PETs Adoption Guide

Good practices for sharing and processing data

Whether you are using emerging PETs or not, there are best practices that should be followed to ensure data is shared and processed securely and responsibly. Using an individual PET does not in itself guarantee an improvement in privacy unless accompanied by a good overall privacy and security design, and appropriate governance arrangements. Examples of good practice include:

Data sharing agreement

As per the ICO's guidance, a data sharing agreement is a document setting out the purpose of data sharing between parties, covering what happens to the data at each stage, and setting standards for how data is used. A data sharing agreement can help the parties involved better understand each of their roles and responsibilities.

Whilst it is not a legal requirement to create a data sharing agreement, it can help organisations demonstrate that they are meeting their accountability obligations under UK GDPR.

Depending on the specific use case, you and the other parties may be acting as joint controllers of the data being shared, which brings additional legal obligations under UK GDPR. You should consult the ICO's guidance for advice on this.

Specific legal issues apply when sharing personal data across national boundaries.

Cybersecurity standards

Organisations storing or handling sensitive data must meet sufficiently high standards of security, through an appropriate balance of technical, procedural and personnel controls.

Relevant organisational standards for your organisation, or for a partner that you are sharing data with, include ISO/IEC 27001, or at a more basic level the National Cyber Security Centre's (NCSC's) Cyber Essentials certification.

For analysing your approach to protecting a specific bulk data set, the NCSC's good practice guide to protecting bulk personal data is an excellent resource.

It is worth noting that analytics environments which bring together large amounts of data for analysis or to train a model may need a different security approach from operational environments: data scientists, for example, often need more flexible access to sensitive data sets than operational teams do.

Making data available via APIs

Making data accessible via Application Programming Interfaces (APIs) can enable data to be shared in a more efficient, automated and secure way, for example by limiting sharing to the specific records that are required. Organisations should seek to implement authenticated APIs rather than, for example, sharing datasets as spreadsheets via email.

Access controls and auditing infrastructure

Access control systems and logging infrastructure should be in place so that data access can be restricted and monitored.
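The two practices above, an authenticated API that returns only the records and fields a partner is entitled to, and an audit trail of every access, are illustrated by the following added example. It is not code from the Adoption Guide; the partner registry, API keys and records are constructed for illustration.

```python
import hashlib
import hmac
import time

# Constructed sample dataset held by the sharing organisation (not real data).
RECORDS = {
    "r1": {"id": "r1", "postcode": "SW1A 1AA", "dob": "1980-01-01", "notes": "sensitive"},
    "r2": {"id": "r2", "postcode": "M1 1AE", "dob": "1975-06-30", "notes": "sensitive"},
    "r3": {"id": "r3", "postcode": "EH1 1YZ", "dob": "1990-12-12", "notes": "sensitive"},
}

def _key_hash(api_key: str) -> str:
    return hashlib.sha256(api_key.encode()).hexdigest()

# Hypothetical partner registry derived from a data sharing agreement: each partner's
# API key is stored hashed, alongside the record ids and fields it may receive.
PARTNERS = {
    "partner-a": {"key_hash": _key_hash("key-a"), "record_ids": {"r1", "r2"}, "fields": {"id", "postcode"}},
}

AUDIT_LOG = []  # append-only trail; a real deployment would forward this to a central log store

def authenticate(api_key: str):
    """Return the partner id for a valid key, else None (constant-time comparison on hashes)."""
    presented = _key_hash(api_key)
    for name, partner in PARTNERS.items():
        if hmac.compare_digest(presented, partner["key_hash"]):
            return name
    return None

def fetch_records(api_key: str, requested_ids):
    """Serve only in-scope records, minimised to permitted fields, and log the outcome."""
    partner = authenticate(api_key)
    entry = {"ts": time.time(), "partner": partner, "requested": sorted(requested_ids),
             "returned": [], "denied": []}
    if partner is None:
        entry["outcome"] = "unauthenticated"
        AUDIT_LOG.append(entry)
        return {"status": 401, "records": []}
    scope = PARTNERS[partner]
    out = []
    for rid in sorted(requested_ids):
        # Unknown ids and out-of-scope ids are treated identically, so existence is not leaked.
        if rid in scope["record_ids"] and rid in RECORDS:
            out.append({k: v for k, v in RECORDS[rid].items() if k in scope["fields"]})
            entry["returned"].append(rid)
        else:
            entry["denied"].append(rid)
    entry["outcome"] = "ok" if not entry["denied"] else "partial"
    AUDIT_LOG.append(entry)
    return {"status": 200, "records": out}
```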


All content is available under the Open Government Licence v3.0 except where otherwise stated.