On January 8, 2024, the Office of the Data Protection Authority (ODPA) published guidance covering data sharing (the Data Sharing Guidance), handling data subject access requests (DSARs) (the DSARs Guidance), as well as environmental, social, and governance (ESG) reporting (the ESG Guidance).

Data sharing

The Data Sharing Guidance provides information on how to share information about people in an appropriate and lawful way and highlights key points to note when sharing data including:

• that there must be a valid reason for the sharing of data;
• if you are relying on consent as the legal basis for sharing personal data, ensure that you have obtained specific, informed, and freely given consent from the individual(s) concerned; and
• data sharing must be done as securely as appropriate for the data involved.

DSAR

The DSARs Guidance confirms that it applies when it is necessary to respond to an individual's DSAR in the circumstances where the requested information includes information about other people. Specifically, the DSARs Guidance details that all decisions must be documented, as companies may be asked to justify how they arrived at the decisions about what information they included, or excluded from, a DSAR response. The DSARs Guidance also contains a flow chart designed to help companies consider all the relevant steps when applying to DSARs.

ESG

The ESG Guidance outlines three aspects to consider at the outset regarding ESG reporting: data collection, risk to individuals, and public disclosure of data. Regarding best practices, among others, the ESG Guidance notes that companies should consider whether it is necessary to conduct a Data Protection Impact Assessment (DPIA) to identify and mitigate potential risks to individual rights when processing personal data for ESG reporting.

You can read the press release and the guidance here.