s data assets cannot be made ‘off-the-cuff’ without incurring high levels of risk or delay. A data sharing strategy, backed with a defined policy and case approval process, is key to maintaining delivery pace while mitigating risk. One option is to establish a governance forum, consisting of members from Data Protection, Security, Architecture, Legal and Data and Analytics who can review and approve requests using a risk-based approach, for example:

• Low Risk: If an incident (such as loss, corruption, or theft) was unlikely to occur, it will have little impact on the organisation’s ability to function or the customer and citizen themselves;
• Medium Risk: If an incident was likely to occur, it will have a meaningful impact on the organisation’s ability to function or the customer and citizen themselves; and
• High Risk: If an incident was highly likely to occur, it will have a catastrophic impact on the organisation’s ability to function or the customer and citizen themselves.

This risk-based approach can then be used to determine the level of governance required for a data share: low risk shares require the least governance, and high risk shares require the most. The following topics should be used to consider the risk level of a data share:

• Purpose & Value: Is there a clearly defined reason and benefit to wanting to share this data?
• Security Risk: Does the share cause an increase in security risk beyond risk appetite? Is the method of transfer used secure enough for the sensitivity of the data being shared?
• Ethics: Is there an ethical reason why this data should or should not be shared?
• Legal Risk: Is there legal justification that allows the organisation to share data?
• Operational Risk: Are customers or citizens adversely impacted if the organisation does or doesn’t share the data?
• Data Protection Risk: Has a Data Protection Impact Assessment been completed for any personal data being shared?
• Architecture: Does the share of data lead to unacceptable additional architectural vulnerabilities or complexities?
• Data Governance: Does the Data Owner approve the change? If the share causes a change of ownership, does the owner accept accountability?
• Cost: What is the cost impact of sharing the data?

Based on these insights, what should your organisation be thinking about to better govern data shares and manage risk more effectively?

Consider the following key steps to enhancing the capability to scale data shares whilst maintaining governance and control:

• Create a Data Sharing Policy or add to an existing policy to set out clear responsibilities, approach and fundamental principles for the management of data shares within your organisation and with third parties. Consider what your approach will be to sharing sensitive personal data about children or vulnerable/protected individuals and the steps you will take if there is an urgent situation or emergency to share data.
• Undertake a data discovery exercise to understand what data you share with third parties and maintain a record of; what data is being shared, the scale of the share (how much and how often), the legal and lawful basis for doing this, the transfer method used, and the governance in place.  A simple Excel spreadsheet may be appropriate to capture this information in the first instance but as your capability matures you may want to consider technologies that allow you to easily manage and maintain this log of information.
• Conduct a review of your Data Sharing Agreements (DSAs) to understand if you have all the necessary agreements in place and that they comply with UK GDPR, DPA 2018 and your Data Sharing Policy. Put plans in place to address any gaps in compliance.
• Upskill your organisation to improve your colleagues’ knowledge on what they can and cannot do when sharing data and how to do it securely and in-line with the Data Sharing Policy. This could include Data Sharing Champions, online learning, roadshows, and intranet guidance.
• Establish a team to provide co-ordination and support to functions within your organisation, to improve the governance and management of data shares. In our experience, a central team is critical to roll-out this change. As new ways of working become business as usual, the structure and responsibilities of the central team should be reviewed to establish whether a federated model is more appropriate.
• Develop a Monitoring and Compliance Framework to monitor your organisation’s compliance with the Data Sharing Policy, UK GDPR, and any other relevant regulations you are governed by.

References:

1. https://ico.org.uk/for-organisations/guide-to-data-protection/ico-codes-of-practice/data-sharing-a-code-of-practice/data-sharing-covered-by-the-code/