Although not all organizations rely on data sharing as a core process in their business models, most organizations need to share some amount of personal information to operate efficiently. For example, data is often shared with third parties who supply tools for HR processes. In many cases, employee personal information is entered and stored on the third party’s servers, where the use and protection of that information is out of the employer’s control.
Whether data sharing is a key operation or a passive transfer, organizations should determine whether sharing the data is permitted, consider the privacy and compliance implications involved, and ensure appropriate protections are in place for the shared data.
Purpose: To share or not to share
- Identify the purpose or objective of sharing data that contains personal information.
- Consider whether the objective can be achieved without data sharing.
- Consider whether the types of personal information being shared would be reasonably expected by the individuals to whom the information relates.
  - Tip: Unreasonable or unexpected sharing of personal data could be considered an unfair or deceptive act. These practices are overseen by the Federal Trade Commission.
- Ensure that the organization has the authority to share the data.
  - Tip: In some instances, an organization may be required to obtain consent from individuals. Without consent, some data sharing arrangements may violate contractual or regulatory obligations.
- Identify what data will be shared, which organizations will be involved in the sharing arrangement, and who needs to be informed of the arrangement.
Agreements: Get commitments in writing
- Agree on common retention periods for the data.
  - Tip: Be sure the data sharing arrangement meets or exceeds the privacy commitments originally made to individuals.
- Specify the deletion or destruction processes and what will trigger erasure.
- Include specific data security requirements.
  - Tip: Reasonable data security is a constantly evolving standard. It is good practice to include specific technical capabilities. This can be done by referencing a specific data security standard such as ISO or NIST, including the organization's security policies as an addendum to the agreement, or listing out specific data security practices.
- Be sure data breach notifications from third parties will be provided promptly enough for the organization to be able to notify its own users.
- Build in contractual limitations on who in the third-party organization can access the shared data and for what purposes.
  - Tip: The purposes for use by a third party shouldn’t exceed the scope of consent originally given by the individuals.
Security: Beyond contractual obligations
- Obtain a copy of the third party’s data security policy. This policy should generally include commitments related to:
  - Network operations
  - Data storage
  - Data access
  - Data transmission and encryption
  - Audits and/or standards
  - Data breach and incident response
- Identify which of the third party’s security practices are less stringent than the organization’s, and consider whether additional security requirements are needed.
- When appropriate, conduct a site visit to the third-party organization to verify its security practices.
  - Tip: More organizations are being held accountable for the security failures of third parties in data sharing arrangements. Depending on the quantity and sensitivity of the data being shared, due diligence may include a site visit to, or an audit of, the location where the data will be processed or stored.
- Know the third party’s mandatory disclosure requirements (e.g. court orders, warrants, contractual obligations, etc.), and consider whether any would be inconsistent with the organization’s policies.
- Set a timeline for regular review or update of the security requirements as technology advances.