Cardiff Data Sharing Agreements - City Law
Public bodies in Cardiff, Wales must share personal data with third parties lawfully, under the UK GDPR and the Data Protection Act 2018. This guide explains the legal bases commonly used for council data sharing, practical contract and governance steps, enforcement pathways, and how to report concerns in Cardiff. It is aimed at officers preparing or reviewing data sharing agreements, legal teams advising partner organisations, and residents seeking clarity about how their data is shared and how the rules are enforced.
Legal basis for third-party sharing
Local authorities typically rely on one or more lawful bases when sharing personal data: legal obligation, public task, consent, or legitimate interests where appropriate. Note that under UK GDPR Article 6(1) a public authority cannot rely on legitimate interests for processing carried out in the performance of its public tasks, so public task or legal obligation is usually the correct basis for council sharing. For special category data an additional condition is required (for example, substantial public interest with an associated condition under Schedule 1 of the Data Protection Act 2018, or explicit consent). Organisations should document the chosen lawful basis and carry out any required impact assessments before sharing.
Key contract and governance elements
- Data sharing agreement or memorandum of understanding defining purpose, data items, lawful basis and retention.
- Roles and responsibilities: controller(s), processor(s), and named data protection lead.
- Technical and organisational measures required to protect data during transfer and processing.
- Retention schedules and secure deletion or return requirements.
- Audit, breach notification processes and dispute resolution steps.
Penalties & Enforcement
Enforcement for unlawful processing or inadequate data sharing is primarily exercised by the Information Commissioner's Office (ICO) under UK data protection law; local disciplinary or contractual sanctions may apply to council staff or contractors. The ICO publishes guidance on data sharing and on its enforcement powers, including monetary penalties where appropriate.[1]
- Monetary penalties: ICO fines can reach up to £17.5 million or 4% of annual global turnover, whichever is higher, for the most serious breaches; local council-imposed fines for procedural breaches are not specified on the cited page.
- Escalation: the ICO uses a range of tools, from advice and remedial steps to enforcement notices and fines; specific council escalation steps for repeat or continuing breaches are not specified on the cited page.
- Non-monetary sanctions: enforcement notices, orders to stop processing, audits, and mandatory remedial actions; council disciplinary or contractual remedies may include suspension of access, termination, or other employment measures.
- Enforcer and complaints: the primary regulator is the ICO; local implementation and complaints handling are managed by Cardiff Council's Information Governance team or Data Protection Officer (see Resources).
- Appeal and review: ICO decisions such as penalty and enforcement notices can be appealed to the First-tier Tribunal (General Regulatory Chamber) in its information rights jurisdiction; specific time limits for appeals are not specified on the cited page.
Applications & Forms
Cardiff Council commonly uses internal templates and information sharing agreement documents to formalise third-party arrangements; if no public form is available, contact the council's Information Governance team to request templates or details of the approval steps.
Operational steps and good practice
- Conduct a Data Protection Impact Assessment (DPIA) where sharing poses high risk to individuals.
- Use a written data sharing agreement specifying purpose, lawful basis, retention and security.
- Record data flows in the register of processing activities and maintain a documented subject access request procedure, so that privacy notices and responses to data subjects accurately reflect who data is shared with and why.
- Provide a named contact for data subjects and an escalation point for incidents or complaints.
Common violations
- Sharing beyond stated purpose or without a lawful basis.
- Missing contractual controls when a third party acts as a processor.
- Insufficient technical safeguards during transfer (unencrypted or insecure channels).
FAQ
- Who enforces data sharing rules for Cardiff Council?
- The Information Commissioner's Office is the statutory regulator; Cardiff Council's Information Governance team handles local oversight and internal complaints.
- Do I always need a written data sharing agreement?
- Not always as a strict legal requirement, but ICO guidance treats a written agreement documenting purpose, lawful basis, responsibilities and security measures as good practice for controller-to-controller sharing, and it is the main evidence of accountability if the sharing is later challenged. Where the third party acts as a processor, a written contract containing the terms required by UK GDPR Article 28 is mandatory.
- How do residents report suspected unlawful sharing?
- Residents can raise a complaint with Cardiff Council's Data Protection Officer and report concerns to the ICO if they are not satisfied with the local response.
How-To
- Identify the purpose and legal basis for sharing personal data.
- Complete a DPIA if the sharing is likely to pose high risk to individuals.
- Draft and sign a data sharing agreement specifying roles, security and retention.
- Implement technical controls and document the processing in records.
- Monitor compliance and report personal data breaches to the ICO where required (within 72 hours of becoming aware, unless the breach is unlikely to result in a risk to individuals), and notify affected individuals without undue delay where the breach is likely to result in a high risk to them.
Key Takeaways
- Document the legal basis and retention in every data sharing agreement.
- Use DPIAs for high-risk sharing and enforce technical protections.
- Report enforcement concerns to the ICO and follow local council complaint routes.
Help and Support / Resources
- Cardiff Council - official site and contacts
- Cardiff Council Information and data protection
- Welsh Government - data protection guidance
- Information Commissioners Office (ICO)