On December 17, 2020, the UK Information Commissioner’s Office (‘ICO’) published its Data Sharing Code of Practice (the ‘Code’) following a public consultation which commenced in 2019. The Code focuses mainly on data sharing among data controllers who are subject to the GDPR and the UK Data Protection Act (‘DPA’) 2018. Data controllers falling within the scope of the ICO’s enforcement powers should take the Code into account when sharing personal data because it will help them comply with their data protection obligations. Due to the detailed way in which the Code covers data sharing in the context of the GDPR, it will also be of wider interest to data controllers in the EU and beyond – even after the end of the Brexit transition period.
Examples of some of the key topics covered in the Code are as follows:
- Data Protection Impact Assessments (‘DPIAs’) – When data controllers are considering sharing personal data, the Code recommends ‘that as a first step you carry out a Data Protection Impact Assessment (DPIA), even if you are not legally obliged to carry one out’. Although DPIAs are only required where the data sharing is likely to result in a high risk to individuals, the ICO considers that in a data sharing scenario it ‘is an invaluable tool to help you assess any risks in your proposed data sharing, and work out how to mitigate these risks’.
- Data sharing agreements – The Code notes that it is good practice to have a data sharing agreement in place, emphasizing that the ICO ‘will take into account the existence of any relevant data sharing agreement when assessing any complaint we receive about your data sharing’. The Code goes on to detail the key items which should be addressed in the data sharing agreement. Examples include:
  - information about the purpose of the data sharing initiative (which should be documented ‘in precise terms’);
  - procedures for compliance with data subject rights; and
  - data governance arrangements: the data sharing agreement should deal with the main practical problems that may arise when sharing personal data, such as ensuring that there are common rules for retention and deletion of shared data.

  The Code also describes some appendices and annexes which are ‘likely to be helpful’, such as (i) a model form for seeking individuals’ consent for data sharing, where that is the lawful basis; and (ii) a diagram to show how to decide whether to share personal data.
- Responsibilities after sharing personal data – In a section on ‘security’, the Code explains that the data controller receiving the personal data will take on its own responsibilities for that data. Nevertheless, the disclosing data controller ‘should still take reasonable steps to ensure that the data you share will continue to be protected with adequate security’. For example, the Code notes that the disclosing data controller should (i) ensure that the receiving data controller understands the nature and sensitivity of the information; (ii) take reasonable steps to be certain that security measures are in place; and (iii) resolve any difficulties before sharing the personal data in cases where the receiving data controller has different standards of security, different IT systems and procedures, or different protective marking systems.
- The impact of data sharing on obligations with respect to data subject rights – The Code notes, for example, that (i) data controllers sharing personal data ‘must have policies and procedures that allow individuals to exercise their rights easily, and […] must set these out in [the] data sharing agreement’; and (ii) in a data sharing arrangement it is good practice to provide a single point of contact for individuals, which allows them to exercise their rights over personal data without making multiple requests to several organizations.
- Responsibilities of data controllers receiving databases or lists containing personal data – The Code notes that where a data controller receives such a database or list, it is the data controller’s responsibility to satisfy itself about the integrity of the personal data supplied. The receiving data controller should make appropriate enquiries and checks, including, for example: (i) confirming the source of the personal data; (ii) identifying the lawful basis on which it was obtained and confirming that any conditions surrounding that lawful basis were complied with; and (iii) reviewing a copy of the privacy information given to data subjects at the time of collection of the personal data.
The Code can be found here. The ICO submitted the Code to the UK Secretary of State on December 17, 2020. The Secretary of State will lay the Code before Parliament for its approval for 40 days. If there are no objections, it will come into force 21 days after that.
At the same time as publishing the Code, the ICO also launched a ‘Data Sharing Hub’ containing some other resources, such as a page setting out data sharing basics and a page busting data sharing myths.