Office of Data and Innovation Innovation Hub
Custom Google Search
Custom Google Search
CA.gov / Innovation Hub / Data minimization toolkit / External data sharing
Guides and playbooks

External data sharing

Sharing data can help improve services, make informed decisions, and work with partners. But you need to do it carefully. This will protect people’s privacy and keep sensitive information secure. Here is practical advice on sharing data responsibly, especially when external parties request it.

Get ready for external data requests

External partners may ask your department for state-held data. Data sharing risks vary based on who is requesting it. Sharing with state agencies or universities is straightforward because clear processes (like ethical review boards) already exist.

Sharing data with federal agencies can be riskier. These requests can be urgent, complex, and high-stakes, especially if they involve personal or sensitive data. Being prepared is the best way to protect privacy, follow laws, and maintain public trust.

Before you respond to any request, make sure you know:

  • What laws or regulations allow your department to share (or restrict you from sharing) data.
  • The difference between mandatory disclosures (what you must share) and discretionary ones (what you may share but don’t have to).
  • If there are any state laws that give more privacy than federal standards. For example, California's laws about immigration status and health data.

Work with your legal counsel to make a guide or checklist based on the kinds of data you manage.

2. Use formal agreements

Written agreements define the rules before you share data. These documents are sometimes called memoranda of understanding (MOUs) or data use agreements (DUAs). They should:

  • Be reviewed by legal and privacy experts. They may be inside your department or agency.
  • Name the exact data elements you will share.
  • Limit how the data can be used and who can access it.
  • Set clear standards for data storage, security, breach response, and retention.
  • Spell out what happens if the agreement is violated. Include how disputes will be handled.
  • State when you can refuse a request.

Having these in place ahead of time can avoid confusion or rushed decisions later. If you’re sharing data with other state agencies, ODI’s Interagency Data Exchange Agreement Guidebook has templates, examples, and worksheets.

3. Keep a data inventory

An up-to-date data inventory helps you quickly assess risks when you get a data request. It helps you identify datasets to control more tightly or review for future sharing.Also document existing data sharing agreements, including who you’re already sharing with.

Consider reviewing any datasets or metadata your department has already made public. Aggregated or anonymized data (like primary language spoken at home by neighborhood or country of origin) can be used in harmful ways. Reassess what is safe to release.

Map where the data lives can help you make a data inventory.

4. Set up an internal review process

Establish a clear internal escalation process for getting external data sharing requests. This may include:

  • Who gets and logs the request.
  • Which teams need to be looped in (like executives, legal, program, IT, security).
  • Timelines for review and response.
  • Red flags that require escalation (such as spending clause coercion like funding threats or retroactive conditions).

Make the process easy to follow with templates and training materials.

5. Train staff regularly and set regular check-ins

Make sure that frontline staff, data analysts, program managers, and legal teams:

  • Know the legal obligations and protections around data sharing.
  • Understand the risks of sharing too much information.
  • Can recognize informal or ambiguous requests that might bypass safeguards.

Tabletop exercises or scenario planning can help your team practice handling high-risk situations. Have regular check-ins with your legal, program, and privacy teams. Being on the same page helps you act quickly and responsibly when requests come in.

How to respond when an external party asks for data

When you get a data request from an external party, be careful and deliberate. Even if it sounds official, do not assume it is valid without going through your process.

1. Verify the request is real and valid

  • Contact the requesting organization through official communication channels to confirm the request.
  • Ask for written documentation showing legal authority or purpose for the data request.
  • Watch out for vague, overly broad, or informal requests. Flag them immediately for further review.

Legal staff should:

  • Determine if the request is legally enforceable (like through a subpoena or court order).
  • Assess if sharing the data could expose your department to legal, reputational, or operational risk.
  • Identify if the request violates any state laws or policies, particularly in areas like immigration, education, labor, public benefits, finance, or health.

They can also advise on if an existing agreement applies or if you need a new agreement before sharing.

3. Talk to your vendors

Set a clear communication protocol so all requests go through your department. This gives you control and makes sure all actions are legally allowed and aligned with your policies. This proactive coordination helps to reduce risks and stops unauthorized data disclosures.

4. Limit what you share

Follow the principle of minimum necessary:

  • Share only the data elements directly related to the purpose.
  • Do not send full datasets or linked files unless absolutely required.
  • Respond with aggregated, anonymized, or redacted data instead if you can.

Even well-intentioned data requests can accidentally expose sensitive information when shared too broadly.

5. Document every step

Good documentation protects both your department and the people whose data you hold. Keep a secure, well-organized record of:

  • The request and who made it.
  • Any legal review conducted.
  • What data was shared, when, and how.
  • Copies of all communications and approvals related to the request.

This can be crucial if your department is questioned later or needs to conduct an audit.

Know when (and how) to not share data

There are times when you should not share data. For example:

  • The request is not legal.
  • It violates California law or your department’s data-sharing policies.
  • It puts the privacy of individuals or communities at risk.

In these cases, work with your legal counsel to prepare a written reply citing applicable laws or contract provisions. You should have language in your MOUs or DUAs that allows you to limit or refuse data sharing under these conditions.

Conducting risk and necessity assessments
Reviewing vendor contracts
Office of Data and Innovation
Contact us