Discovering that your personal information has been shared without your permission can be deeply upsetting. In the case of more sensitive information, the impact of such an incident can be significant and long-lasting, affecting your health, your financial situation, and your personal relationships.
Unfortunately, this is a prospect we all have to be concerned about, and understanding your rights can give you peace of mind when sharing or storing data online. This post will answer the question ‘can personal data be shared without permission?’ and cover the lawful bases for the use of personal information.
The exponential growth of digital services means many of us are sharing more of our information with an ever-larger number of companies and organisations. As we do so, the risks of our information being shared in ways we would not agree to increase, and the potential outcomes become more severe.
Thankfully, the UK has introduced strict data protection regulations in recent years. The UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018 both impose extensive and detailed requirements on organisations that store or process personal data.
Can personal data be shared without permission?
On this basis, you may be asking: can personal data be shared without permission? That is to say, do organisations need your consent, in every case, to share your data with others? The simple answer to this question is no. In fact, the UK’s data protection regulations do not require organisations to have your consent in order to share your personal information.
Nevertheless, these regulations do require organisations to specify a lawful basis for doing so. No organisation can simply share your personal data because they choose to do so – they must have a specific reason that is supported by the UK’s data protection regulations.
In this post, we’ll explain the different ways that organisations can justify sharing your personal data, answering the question ‘can personal data be shared without permission?’ We’ll also look at the steps you can take if you feel your personal data has been shared in an inappropriate manner.
The lawful bases for sharing personal data
The UK GDPR sets out six lawful bases for the use of personal information. It is important to note that an organisation must be able to justify the lawful basis it chooses to use. The lawful basis an organisation chooses must fit the kind of data they are processing and the ways they are processing it – including if they are sharing this data with others.
The six lawful bases are:
- Consent
- Contract
- Legal obligation
- Vital interests
- Public task
- Legitimate interests
As you can see, consent is simply one lawful basis among others. If an organisation does not get your consent for sharing your data, that does not necessarily mean they are acting unlawfully by sharing it.
However, if they don’t have your consent, they must have some other lawful basis for doing so. What is more, an organisation must inform you of both the uses they are making of your data and the lawful basis they are using as their reason for doing so.
Let’s look in more detail at each of these lawful bases.
Consent
This is, in some ways, the most obvious of the lawful bases. In this case, the organisation simply asks for your permission to use your data in specific ways. They must be clear about how they intend to use your data, and you must be required to opt in rather than opt out. So, for instance, an organisation cannot use a pre-checked box to indicate your consent, expecting you to manually uncheck it if you refuse.
Further, consent should be a “genuine free choice”, as the Information Commissioner’s Office (ICO) guidance puts it. If your consent is required as a condition of service, it may be the case that this does not actually count as a lawful basis for processing data. This is particularly significant if the person requesting your consent is in a position of power – for instance, your employer. If you do not feel that you can refuse consent, then it is not a free choice, and may not be a valid lawful basis.
Contract
If the use of your personal information is necessary for fulfilling a contract, this may constitute a lawful basis. A common example of this is when you purchase something from an online store. When you make a purchase, you engage in a contract with the seller. In order to uphold their part of the contract, the seller needs to send you the item you’ve purchased. As a result, they will need your address, and may also need to share it with a courier to make the delivery.
Legal obligation
There are many legal obligations that organisations need to fulfil, and some of these will require sharing personal data. For instance, your employer may need to share your details with HMRC for tax purposes. Similarly, an organisation will be justified in sharing your information if a court order obliges them to do so.
Vital interests
This refers to cases where data needs to be shared in order to prevent loss of life – whether this is yours or someone else’s. For instance, if you suffer a life-threatening injury, it will likely be necessary that your medical information is shared with the hospital treating you.
Public task
This refers to cases where the data is used as part of carrying out a task “in the public interest” or as an exercise of some official authority. While in many cases this legal basis will be relied upon by public authorities – e.g., a government agency – some private companies can use this basis if their tasks have some public function, such as a private utility company.
Legitimate interests
This is the broadest and most flexible lawful basis, covering a range of possible situations. For that reason, it’s also the most difficult to specify when it comes to the kinds of data processing it can be used to justify.
The legitimate interest basis, in general terms, is largely used for cases where an organisation is using your data in a way that you would reasonably expect. These uses should be relatively risk-free and be unlikely to have a significant impact on you. The legitimate interest basis can be used, for instance, to avoid making repeated and intrusive requests for consent in cases where the individual is unlikely to object.
The key thing to bear in mind is that organisations relying on the legitimate interests basis must have, in the ICO’s words, “some clear and specific benefit or outcome in mind” in using your data. What is more, they must balance these interests against those of the individual whose data is being processed, and they must be able to justify their decision.
The impact of the misuse of personal data
As you can see from the above, there are a variety of reasons that companies or organisations may be allowed to share your personal data without your consent. However, while some of these are designed for quite specific circumstances, others are far broader.
Nevertheless, an organisation must have some lawful basis for the information processing they do, including sharing your personal data. They must explicitly state what this lawful basis is, in a clear and easily understandable way. Generally speaking, they cannot change the lawful basis for their data processing – especially if they are processing on the basis of consent.
These safeguards on the use of your personal data are essential, given the impact that any data protection breach can have on those affected. As we’ve mentioned above, the consequences of your data being shared inappropriately can be enormous.
On this basis, you should also be aware that the GDPR enshrines your right to seek compensation if your data has not been properly safeguarded – for instance, if it has been processed without a lawful basis. This is particularly important to know if the misuse of your data has had some significant negative consequences for you, such as:
- Financial losses
- Emotional distress
- Reputational damage
- Loss of control
We hope this post has answered the question ‘can personal data be shared without permission?’ and given you a better understanding of your rights when it comes to data protection. If you have been the victim of a data breach that has led to any of these issues, you should consider seeking compensation. But in order to do so, it’s vital that you have the support of experienced solicitors.
HNK Solicitors can support your data breach claim
Here at HNK Solicitors, we have extensive experience in data breach cases. We’ve helped many clients secure compensation to help offset the damage caused by the misuse of their personal information. In one recent case, we were able to secure £7,500 for a client after a letter containing sensitive information was sent to an incorrect address.
Thanks to the expertise of our dedicated team of data breach solicitors, we can help you to seek the compensation you deserve. If you think you may be entitled to compensation as a result of a data breach, get in touch today. We offer free consultations to discuss the specifics of your case, and if we do think you are eligible for compensation, we can offer to take up the claim on your behalf on a no-win, no-fee basis.
To arrange a consultation, fill out the form on our website to request a call back. Alternatively, call us on 0151 203 1104 or email us at firstname.lastname@example.org.