The legal framework for sharing information and data can be complicated and interconnected. It is individual organisations' responsibility to identify the appropriate lawful basis before they share any personal information.
The primary legislation is:
- The Data Protection Act 2018
- The UK-GDPR
- Human Rights Act 1998
The Local Government Acts and the Localism Act 2011 give local authorities their main statutory powers to collect and use personal data, but there are many more Acts and legislative frameworks that set out the reasons why data collection is necessary to fulfil specific functions.
Sector-specific legislation
There is a wide variety of sector-specific legislation and regulations that allow the lawful sharing of personal data. Individual organisations are best placed to provide expertise on legislation relevant to their sector. Contractual arrangements, copyright infringement, and other agreements may also have an impact on the lawfulness of sharing personal information.
Personal data may also be collected for sector-specific research purposes, such as finance, education and health. Any personal data obtained or used for research should be limited to the minimum amount of data which is reasonably required to achieve the desired outcomes. Wherever possible, any personal data should be made anonymous so that the data subjects cannot be identified. Check your own organisation's procedures on anonymisation.
There are various pieces of legislation and frameworks relating to the use of non-personal data. For example, health research has its own UK Policy Framework for Health and Social Care Research, drafted by the NHS Health Research Authority (HRA). The NHS HRA also provides specific guidance for health researchers on the new data protection principles.