Legal framework for sharing data

The legal framework for sharing data can be complicated and overlapping, but it is still up to you to identify the legal basis before you share any personal data.

The main legislation is:

  • The Data Protection Act 2018
  • The UK-GDPR
  • and the Human Rights Act 1998.


The Local Government Acts and the Localism Act 2011 give the council its main statutory powers to collect and use personal data, but there are many more Acts that lay out the reasons why data collection is necessary to a specific function.

Sector specific legislation

There will be sector-specific legislation or regulations which also protect the personal data you handle in a wider lawful sense for your area, and you are best placed to be the expert on that legislation. Remember also that contractual or other agreements, or even copyright infringement, may have an impact on the lawfulness of sharing personal data.

Research Data

Research data for specific sectors, such as finance, education and health, may allow further data use after the personal data has been collected. As always, any personal data obtained or used for research should be limited to the minimum amount of data which is reasonably required to achieve what you need and, wherever possible, any personal data should be made anonymous so that the data subjects cannot be identified. Check your local procedures on anonymisation or read the ICO guidance.

There are various pieces of legislation and frameworks, including those relating to the use of non-personal data. For example, health research has its own UK Policy Framework for Health and Social Care Research drafted by the NHS Health Research Authority (HRA). The NHS HRA also provides specific guidance for health researchers on the new data protection principles.

7 Golden rules

The 7 Golden rules to sharing information for practitioners is non-statutory advice that the Government has written for all front-line practitioners and senior managers working with children, young people, parents and carers who are making decisions about sharing personal information. The advice helps to clarify the current legislation around data protection and makes it very clear that information sharing is an essential part of keeping children safe. They can be summarised as:

Golden rules

  • Obtain consent to share
  • Liaise if the information is inaccurate or unreliable
  • Don't share more than is necessary
  • Ensure the information is shared securely and safely
  • Necessitate the reason for sharing information
  • Record what information is shared
  • Unsure? Check with manager or information specialist
  • Legitimate reason for sharing information
  • Establish the requestor's identity
  • Suspect a breach? Report it immediately

The seven golden rules guidance published by Government expands on the above and includes a helpful flow chart to help you make clear decisions on sharing.

If you are in doubt about the legal basis for sharing, or if you have questions about how you should share, contact your Data Protection Officer or Information Governance Team.