Is this type of data sharing legal?

Yes! But it must be done ethically and securely, in accordance with federal and state laws and regulations.

The federal Privacy Act of 1974, 5 U.S.C. § 552a (2000), is the omnibus “code of fair information practices” that regulates the collection, maintenance, use, and dissemination of personal information. The Privacy Act is designed to balance the government’s need to maintain information about individuals with the rights of individuals to be protected against unwarranted disclosure of personal information (i.e., any data element that can be used to identify the individual, such as names, Social Security numbers, and addresses). FERPA and HIPAA are the federal laws governing education and health information, respectively. Each of these federal laws includes exemptions or exceptions that permit public agencies to share data for purposes of research, audit, and evaluation, provided that appropriate data security policies and procedures are in place and that identifying data are either not shared (de-identified research files are created) or, if shared, are not redisclosed (governed by a business agent agreement or other contract).

For more information, see IDS Legal Issues: Finding a Way Forward and our repository of federal guidance on data sharing.