The data sharing code (“Code”), published by the UK Information Commissioner’s Office (“ICO”), enters into force today (5 October 2021) following its publication on 14 September 2021. The Code is a statutory code of practice made under section 121 of the Data Protection Act 2018 and seeks to provide a guide for organisations about how to share personal data in compliance with data protection law.
Overview and status of the Code
The Code aims to provide practical guidance to organisations on how to share data fairly and lawfully, and how to meet accountability obligations, including ‘clearing up misconceptions about data sharing and barriers to sharing’.
The Code is not new law, but a statutory Code of Practice under the Data Protection Act 2018. The Code contains optional good practice recommendations, to help organisations adopt an effective approach to data protection compliance. These recommendations do not have the status of legal requirements but the ICO must take the code into account when considering whether an organisation has complied with its data protection obligations when sharing data. Further, the Code can also be used in evidence in court proceedings, and the courts must take its provisions into account wherever relevant.
Summary of key practical steps for organisations
- Data sharing between controllers – the Code focuses on the sharing of personal data between controllers, it does not cover the sharing of personal data between controllers and processors.
- DPIAs – when deciding to share data, controllers must consider whether the data sharing achieves a benefit and is necessary, as well as considering overall compliance with data protection law. The Code recommends that as a first step, a Data Protection Impact Assessment (DPIA) is carried out, even where there is no legal requirement to do so, to assist with assessing any risks with the proposed data sharing, and work out how to mitigate these risks.
- Data Sharing Agreements – The Code states that it is good practice (and mandatory for joint controllers) to have a data sharing agreement in place which sets out: the purpose of the data sharing; what happens to the data at each stage; standards for sharing; and the roles and responsibilities of each party. The Code provides practical examples of what should be included in a the data sharing agreement, including a model form for seeking individuals’ consent for data sharing (where that is the lawful basis); a diagram to show how to decide whether to share data; and a data sharing request form. The ICO will take into account the existence of any relevant data sharing agreement when assessing any complaint received.
- Accountability – The Code states that the “importance of accountability cannot be overstated”. Organisations involved in data sharing arrangements are responsible for compliance with the UK GDPR and DPA 2018, and must be able to demonstrate that compliance. This includes measures such as implementing a data protection policy which adopts a “data protection by design and default” approach, maintaining relevant documentation (e.g. Article 30 records, Data Sharing Agreements, DPIAs) and adopting additional measures as necessary.
- Fairness and transparency in data sharing – the Code reminds Controllers that individuals must always be treated fairly and their data should not be used in ways that would have unjustified adverse effects on them. Any sharing of personal data must be reasonable and proportionate and individuals must know what is happening to their data. Transparency is key and before sharing data, individuals must be provided with information about the use of their personal data in a way that is accessible and easy to understand. The Code recommends that as part of fairness and transparency considerations, ethical factors should be taken into consideration when deciding whether to share personal data; including considering “whether it is right to share it”.Security – the Code is clear that when data is shared with another organisation, that organisation will take on their own legal responsibilities for the data, including its security. However, the Code recommends that the sharing organisation should still take reasonable steps to ensure that the data it shares will continue to be protected with adequate security by the recipient organisation, including: ensuring that the recipient understands the nature and sensitivity of the information; taking reasonable steps to be certain that security measures are in place, including ensuring that an agreed set of security standards are incorporated into the data sharing agreement; and resolving any difficulties before personal data is shared in cases where each organisation has different standards of security etc.
- Data Subject Rights – a data sharing arrangement, must contain policies and procedures that allow data subjects to exercise their individual rights easily and details of how to exercise these rights must be set out in the privacy information issued to individuals. Where data is shared between multiple organisations, the Code recommends that it is good practice to provide a single point of contact for individuals, which allows them to exercise their rights over the data that has been shared, without making multiple requests to several organisations. Where the data sharing arrangement involves solely automated processing, the Code is clear that additional steps need to be taken, including, carrying out a DPIA, explaining to individuals about their rights to challenge a decision and request human intervention; and ensuring measures are in place to prevent errors, bias and discrimination in systems.
- M&A Transactions – The Code provides guidance on data sharing arising from a merger or acquisition or other change in organisational structure, where this results in a transfer data to a different or additional controller. The Code provides a list of considerations when sharing data in these circumstances, including:
- ensuring that the data sharing is considered as part of the due diligence carried out;
- establishing what data is being transferred;
- identifying the purposes for which the data was originally obtained;
- establishing a lawful basis for sharing the data;
- ensuring compliance with the data processing principles – especially lawfulness, fairness and transparency;
- documenting the data sharing;
- seeking technical advice before sharing data where different systems are involved; and
- considering when and how to inform data subjects about what is happening.
- Sharing personal data in databases and lists – the Code contains recommendations in relation to the transfer of databases or lists of individuals. The Code states that it is the responsibility of the recipient to satisfy itself about the integrity of the data supplied and to make appropriate enquiries and checks, including: to confirm the source of the data; identify the lawful basis on which it was obtained and that any conditions about that lawful basis were complied with; check what individuals were told at the time of handing over their data; verify details of how and when the data was initially collected; check the records of consent (if consent is relied upon); review and check the privacy information given at the time of collection of the data; check that the data is accurate and up to date; and ensure that the data received is not excessive or irrelevant.
- Children’s data – The Code is clear that extra care must be taken when sharing children’s data. Children’s data should only be shared where it can be demonstrated that there is a compelling reason to do so, taking account of the best interests of the child. A DPIA should be used to assess and mitigate risks to the rights and freedoms of children, which arise from the data sharing; and due diligence checks should be carried out on the recipient organisation.
Please get in touch with any member of the UK data protection team if you have any questions about the Code and it impact on your organisation.