The UK’s supervisory authority, the Information Commissioner’s Office (ICO), published a new data sharing code of practice (Code), available here, which addresses the requirements for data sharing under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018).
Once approved by Parliament, the Code will become a statutory code of practice. Thereafter, the Code will be used by the ICO when assessing whether organisations have complied with their data protection obligations when sharing personal data. The Code applies to the sharing of personal data between controllers, as well as giving access to personal data to third parties. It does not, however, apply to data sharing with a processor, nor the disclosure of data within an organisation.
The Code contains practical guidance for controllers on how they can share data fairly and lawfully and how they can meet their accountability obligations under the GDPR and the DPA 2018. It also addresses misconceptions regarding data sharing, such as clarifying that data protection laws do not prevent data sharing (as long as the sharing is lawful, fair and proportionate) and that most data sharing does not rely on consent as the lawful basis.
The Code covers the factors organisations need to take into consideration when sharing personal data, such as complying with data protection laws, conducting data protection impact assessments when the sharing is likely to result in a high risk to individuals, and putting in place data sharing agreements as good practice. Additionally, the Code requires organisations to follow the key data protection principles when sharing personal data and ensure: (i) accountability, i.e., being able to demonstrate compliance, (ii) fairness and transparency, (iii) identifying a lawful basis for sharing the personal data prior to sharing, and (iv) processing personal data securely, with appropriate organisational and technical measures in place.
The Code also offers guidance regarding situations where children’s personal data is shared, or in emergencies (such as situations where there is a risk of serious harm to human life). When sharing personal data of children, the Code states that additional care must be taken, and lists the factors organisations should consider when deciding whether to share children’s personal data, such as having a compelling reason and balancing the best interests of the child against the rights of others. In emergencies, organisations should share personal data as is necessary and proportionate.
The ICO also provided in the Code a data sharing checklist and data sharing request and decision templates. This will assist organisations with their initial decision regarding whether to share personal data or not, and with demonstrating accountability.
To supplement the Code, the ICO also launched a data sharing information hub, available here, which aims to provide targeted guidance and practical tools for organisations and businesses. Some of these tools include a data sharing checklist, various templates and toolkits, and practical case studies.
The ICO submitted the Code to the Secretary of State on 17 December 2020 and it is expected to receive approval in February 2021.