Questions to ask when sharing data between two data controllers (from the ICO Data Sharing Code of Conduct):
- What is the sharing meant to achieve?
- What information do we need to share?
- Could we achieve the objective without sharing the data or by anonymizing it?
- What risks does the data sharing pose to individuals?
- Is it right to share data in this way?
- What would happen if we did not share the data?
- Are we allowed to share the information?
- Who requires access to the shared personal data?
- When should we share it?
- How should we share it?
- How can we check the sharing is achieving its objectives?
- Do we need to review the DPIA?