London Data Sharing Agreements and DPIAs - City Law
In London, England, local authorities and agencies must follow UK data protection law and regulator guidance when sharing personal data with third parties. Practical compliance relies on properly drafted data sharing agreements and documented Data Protection Impact Assessments (DPIAs) to demonstrate lawful processing, minimise risk, and record roles and responsibilities for controllers and processors. The Information Commissioner's Office (ICO) publishes practical guidance on data sharing for organisations; follow that guidance when preparing agreements and assessments. See: ICO data sharing guidance[1]
Penalties & Enforcement
Primary enforcement for data protection in London is by the ICO under the UK GDPR and Data Protection Act 2018. Local councils and the Greater London Authority must also maintain information governance teams or Data Protection Officers to manage agreements and complaints. Enforcement measures, appeal routes and time limits are described below.
- Statutory fines: the ICO can impose fines under UK GDPR; the maximum amount is not specified on the cited page. The ICO guidance sets out significant administrative penalties for serious breaches; see the ICO pages cited below for current amounts.[2]
- Escalation: the ICO uses a graduated approach from advice and warnings to enforcement notices and monetary penalties; specific first/repeat/continuing offence bands are not all set out on a single municipal page and may vary by case (not specified on the cited page).[2]
- Non-monetary sanctions: enforcement notices, compliance orders, prohibitions on processing, requirements to rectify or erase data, and referral to courts where appropriate are used by the ICO.
- Enforcer and complaints: report concerns or make a complaint to the ICO via the official complaints route or contact your local authority information governance team for internal review and remedy. See: ICO complaints and concerns[3]
- Inspections: the ICO conducts assessments and audits; local authority information governance teams may perform internal audits or spot checks under local policy (check your council's published policy).
Applications & Forms
The ICO provides DPIA guidance and templates for organisations to use when assessing high-risk processing; councils may publish internal data sharing agreement templates or forms on their websites. For official ICO DPIA guidance and template resources see the ICO DPIA page cited below. If a specific municipal form for data sharing is required by a London borough, that form will appear on the borough's official site (not specified on the cited page if absent).
ICO DPIA guidance and template[2]
Common Violations and Typical Outcomes
- Unlawful sharing without legal basis: potential enforcement notice and fines.
- Missing or inadequate data sharing agreement: remedial directions and requirement to execute a compliant agreement.
- No DPIA for high-risk processing: requirement to complete a DPIA and possibly suspension of processing.
How to Draft a Third-Party Data Sharing Agreement
- Identify parties, roles (controller/processor), lawful basis and purpose.
- Specify data categories, retention periods and security measures.
- Include audit, breach notification, liability and termination clauses.
- Set review dates and responsibilities for record keeping and DPIA updates.
FAQ
- Do London councils need a DPIA before sharing personal data with a contractor?
- Yes, where processing is likely to result in a high risk to individuals you must complete a DPIA; follow ICO DPIA guidance to assess and record risks.
- Who enforces data sharing compliance in London?
- The Information Commissioner's Office (ICO) is the statutory regulator for data protection; local authority information governance teams manage internal compliance and complaints.
- Where do I find a template data sharing agreement?
- Many councils publish templates on their official websites; the ICO provides guidance and DPIA templates to help structure agreements and assessments.
How-To
- Map the data: list categories, sources and intended recipients.
- Confirm lawful basis and document it in the agreement and DPIA.
- Draft contractual terms covering security, breach notification and audit rights.
- Conduct and record a DPIA if the processing is high risk; implement mitigation steps.
- Sign the agreement, log it with your records management system and schedule reviews.
Key Takeaways
- Always use a written data sharing agreement that names roles and lawful basis.
- Do a DPIA for high-risk processing and keep mitigation records.
- Report serious breaches to the ICO and use local complaint routes first where appropriate.
Help and Support / Resources
- City of London - Data protection and FOI
- Greater London Authority - Data protection and FOI
- ICO - Report a concern about data protection