Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
As a small business, you handle people’s information every day – from customer contact details and CCTV footage to employees’ HR records and supplier emails.
Sharing private information without consent can quickly land you in legal trouble. But here’s the good news: with a clear understanding of UK privacy and confidentiality rules, plus the right policies and contracts, you can share information lawfully and protect your business from the outset.
In this guide, we’ll explain when you can (and can’t) share personal data without consent, how confidentiality fits in, common risk scenarios, and the practical steps to stay compliant under UK law.
What Counts As “Private Information” Under UK Law?
It helps to separate two key legal concepts you’ll come across in the UK:
- Personal data: Any information that identifies, or could identify, a living individual (for example, a customer’s name, email, phone number, IP address, CCTV image, or a staff member’s performance notes). This is regulated by the UK GDPR and the Data Protection Act 2018.
- Confidential information: Information shared in circumstances importing a duty of confidence (for example, proprietary know-how, pricing, client lists, product roadmaps, or sensitive business plans). This is protected via the common law of confidentiality and your contracts (NDAs, employment contracts, supplier agreements).
Often, the same document can include both personal data and confidential information (for example, a sales pipeline spreadsheet containing client names and deal values). In practice, you need to manage both sets of obligations at the same time.
A useful rule of thumb: if the information relates to an identifiable person, assume the UK GDPR applies. If it’s commercially sensitive or shared under an expectation of confidence, treat it as confidential too.
When Can You Share Personal Data Without Consent?
Consent is only one lawful basis for processing and sharing personal data under the UK GDPR. You can share personal data without consent if another lawful basis applies and the sharing is necessary and proportionate. Common lawful bases for SMEs include:
- Contract: Sharing is necessary to perform a contract with the individual. For example, sharing delivery details with a courier so a customer receives their order.
- Legal obligation: You must share to comply with the law. For example, providing payroll data to HMRC.
- Legitimate interests: You have a genuine business interest that isn’t overridden by the individual’s rights. For example, using a third-party CRM to manage customer relations, or internal fraud prevention. You should carry out a Legitimate Interests Assessment (LIA) to evidence your reasoning.
- Vital interests: In rare cases, sharing is necessary to protect someone’s life.
- Public task: Relevant if you’re exercising official authority or performing a task in the public interest.
If you’re relying on another lawful basis, you don’t need consent – but you do need to follow the UK GDPR principles. That includes being transparent (tell people who you share data with), minimising data (only share what’s necessary), and having appropriate safeguards and contracts in place with recipients.
In your external-facing Privacy Policy, be upfront about what personal data you collect, why you use it, and who you share it with (for example, cloud providers, payment processors, marketing platforms, or logistics partners). If you use overseas processors, you’ll also need a lawful transfer mechanism.
What About Confidential Information That Isn’t “Personal Data”?
Plenty of sensitive business information isn’t “personal data” but still shouldn’t be shared without permission. The law of confidentiality protects information that:
- Has the necessary quality of confidence (it’s not public or trivial),
- Was shared in circumstances importing an obligation of confidence, and
- Was used or disclosed without authority, causing (or risking) detriment.
For small businesses, this usually means you should:
- Mark confidential materials and limit access on a need-to-know basis,
- Include strong confidentiality clauses in your Employment Contract and contractor terms, and
- Use NDAs for pre-contract discussions and a clear Confidential Information definition in your commercial agreements.
Remember, confidentiality obligations can cover both business information and personal data – so your contracts and your data protection framework should work together. If you’ll be sharing personal data with another organisation (for example, a fulfilment partner or analytics provider), put a tailored Data Sharing Agreement or a Data Processing Agreement in place, depending on the roles and responsibilities.
Common Risk Scenarios For Small Businesses
It’s easy to slip into risky practices without realising. Here are typical ways UK SMEs end up sharing private information without consent – and how to navigate them lawfully.
1) Customer Stories, Testimonials And Social Media
Posting screenshots of messages or emails might feel like a quick win for marketing, but those images often contain names, phone numbers, photos, or other personal data. Unless you have a robust lawful basis (and often, explicit permission is the safest route), you could breach privacy laws.
Be especially careful with “private messages” screenshots. Stick to anonymised quotes or get clear permission first, ideally in writing, and keep a record of what was agreed.
2) Staff Communications And BYOD
Work WhatsApp groups, forwarding emails to personal accounts, or using personal devices for business (“bring your own device”) can lead to uncontrolled sharing and security gaps. If you allow personal devices, implement clear rules around access, storage, remote wipe, and offboarding. It’s wise to educate staff and update your internal IT policy so everyone understands what’s okay and what’s not.
Where employees use their own phones for work, set ground rules in a Staff Handbook and consider a policy specifically addressing BYOD to reduce the risk of accidental sharing.
3) Recording Calls, Meetings And CCTV With Audio
Recording in the workplace can capture a lot of personal data (voices, images, opinions) and sometimes sensitive data (for example, about health or union membership). You’ll need a clear lawful basis, signage, privacy information, and a proportionate approach. Audio recording is particularly intrusive and higher risk than video alone.
If you use microphones or want to record conversations, review the rules around CCTV with audio and make sure any recordings are genuinely necessary, limited, and securely stored. Unauthorised or covert recording by staff can raise separate issues under employment and criminal law.
4) References, Background Checks And Third-Party Requests
It’s common to share employee or contractor information when responding to reference requests or when a supplier asks for a contact’s details. Only share what’s necessary, check you have a lawful basis (often legitimate interests, with a fair and transparent process), and ensure you’re not disclosing anything that’s confidential or irrelevant.
5) Using New Tools And Integrations
Connecting your CRM to a marketing platform, or exporting spreadsheets to a third-party app, is still “sharing” under the UK GDPR. Map your data flows and put appropriate contracts in place with providers. For joint ventures or ongoing partner data exchange, a tailored Data Sharing Agreement is usually the best approach.
6) Whistleblowing And Internal Reports
Whistleblowing systems often require careful handling of confidential and sensitive personal data. You should control access, document how reports are handled, and make sure your approach is aligned with data protection law and employment obligations. A structured, transparent process supported by policy helps protect everyone involved.
Practical Steps To Stay Compliant And Reduce Risk
Here’s a practical checklist to keep sharing activities lawful and proportionate:
- Map your data flows: Identify what personal data you collect, who you share it with, and why. Pay special attention to new tools or integrations.
- Pick the right lawful basis: Consent isn’t always needed (or the best choice). Document why another basis applies and ensure the sharing is necessary.
- Minimise what you share: Only share the minimum personal data required for the task, and anonymise where possible.
- Use the right contracts: Put a Data Processing Agreement in place with processors, and use a Data Sharing Agreement for ongoing controller-to-controller transfers.
- Be transparent: Keep your Privacy Policy current and easy to understand. Tell people who you share data with and why.
- Secure your channels: Set access controls, encrypt where possible, and turn off auto-sync to personal devices unless strictly needed.
- Train your team: Short, regular training on privacy and confidentiality prevents most mistakes. Include real examples relevant to your business.
- Plan for incidents: Have a documented Data Breach Response Plan so you can act quickly and lawfully if something goes wrong.
None of this needs to be complicated – but it does need to be deliberate. Addressing these steps early will protect your brand and build trust with customers and staff.
Essential Policies And Contracts To Have In Place
To prevent accidental or unauthorised sharing, it pays to set clear expectations and guardrails in writing. At a minimum, consider:
- Privacy Policy: Explains what you collect, how you use it, and who you share it with. Make sure it covers overseas transfers and your lawful bases. Link it on your website and in sign-up flows.
- Data Processing Agreement: Required where a supplier processes personal data for you (for example, cloud storage, payroll, marketing platforms). Use a tailored Data Processing Agreement with specific security and audit provisions.
- Data Sharing Agreement: For controller-to-controller sharing with partners, resellers, or affiliates, a Data Sharing Agreement clarifies roles and responsibilities.
- Employment documents: Employment contracts and a Staff Handbook with confidentiality, social media, and IT security rules. If staff use personal devices, address this with clear BYOD requirements.
- Internal IT/communications policy: Set standards for messaging apps, email forwarding, file sharing, and retention. This reduces “informal” sharing on uncontrolled channels.
- Incident response: A tested Data Breach Response Plan so you know who does what in the first hours after a breach.
Depending on your model, you may also need sector-specific provisions (for example, patient confidentiality for health providers) or additional safeguards for special category data (like biometrics or health information).
Handling Mistakes: Data Breaches, SARs And Complaints
Even with good systems, mistakes can happen. What matters next is responding quickly and lawfully.
What Counts As A Data Breach?
A personal data breach is any security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Common examples include emailing a spreadsheet to the wrong recipient or posting a customer’s details on social media by mistake.
If a breach is likely to risk people’s rights and freedoms, you’ll need to assess and contain it and keep records, and you may have to notify the ICO within 72 hours and affected individuals without undue delay. Your Data Breach Response Plan should set out a simple playbook for triage, evidence gathering, decisions, and messaging.
Subject Access Requests (SARs)
People have the right to access their personal data and information about how you use it. If you receive a SAR, you normally have one month to respond. Build a workflow to identify the requester, find the data, apply exemptions where appropriate, and respond in time.
If you don’t yet have a process, our practical guidance on subject access requests outlines the key steps and common pitfalls for UK businesses.
Complaints And Escalations
Take complaints seriously and respond promptly. A quick, empathetic response and a clear plan can prevent escalation to the ICO or litigation. Document what happened, how you’re fixing it, and what you’ve changed to reduce the chance of a repeat.
Where an incident relates to recording or surveillance in the workplace, revisit whether your setup is proportionate and consistent with your privacy notices, particularly if any CCTV with audio is in use.
Employment And Conduct Issues
If an employee shares private information without permission – whether on social media, in a messaging app, or during a dispute – treat it as both a conduct issue and a data incident. Follow a fair process under your disciplinary policy, and consider whether training, access controls, or clearer policies would have prevented the issue.
Key Takeaways
- Sharing private information without consent isn’t automatically unlawful – but you must have a valid lawful basis, minimise what you share, and be transparent.
- Manage both personal data duties under the UK GDPR and confidentiality obligations under contract and common law – they often apply at the same time.
- Risk hot spots for SMEs include social media screenshots, informal messaging, BYOD, and surveillance or recordings in the workplace, especially CCTV with audio.
- Put strong foundations in place: a clear Privacy Policy, the right contracts with providers (for example, a Data Processing Agreement or Data Sharing Agreement), and regular staff training.
- Prepare for the “what if”: keep a tested Data Breach Response Plan and a simple workflow for subject access requests.
- If you’re unsure whether you can share something, pause and get advice – addressing privacy and confidentiality properly now will protect your business as it grows.
If you’d like help putting the right policies and agreements in place, or you need tailored advice on a specific sharing scenario, you can reach us on 08081347754 or team@sprintlaw.co.uk for a free, no-obligation chat.