What are the rules under data privacy law when we want to share personal data with another controller?

We have all been waiting with bated breath.

Data Privacy

After months of deliberation and uncertainty it’s finally here – the new Prime Minister draft Data Sharing Code of Practice (or Code). A couple of weeks ago, the Information Commissioner’s Office (or ICO) published the draft Code for public consultation, looking to finally update the existing Data Sharing Code of Practice in line with the GDPR. The draft Code will become a statutory code once finalised.  This means that the ICO will be required to take the Code into account when considering whether you have complied with your data protection obligations in relation to data sharing. The finalised Code can also be used in court proceedings (where relevant).

The new draft Code dives deep into how the principles in the GDPR interact with data sharing between controllers (as well as other new laws and regulations, like the Digital Economy Act 2017). This draft Code does not apply to controllers sharing personal data with processors. For an in depth discussion on controllers and processors, see Victoria Hordern’s article for DataGuidance.

One significant change is a new focus on the ethics of data sharing. The previous code on data sharing published by the ICO sought to answer the question “How do you share personal data?” This draft Code starts a few steps back by asking “SHOULD you share personal data?” It’s clear from the draft Code that the ICO expects you to have fully considered this question before you pick up a pencil to draft your data sharing agreement, or hit “send” on that list of marketing contacts.

The draft Code also indicates what the ICO would expect to be covered in data sharing agreements between controllers. Unlike the provisions required between controllers and processors in Article 28 of the General Data Protection Regulation (or GDPR), the GDPR doesn’t require any form of agreement between controllers sharing personal data with other controllers. (But what about joint controllers under Article 26 GDPR, you may ask? Hold on, we’ll get there.)

The ICO recommends considering data sharing agreements are put in place not only for regular data sharing, but also for any foreseeable one-off data sharing. Beyond simply “good practice” the draft Code positions data sharing agreements as a central way for an organisation to demonstrate its compliance with the overarching data protection principles, found in Article 5 GDPR.

The draft Code sees data sharing agreements as practical documents, which should be tailored to what is actually happening between the parties, rather than hastily completed template documents thrown in a drawer. Most importantly, the ICO expects any agreement to be a living document – encouraging the parties to regularly review not just the terms of the agreement, but also the continued purpose for the data sharing in general, revisiting that original question of should you share (or continue to share) personal data.

The draft Code also contains a list of provisions that the ICO expects parties to cover in their data sharing agreements. For instance, this includes provisions on the purpose of the data sharing, what organisations are involved, the data that will be shared and documenting the lawful basis for sharing.

Finally, those of you looking for clear guidance on joint controllers and the required “arrangements” that they must have in place between them under Article 26 will be disappointed. The draft Code simply reiterates the obligation in the GDPR to have an “arrangement” in place, and to inform individuals of this arrangement. But the Code goes no further as to the form and content of that arrangement. Further insight may become available if/ when the Court of Justice of the EU provides a ruling on the issue.

If you have any questions about your organisation’s data sharing and the draft Code, please get in touch. As we mentioned, the draft Code is currently under consultation. If you care deeply about data sharing, then you have until 9 September to have your say.

This information is necessarily of a general nature and doesn’t constitute legal advice. This is not a substitute for formal legal advice, given in the context of full information under an engagement with Bates Wells.

All content on this page is correct as of August 2, 2019.