Data Sharing Code of Practice: How to share responsibly

April 23rd, 2024 Posted in Compliance, Data Protection

In 2021, the Information Commissioner’s Office (the “ICO”) published its new Data Sharing Code of Practice (“the Code”) as a replacement for the 2011 code. It is a myth that the UK GDPR prevents the sharing of data; it does no such thing. That does not mean, however, that data should be shared without appropriate controls in place.

This article will give you an overview of data sharing, the aim of the Code, and its benefits. But what happens when a situation arises where it is not clear cut as to whether you can share personal data? This article will help your organisation understand data sharing best practices within the UK GDPR, and the steps to take to make an informed decision when it comes to sharing personal data.

What is the aim of the Data Sharing Code of Practice?

Clearly, a lot has changed in the world since 2011, and that includes the digital landscape. The technological advancements of the past 30 years or so, and the huge shift in the digital world caused by the global pandemic, have been covered many times, so we do not need to dive into the finer details here; the point is that the way we collect and share data has evolved exponentially.

As a result, guidelines needed to change, which prompted the ICO to review the Code to provide individuals, businesses, and organisations the confidence to share data in a fair, safe, and transparent way.

Data sharing itself is not fully defined. The scope of the Code, however, follows the Data Protection Act 2018, which describes sharing as “the disclosure of personal data by transmission, dissemination or otherwise making it available”. The Code goes into more detail, dividing sharing into the following groups:

1. Routine data sharing
2. Ad hoc or one-off data sharing
3. Data pooling
4. Data sharing between controllers
5. Sharing data with a processor

An example might include organisations pooling information, such as two neighbouring health authorities sharing information about their employees for fraud prevention purposes. Awareness of the type of sharing is important, but the goal of the Code is increased accountability and awareness of the implications of data sharing activities.

Who is the Data Sharing Code of Practice aimed at?

The Code is mainly aimed at organisations that are considered data controllers, data protection officers and individuals who are responsible for data sharing related matters within their organisation. Most of the Code applies to all data controller sharing activities, regardless of scale and context. It is designed to clarify misconceptions about the perceived barriers to sharing and highlight some benefits of data sharing.

The benefits highlighted within the Code are that data sharing can help government and other organisations deliver modern, efficient services, making everyone’s lives easier, and that not sharing can have an adverse effect. It suggests that by following the Code, not only will a controller achieve better compliance with the law, but the outcome will enhance the protection of data and reduce reputational risks to the organisation.

Assessing whether you can share personal data

Sometimes it will be clear when organisations can share personal data. For example, data sharing between medical professionals such as GPs and consultants, between secondary schools and universities for the purpose of university admissions, or between a financial institution and the police to support a white-collar crime investigation are all obvious cases where data sharing is permissible.

However, it is not always clear cut. For instance, it was recently sadly reported that a student at a UK University took their own life and, although the university had concerns about the student’s mental health, it would appear that they considered that they could not share this information with the student’s family, due to the restrictions imposed by the data protection legislation.

Whilst it may be an unpleasant topic to discuss, it is a very necessary one. This incident raises important questions in relation to what information can and cannot be shared and with whom in the event of a mental health crisis. In order to help someone sensitively and lawfully, should these circumstances arise, it is extremely important for organisations, businesses, and educational institutes to prepare for such scenarios and have policies and processes in place to govern their data sharing.

What steps should organisations take?

Policies and Procedures

As a first step, it is vital to have appropriate policies and procedures in place that set out the organisation’s approach to such situations. The documentation should set out the roles and responsibilities of key employees, specifying what actions should be taken, when and by whom. It should also provide guidance on how to reach decisions on the following:

– What to share (having assessed that it is necessary to share);
– With whom to share (bearing in mind who would be in a position to help);
– How much to share (keeping in mind the data minimisation principle);
– When to share (identifying the appropriate time to share);
– How to share (keeping in mind the requirement to apply appropriate technical and organisational measures);
– Who to contact if there are any concerns from a data protection perspective, e.g. the DPO or the ICO.

In all cases, the sharing should be necessary, fair, lawful, justified and proportionate for the purpose. The ICO provides several useful checklists which can aid the thought process: Annex A: data sharing checklist | ICO

Lawful Basis

As with all processing activities involving personal data, it is necessary to identify a lawful basis for the sharing. It is helpful to list options, together with explanations, within your policies and procedures, as this will help with making decisions, as the need arises. For example, if there is a real and genuine concern that the individual is likely to imminently harm themselves or commit suicide, the lawful basis for sharing is likely to be vital interests under Article 6 of the UK GDPR. However, as data about a person’s mental health is special category personal data, a condition under Article 9 of the UK GDPR will also need to be satisfied and, depending on the circumstances, this condition may also be vital interests.

Privacy notices

In addition to ensuring that policies and procedures are in place and that the lawful bases have been identified and documented, organisations need to ensure that privacy notices accurately reflect any data sharing activity clearly and transparently. They should explain what information will be collected, for what purpose, what lawful basis will apply, who will have access to the data, who it will be shared with and how long it will be kept. This will ensure that data subjects are fully aware of how their personal data will be handled in all circumstances.

Training

Once the above documentation has been drafted and approved, it is important that all employees are made aware of its content and receive training on it, to ensure that they are all familiar with the steps they need to take in different circumstances. Employees should also be asked to confirm in writing that they have read and understood the policies and procedures, after having been given an opportunity to ask any questions they may have.

Accurate Records

It is also incredibly important that records about data subjects are accurate and kept up to date, as this will aid effective sharing and mitigate the likelihood of issues arising down the line. For example, organisations should ensure next of kin details for their employees are kept up to date, in case of emergencies. The same goes for schools, which may need to share the personal data of 16–18-year-olds with a parent or guardian due to safeguarding concerns; parental details should be kept up to date. Also, if medical records are not kept up to date and are passed on from a GP to a surgeon, an individual could suffer serious harm. These examples highlight the importance of robust records management.

That said, organisations may not know very much, if anything, about the nature of the relationship between individuals. If this is the case, it may not be appropriate, for example, to share full details with the next of kin in a mental health crisis. It may be more appropriate to share the full story with the emergency services and let them decide, as the professionals in this field, what level of detail to provide to the next of kin.

Sharing Data Responsibly in an emergency

In the context of a medical emergency such as a mental health crisis, the circumstances may require urgent action. There may be little time to ponder, because every minute lost could increase the risk to someone’s wellbeing. Whilst many organisations may be reluctant to share personal data for fear of breaching the data protection legislation, the ICO highlights that:

“The key point is that the UK GDPR and the DPA 2018 do not prevent you from sharing personal data where it is appropriate to do so.”

Therefore, if the purpose of sharing is to protect someone at risk, and the sharing is necessary, fair, lawful, justified and proportionate for that purpose, an organisation will not be criticised for proceeding with that sharing. The ICO has published the following guidance on this subject:

Information sharing in mental health emergencies at work | ICO

Data Sharing Register

Once the decision has been made to share personal data, a record of it will need to be inserted into a data sharing register detailing:

– The date the personal data was shared;
– The justification for sharing including the lawful basis for sharing;
– Details of what personal data was shared;
– The purpose of the sharing;
– With whom the personal data was shared;
– Whether consent was obtained for the sharing;
– Details of any Data Sharing Agreement entered into (if applicable);
– Details of any exemption relied upon; and
– Details of any sharing with the police.

Data Sharing Agreements

Often there is data sharing between organisations in commercial contexts. For instance, a broadband or energy provider may share personal data with a property management company in relation to tenants (or vice versa). In such circumstances, we would always recommend that the parties put clear contractual provisions in place within data sharing agreements (or other appropriate agreements, e.g. service agreements) to set out roles and responsibilities, ensuring that each party understands its obligations in respect of the data sharing. Positions on liabilities and indemnities in respect of any data sharing should also be included in such agreements for certainty, in the event things go wrong.

Accountability

Records of all documentation, including policies and procedures, training sessions, employee confirmations, privacy notices and completed data sharing registers, should be retained to comply with the accountability principle. This will demonstrate to the ICO that appropriate measures have been implemented to ensure that personal data is being processed in accordance with the law. To learn more about accountability in relation to the GDPR, download our free Guide to GDPR Accountability.

Useful Resources

The ICO has published useful guidance on how to share data responsibly. Many organisations may find the guidance on busting data sharing myths particularly useful, along with the case studies and examples and the Data Sharing Code itself.

Case studies and examples | ICO

About this code | ICO

Get support with data sharing

If you regularly share data with other organisations or are embarking on a project which will involve data sharing, you will need to consider the data sharing code of practice. If you would like to discuss what your business needs in order to become GDPR compliant, we can help. Contact us for a no-obligation chat.


10 Key Points Data Sharing
  1. Carry out DPIAs even when you are not legally obliged to do so
  2. Best practice means having a data-sharing agreement in place between each party, and data sharing considerations should be part of due diligence processes in relation to third parties, mergers and acquisitions
  3. The principle of Accountability must be demonstrable by following key data protection principles
  4. There must be at least one clear lawful basis for the sharing of data and you must ensure the lawfulness of sharing in general
  5. Transparency, legitimacy and proportionality should all feature
  6. Processing must be in a manner which ensures its security
  7. There must be policies and procedures to allow data subjects to express their rights
  8. Data can be shared in emergencies as long as it is necessary and proportionate to the requirement
  9. Ethical factors should be considered alongside technical and legal factors
  10. Data sharing under the Digital Economy Act 2017 must comply with DPL and codes of practice must comply with the Data Sharing Code of Practice


Written by Sandra May

Sandra is an experienced senior data protection consultant and is a designated DPO for Evalian™ clients. Sandra spent much of her career as a litigation lawyer and over the last ten years has specialised in data protection. Sandra's qualifications include the BCS Practitioner Certificate in Data Protection and the ISEB Certificate in Data Protection, and she is a FCILEx (Fellow of the Chartered Institute of Legal Executives).