New ICO Data Sharing Code: what are the key actions for organisations?

The Information Commissioner has published a new Data Sharing Code of Practice. What are the key practical implications for organisations sharing personal data?


On 17 December 2020 the Information Commissioner’s Office (ICO) published its new Data Sharing Code of Practice following a consultation last year. The Code is a statutory code of practice made under the Data Protection Act 2018. This means that the ICO must take it into account when considering whether organisations have complied with data protection law when sharing personal data. It can also be used in court proceedings and must be taken into account by the courts where relevant.  The Code is expected to come into force later this year once it has been approved by the UK Parliament.

Much of the Code restates the existing legal framework that applies to data sharing and it contains relatively few new insights on how organisations should deal with complex data sharing scenarios. However, it is presented in a user-friendly way, contains a number of updated data sharing templates and, for that reason, is likely to be a useful guide to those in the early stages of drawing up new data sharing frameworks.

The Code relates to sharing between controllers, including sharing in the context of law enforcement proceedings (for instance when organisations need to share personal data with the police). It does not cover sharing with processors, such as suppliers. For an in-depth discussion on the roles of controllers and processors, see Victoria Hordern’s article for DataGuidance.

Note that the Code covers a range of different data sharing issues and scenarios, many of which are not covered in this blog, which is intended only as a brief snapshot of some of the Code’s key themes.

1. Do a Data Protection Impact Assessment!

A recurrent theme of the Code is that organisations which are thinking about sharing data should carry out a Data Protection Impact Assessment (DPIA). A DPIA is a form of data protection risk assessment which organisations need to carry out for data processing that is likely to result in a high risk to individuals. The Code recommends it as a flexible and scalable risk assessment tool which can be used for a variety of data sharing scenarios, even where the law does not require a DPIA.

The Code also advises that all organisations (even if they are not larger ones) document any data sharing they undertake and review it regularly so, even if you don’t complete a DPIA, it is a good idea to keep a record of all data sharing by your organisation.

2. Revisit your data sharing agreements

Unlike agreements with processors, data sharing agreements with other controllers are not mandatory under data protection legislation (noting, however, that where the parties are acting as joint controllers the GDPR requires them to put an arrangement in place between them which, in practice, is often documented as a written contract).

The Code advises that, while data sharing agreements between controllers are not mandatory, it is good practice to have a data sharing agreement, as having one can help organisations to demonstrate that they are meeting their accountability obligations under the GDPR. The Code makes clear that:

 “the ICO will take into account the existence of any relevant data sharing agreement when assessing any complaint we receive about your data sharing”.

In reality, therefore, although data sharing agreements for controller-to-controller sharing are not mandatory (subject to the requirements relating to joint controllers), any organisations engaging in data sharing which is more than one-off or incidental should ensure that they have a data sharing agreement in place. The Code (at pages 25-27) contains a detailed checklist of what should be incorporated in a data sharing agreement.

It is possible, of course, for a data sharing agreement to be incorporated in an agreement dealing with data transfers within a group of organisations.

3. Remember the data sharing rules when sharing personal data in connection with mergers (and other corporate transactions)

The Code considers the implications of data sharing in the context of organisational restructuring. For organisations engaging in data sharing in connection with a merger (for instance, as part of their due diligence) the Code makes the following recommendations (among others):

  • Establish the data that is being transferred and the purposes for which the data was originally obtained.
  • Establish the lawful bases for sharing the data and ensure that you comply with data processing principles.
  • Document the data sharing.
  • Seek technical advice before sharing where different systems are involved because of the potential security risk.
  • Consider how you will inform individuals about what is happening.

While these guidelines help to identify the relevant data protection considerations in the context of a merger, they are fairly generic and don’t address some of the practical difficulties experienced in corporate restructurings, for instance where consent is required from thousands of individuals to the transfer of their personal data from one party to another.

4. When obtaining databases from third parties, do your data protection due diligence

The Code identifies key checks that should be carried out by organisations which purchase or otherwise obtain databases and contact lists including the following:

  1. Check what individuals were told when they first handed over their data.
  2. Verify details of how and when the data was originally collected.
  3. Review a copy of the privacy information/ privacy notice which was given at the time that the data was collected.
  4. Check that the data is accurate and up to date.
  5. Ensure that the data you receive is not excessive or irrelevant for your needs.

The Code also advises that it is good practice for organisations receiving personal data to have a written contract with the organisation supplying the data. Organisations which obtain databases for direct marketing or other purposes should integrate the Code’s recommendations into the due diligence that they carry out on their database suppliers.

5. Take extra care when sharing children’s data

The Code repeats the familiar message that organisations which are processing children’s data need to take extra care.

Organisations should not disclose children’s data unless they can demonstrate a compelling reason to do so, taking account of the best interests of the child. The Code cites safeguarding purposes as one example of a compelling reason for sharing children’s data, therefore placing the bar quite high. Organisations are legally required to carry out a DPIA to assess the risks that arise to children from the sharing of their data. The Code makes clear that this should be done even if there is a compelling reason for sharing their data.

The Code also reflects some of the themes of the new Age Appropriate Design Code by advising that, where appropriate, children’s views should be considered by organisations when designing data sharing arrangements. Similarly, any privacy information which is provided to children must be clear and presented in plain and age-appropriate language.

Organisations should also carry out due diligence checks on organisations before sharing children’s personal data with them and should not share data where it is reasonably foreseeable that the recipient organisations will use the data in a way that is detrimental to the child or otherwise unfair.

6. You can share data in urgent situations

The Code stresses that data protection law does not prevent organisations from sharing personal data in an emergency but recommends that organisations plan for data sharing in emergency situations as far as possible. For instance, an organisation could draw up and implement a Data Disclosure Policy which sets out the process it will go through when responding to requests to share personal data with a third party. Organisations should document any urgent sharing they engage in, even if they are not able to do so at the time of the urgent incident.

7. The ICO has updated its data sharing templates

Finally, as mentioned above, the appendix to the Code contains a number of useful templates which update the versions which were in the previous ICO Data Sharing Code. These may be helpful for organisations which do not have established documentation and procedures in place for data sharing. Organisations which were using the old ICO templates should now update them. The updated documents include the following:

For more information on data sharing or putting together a data sharing agreement, please speak to Mairead O’Reilly.

This information is necessarily of a general nature and doesn’t constitute legal advice. This is not a substitute for formal legal advice, given in the context of full information under an engagement with Bates Wells.

All content on this page is correct as of January 18, 2021.