Sharing Data – the legalities

1. Sharing Data within – the UK

The sharing of data within the UK is governed by the Data Protection Act 1998.

Schedule 1 to the Data Protection Act lists the data protection principles in the following terms:

1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless –

(a) at least one of the conditions in Schedule 2 is met, and
(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

4. Personal data shall be accurate and, where necessary, kept up to date.

5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

6. Personal data shall be processed in accordance with the rights of data subjects under this Act.

7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Exemption:
Section 29 – Crime and taxation

(1) Personal data processed for any of the following purposes—
(a) the prevention or detection of crime,
(b) the apprehension or prosecution of offenders, or
(c) the assessment or collection of any tax or duty or of any imposition of a similar nature,
are exempt from the first data protection principle (except to the extent to which it requires compliance with the conditions in Schedules 2 and 3) and section 7 in any case to the extent to which the application of those provisions to the data would be likely to prejudice any of the matters mentioned in this subsection.

(2) Personal data which—
(a) are processed for the purpose of discharging statutory functions, and
(b) consist of information obtained for such a purpose from a person who had it in his possession for any of the purposes mentioned in subsection (1),
are exempt from the subject information provisions to the same extent as personal data processed for any of the purposes mentioned in that subsection.

(3) Personal data are exempt from the non-disclosure provisions in any case in which—
(a) the disclosure is for any of the purposes mentioned in subsection (1), and
(b) the application of those provisions in relation to the disclosure would be likely to prejudice any of the matters mentioned in that subsection.

(4) Personal data in respect of which the data controller is a relevant authority and which—
(a) consist of a classification applied to the data subject as part of a system of risk assessment which is operated by that authority for either of the following purposes—
(i) the assessment or collection of any tax or duty or any imposition of a similar nature, or
(ii) the prevention or detection of crime, or apprehension or prosecution of offenders, where the offence concerned involves any unlawful claim for any payment out of, or any unlawful application of, public funds, and
(b) are processed for either of those purposes,
are exempt from section 7 to the extent to which the exemption is required in the interests of the operation of the system.

(5) In subsection (4)—
“public funds” includes funds provided by any EU institution;
“relevant authority” means—
(a) a government department,
(b) a local authority, or
(c) any other authority administering housing benefit or council tax benefit.

2. Sharing Data within – Europe

There are no restrictions on the transfer of personal data to EEA countries. These are currently the EU countries plus Iceland, Liechtenstein and Norway:

Austria
Belgium
Bulgaria
Croatia
Cyprus
Czech Republic
Denmark
Estonia
Finland
France
Germany
Greece
Hungary
Iceland
Ireland
Italy
Latvia
Liechtenstein
Lithuania
Luxembourg
Malta
Netherlands
Norway
Poland
Portugal
Romania
Slovakia
Slovenia
Spain
Sweden

3. Sharing Data within – the USA

Although the United States of America (US) is not included in the European Commission list, the Commission considers that personal data sent to the US under the voluntary “Safe Harbor” scheme is adequately protected.

4. Sharing Data within – Other

Other non-EEA countries that are deemed to have adequate protection in place:

Andorra
Argentina
Australia
Canada
Faroe Islands
Guernsey
Isle of Man
Israel
Jersey
New Zealand
Switzerland
Uruguay