The Information Commissioner’s Office (the “ICO”) recently published its new Data Sharing Code of Practice (the “code”) as a replacement for the 2011 code. It is a myth that GDPR prevents the sharing of data, it actually does not do such a thing, but that doesn’t mean that data should be shared without caution. As each year passes, more data is collected and shared and clearly, the world of digital data collection and sharing has changed a lot since 2011, so a new code of practice was due and was also an obligation on the ICO in accordance with section 121 of the Data Protection Act 2018.
The code is mainly aimed at organisations that are considered data controllers, data protection officers and individuals who are responsible for data sharing related matters within their organisation. The majority of the code applies to all data controller sharing activities, regardless of scale and context. It is designed to provide an update on previous guidance, clarify misconceptions about the perceived barriers to sharing, and highlight some benefits of data sharing.
The benefits highlighted within the code, are that data sharing can help government and other organisations deliver modern, efficient services, making everyone’s lives easier, and not sharing can have an adverse effect. It suggests that by following the code, not only will a controller have better compliance with the law but the outcome will enhance the protection of data and reduce reputational risks to their organisation.
There are sections reminiscent of previous ICO guidelines; the data protection principles, data protection by design and default, records and documentation, designation of a DPO, data subject rights, complaints handling, and ensuring the security of data sharing activities. However, there are new considerations which are highlighted below.
New considerations for data sharing
Data sharing is not fully defined, although the scope of the code is defined by the Data Protection Act 2018 as “the disclosure of personal data by transmission, dissemination or otherwise making it available”. The code goes into more detail defining sharing into groups:
- Routine data sharing
- Ad hoc or one-off data sharing
- Data pooling
- Data sharing between controllers
- Sharing data with a processor
An example might include organisations pooling information, such as two neighbouring health authorities sharing information about their employees for fraud prevention purposes. Awareness of the type of sharing is important but the goal of the code is for increased accountability and awareness of the implications of data sharing activities.
Data Protection Impact Assessments (DPIAs) are encouraged before embarking on data sharing activities, even when the processing is unlikely to result in a high risk to individuals. The bar is being raised here as DPIAs are compulsory when processing is likely to result in a high risk to individuals. Essentially the code is regarding a DPIA as good practice for any plans for routine data sharing even if there is no indicator of high risk. In addition, the code suggests further questions to be asked such as “could the same outcome be achieved without sharing or anonymising the data?”, “is it fair to share data in the way that is being considered?” and “is the sharing achieving its objective?”.
Further considerations are requested with the strong recommendation for Data Sharing Agreements as a practice for clarity between organisations sharing data. For example, agreements should outline the reasoning behind the sharing initiative and whether necessary, the objectives for sharing and the benefits you hope to bring to individuals and/or society. They should also set out procedures for compliance with individual’s rights.
Why is this important?
Being able to evidence compliance with the code is being held as the standard with which to demonstrate whether your data sharing activities are fair, lawful and accountable for compliance with data protection legislation (“DPL”). Along with the above here are the 10 key takeaways from the code when sharing data:
- Carry out DPIAs even when you are not legally obliged to do so
- Best practice means having a data-sharing agreement in place between each party and data sharing considerations should be part of due diligence processes in relation to third parties, mergers and acquisitions
- The principle of Accountability must be demonstrable by following key data protection principles
- There must be at least one clear lawful basis for the sharing of data and you must ensure the lawfulness of sharing in general
- Transparency, legitimacy and proportionality should all feature
- Processing must be in a manner which ensures its security
- There must be policies and procedures to allow data subjects to express their rights
- Data can be shared in emergencies as long as it is necessary and proportionate to the requirement
- Ethical factors should be considered alongside technical and legal factors
- Data sharing under the Digital Economy Act 2017 must comply with DPL and codes of practice must comply with the Data Sharing Code of Practice
If you regularly share data with other organisations or are embarking on a project which will involve data sharing, you will need to consider the code. If you would like to discuss the content of this blog or want to discuss what your business needs in order to become data protection compliant, we can help. Contact us for a no-obligation chat.