GDPR and data sharing

Practical insights and inspiration for achieving better public service outcomes. Data lies at the heart of what we do. This collection seeks to help local public service organisations unlock the potential of data, whilst protecting the people and communities that they are there to serve.

There is no shortage of useful reference, case studies and advice on the General Data Protection Regulation which came into force in 2018. It is a valuable tool in terms of putting citizens and their data at the heart of information management and data collection. It links closely to good data ethics, but also requires strong information governance policies and practices to ensure efficient compliance. Public services have a responsibility to set an example in how personal data is managed and used (if the public sector cannot be bothered, why should the private sector?).

There are also of course strong business drivers – whether consumer, customer, citizen, service user, etc., if they lose trust in how public bodies use and hold their personal data they are unlikely to allow it to be collected, shared or stored, and that will undermine digital transformation and the service improvement and efficiencies that go alongside.

The citizen expects their public services to use data to:

keep them and their family safe
stop any invasion of privacy and intrusion
protect them from exploitation

GDPR compliance helps with this but is not enough. For citizens to truly be in control of their data much needs to change within our public services, and also in the data maturity and awareness of citizens (does anyone really read the many ‘accept these terms’ if they want to access information or services on the Web?).

This is changing over time, and as systems become more automated, data safety is a differentiator, a marketing opportunity, a way of growing trust and business in a digital world with increased digital risks to consumers.

It is helpful in any data sharing project to begin by setting out the principles and purposes of sharing (to support joint working, for example). What outcomes are desired and how can these be measured? In particular, this should consider how sensitive data (commercial or personal) will be handled and shared if required.

Perhaps the most common area for data sharing is between health and social care, or in complex safeguarding situations (vulnerable adults or children). Other areas include tackling crime and its causes, and tackling (or avoiding) some of the issues associated with ‘troubled families’. Data sharing across public service boundaries can result in more timely intervention and the avoidance of bigger and more costly social problems to resolve, especially where solutions lie across a range of public service organisations.

Other examples of sharing data are less sensitive or complex and may simply be to support joint service delivery for economies of scale or efficiencies, found across many local public services or with suppliers who are taking on a part of the challenge of public service delivery.

“Data sharing across the public sector will be key – e.g. to support child and adult safeguarding, sustainable transformation plans for health and social care, or strategic economic plans.
Data sharing will therefore need to be delivered operationally (e.g. to connect people with technology) and strategically (e.g. setting up new arrangements like an office of data analytics, delivering on ML, AI and predictive analytics). This will mean improving behaviours, technology and governance.”
Neil Crump, Chair of STP and Worcester Office of Data Analytics, Worcestershire County Council

Creating a culture for information sharing requires a range of ingredients beyond the IT. Many organisations find data sharing hard because they don’t naturally have an open culture when it comes to data, or they worry about security and privacy perhaps because their IT or information practices are immature. A starting position is to produce an information sharing protocol that defines as openly as possible, within legal and commercial restrictions, how information sharing can operate.

Here are some examples to guide the development of shared policies and principles:

Ensure a principle of ‘capture once and share’ is applied in the context of partnership working in general and joint working data needs specifically
Capture data as close to the source as possible, avoiding duplication of data capture of the same data in different organisations
Always share where it can reduce data duplication, rekeying data and the cost of information input and maintenance
Ensure that all sharing partners sign up to common responsibilities and standards regarding Information management, agreed protocols and principles, as well as the regulatory environment
Ensure all the organisations participating in an information sharing agreement manage and design information systems and websites around the user need, not just the priorities, operational efficiency and preferences of the service organisation
Whilst the principle of sharing is to ensure that information is as open and accessible as possible, at the same time each organisation will need to address and describe data security, confidentiality, integrity, legality and reliability of the information and how this is maintained.
All organisations agree that unauthorised access and/or modification to information will be prevented. Ideally, joint auditing of this would be undertaken to demonstrate a common approach and delivery
Establish a joint agreement on the legal framework within which information sharing occurs, as well as shared information security policies, acknowledging the personal information belongs to the individual.
Implement identity management by partners on a consistent basis to ensure all partners can only access electronic information in an appropriate fashion where it is being shared. Each organisation will maintain an information publishing schema
Each organisation will maintain a documented information ownership register, so there is clarity on who is responsible for ensuring published information, it’s accuracy, GDPR compliance etc., and that this is reviewed
Information should be stored by each participating organisation in such a way that makes it easy to retrieve, and, where any duplication is necessary, mechanisms are in place to ensure data consistency and accuracy are retained across related data sense.
Data classifications, attributes, when the data was created, where it is stored and how it is transmitted, will be established in a consistent fashion across partners. Ensure that processes are in place for this common information market archive and ultimately destruction
Each organisation will work together to both share and to jointly develop information skills in their organisations, ensuring a consistent approach to informational management responsibilities, employee responsibilities as well as governance. This includes the principle that information management is everybody’s responsibility, and the training, awareness, communications and systems for information management and use are shared appropriately.