ICO publishes Data Sharing Code of Practice
Many companies need to share personal data with other organisations, be this reciprocal or one-way, a regular activity or ad hoc.
Data protection law has never stopped you doing this; however, you do need to make sure your data sharing is lawful and transparent, and keep the other core data protection principles top of mind.
The ICO recently published a new Data Sharing Code of Practice. At 88 pages it’s detailed and covers the steps the Regulator would expect organisations to have covered off.
It’s worth noting the Code focuses on controller-to-controller data sharing; it doesn’t cover:
- sharing personal data with processors. The contractual requirements for controller-to-processor relationships are set out in GDPR Article 28. Also see Getting your supplier contracts right.
- sharing data within your organisation.
To give you a snapshot of the Code, here’s our quick 10-point data sharing checklist.
- Necessity: do you really need to share personal data? Consider whether the same objective could be achieved in a different way or whether the data could be anonymised. You need to be able to demonstrate the sharing of personal data is necessary.
- Transparency: do people know their data is being shared? Have you told them, how did you tell them and is this sufficient? There shouldn’t be any surprises!
- Lawful basis: clearly identify a lawful basis for sharing and meet the relevant conditions for this basis. For example, if you’re relying on legitimate interests, have you conducted an assessment? See our Legitimate Interests Guidance.
- Data minimisation: can you reduce the amount of personal data you’re sharing? Does the other organisation only need a specific subset?
- Security: agree appropriate technical and organisational measures to protect the personal data, both in transit and at rest. This includes the secure transfer of, and/or access to, the data. Also be sure to have procedures in place for dealing with a potential data breach. It’s worth noting the Code says, ‘Organisations that you share data with take on their own legal responsibilities for the data, including its security. However you should still take reasonable steps to ensure that the data you share will continue to be protected with adequate security by the recipient organisation.’
- Individual rights: implement appropriate policies and procedures so people can easily exercise their privacy rights.
- Retention and destruction: have you decided how long the personal data needs to be kept for? Do you have arrangements in place for data destruction when this period ends? See our Retention Guidance.
- International transfers: is the personal data being shared with an organisation based outside the UK or EEA? It’s important to consider the compliance of any international transfers, especially in our post-Brexit world. See the ICO’s guidance on data protection at the end of the transition period.
- Data Sharing Agreements: do you need an agreement in place to cover the data you’re sharing? This could be a separate agreement, or could be covered by the inclusion of specific data protection elements within other contractual terms. The Code includes details of what such an agreement should include.
- DPIA: should you conduct a Data Protection Impact Assessment (DPIA)? Even if the sharing doesn’t fall under the mandatory requirement to carry out an assessment, it may be a good idea to conduct one anyway. A DPIA will help you to cover off all of the above points. See our DPIA guide.
Other data sharing points to consider
If you’re planning to share children’s data, proceed with extreme care. You need to assess how to protect children from the outset. You’ll need a compelling reason to share data relating to under 18s. My advice – definitely conduct a DPIA.
Mergers & acquisitions
If you’re engaged in a merger or acquisition, or another change in your company’s structure, which means you’ll have to share data, it’s crucial to consider this sharing as part of your due diligence. It may be necessary to conduct a DPIA to assess the risks this transfer represents.
Sharing data lists
Data lists are often shared by data brokers, credit reference agencies, political parties, marketing agencies and so on. The ICO’s code makes it clear, ‘you are responsible for compliance with the law for the data you receive, and for data that is shared on your behalf. You must make appropriate enquiries and checks in respect of the data, including its source and any consent given.’
In an emergency
We’ve all heard the tales about people being scared they’ll be breaching data protection rules if they share personal data with paramedics, doctors or others in emergency situations. The message from the ICO is clear, ‘in an emergency you should go ahead and share data as is necessary and proportionate.’
Why is the code important?
If someone raises a concern with the ICO about your sharing of data, the Regulator will take into account this Data Sharing Code when assessing whether you have complied with data protection law or not.
Philippa Donn, December 2020
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.