Recording violent or aggressive incidents

Information and guidance on how to correctly share personal information with other organisation

Sharing personal information with other organisations

Every organisation has a legal responsibility to ensure that their risk assessments are suitable and sufficient. To identify significant risks, you need to have all the relevant information available.

When you need to share information between organisations, you need to make sure that you adhere to General Data Protection Regulation (GDPR) guidance.

GDPR and the Data Protection Act 2018 set the rules and basis for data management. 

  • It is legal to share information if the purpose is to protect the health and safety of employees.
  • It is necessary for organisations to have arrangements in place to ensure that this is done only when necessary, and adheres to GDPR guidance.
  • It is important that the information kept is accurate and fair.

Prior to sharing information, the organisation holding it must consider carefully how any recipient organisation or department is going to use it, and what the effect on people is likely to be. Your policy needs to be very explicit about this. It is good practice to get a data-sharing agreement with the recipient organisation.

You can find more information about sharing information on the Information Commissioner’s Office website (external site).

Processing data

Article 6 of the GDPR explains when you are able to share information with other organisations. You need to have a clear case to allow you to do this, and it’s very important that you keep a record of your decision and the reasons behind it.

You need to be able to demonstrate that you have a lawful reason to share information under:

  • consent – the individual gave you permission
  • contract – you have a contract with the individual and the processing of data is necessary
  • legal obligation – you share data to comply with legislation
  • vital interest – you share data to save someone’s life
  • public task – you do this to complete a task in the public interest
  • legitimate interest – you can process data in your legitimate interest. However, this cannot override a duty that you may have to protect people’s data

You can use a questionnaire from the Information Commission’s Office (ICO) to help you decide if you have a legal reason to process information.