The ICO's views on data sharing

The UK's Information Commissioner's Office's new code on data sharing (Code) came into force on 5 October 2021, replacing its 2011 predecessor (published under the Data Protection Act 1998). The Code seeks to provide controllers with clarity and confidence on how to share personal data in compliance with data protection law, pushing the message that the UK GDPR shouldn't stop organisations from sharing data, but instead act as a framework for it. The UK GDPR does not expressly regulate sharing of personal data between controllers, except where they are joint controllers which can create uncertainty.

Although much of the Code restates general ICO guidance, organisations will find value in its optional good practice recommendations (and accompanying examples), which will assist in achieving and demonstrating compliance. It will come as no surprise that demonstrating compliance means more paperwork – in this context the Code strongly encourages carrying out Data Protection Impact Assessments and entering into Data Sharing Agreements. We discuss these and the other key takeaways for controllers operating in the private sector below.

Audience and scope

The Code is addressed to Data Protection Officers and those with similar responsibilities, and applies to data sharing between controllers (whether separate or joint). Sharing data within an organisation or with processors is not covered by the Code, since this is covered separately under the UK GDPR.

Legal status

The Code is a statutory code which means the ICO and courts will take it into account when considering data protection compliance and issues in legal proceedings. Courts will rarely depart from statutory codes unless there is good reason to.

DPIA by default

Before starting to share personal data, the Code recommends performing a DPIA even when not legally required (DPIAs are only mandatory under the UK GDPR where processing is likely to result in a high risk to individuals). This is to assist organisations with assessing and documenting the risks of data sharing and to identify where additional safeguards are needed.

The Code explains that the DPIA process can be flexible and scalable, emphasising that it doesn’t need to be a 'bolt-on' process, but can be integrated into existing risk frameworks.

Data Sharing Agreements

DSAs are different from data processing agreements or addendums to commercial agreements. They are optional (although are strongly recommended in a joint controller scenario) and do not follow a strict format. The Code provides examples of what should be included in a DSA, including: the purpose of the data sharing, what happens at each stage and a set of standards that each party must comply with when transferring data. The Code also encourages use of visual tools, such as flow diagrams that provide a framework for deciding whether or not to share data.

The ICO considers it good practice to have DSAs in place, as they help the parties understand their roles and responsibilities and provide a framework for demonstrating compliance. Importantly the ICO will consider DSAs when assessing any complaint about an organisation's data sharing.

Demonstrating accountability

According to the Code, the “importance of accountability cannot be overstated,” emphasising the requirement not only to comply, but also to demonstrate compliance with the law. The Code identifies the following practical ways of showing compliance:

• having a data protection policy that adopts a “data protection by design and default” approach
• ensuring accurate Article 30 records of processing
• recording the lawful basis for processing, information provided to individuals, any consents obtained, and any personal data breaches.

Lawfulness

The Code reiterates that organisations must ensure all data sharing is lawful. In addition to identifying a lawful basis and complying with general data protection law, organisations must also consider any other applicable law, industry specific regulation and any internal documentation (eg an organisation's constitutional documents, legal agreements). The Code states that large organisations with complex, large scale processing should consider obtaining legal advice.

Sharing data securely

The Code explains that even after sharing, the supplying organisation should take reasonable steps to ensure the recipient applies adequate security measures. In practice, this may include, ensuring:

• the recipient understands the nature and sensitivity of the data
• the DSA (if entered into) includes agreed security standards
• any differences between the parties are addressed eg differences in security standards, IT systems, procedures and marking systems.

The Code notes that a DPIA can be an effective means of considering these issues and implementing appropriate mitigating measures.

Individuals' rights

The Code provides helpful guidance on and examples of how to enable individuals to exercise their rights under the UK GDPR in a data sharing scenario.

• Information rights: the Code recommends identifying a single point of contact in the DSA and noting this in the privacy information given to individuals. Ultimately individuals have the right to choose who they approach to exercise their rights, but this can streamline the process.
• Erasure, rectification and restriction of processing: the Code recommends controllers have clear lines of communication and implement policies and procedures targeted at handling them.
• Automated processing: where automated processing as described under Article 22 occurs, the Code explains that entities must: (i) give individuals specific information about the processing; (ii) explain their rights to challenge a decision and request human intervention; (iii) ensure measures are in place to prevent errors, bias and discrimination in systems; and (iv) where processing includes profiling, inform individuals of their right to object under Article 21.

The Code encourages organisations to inform individuals of any automated decision making or profiling outside the scope of Article 22 as a matter of transparency and good practice.

Mergers, acquisitions and reorganisations

The Code lists requirements controllers need to consider where there is a change in an organisation's ownership or corporate structure.

• Before the change: data sharing must be considered as part of the due diligence process – the Code provides a list of broad points to consider, including: (i) identifying the purpose for which the data was originally obtained; (ii) establishing a lawful basis for the sharing; (iii) considering the data processing principles, among others.
• After the change: the Code provides a checklist of governance issues to consider, including: (i) checking data records are current and accurate; (ii) documenting what is done with the data; (iii) complying with a consistent retention policy; and (iv) ensuring appropriate security measures are in place.

Databases and marketing lists

The Code explains that recipients of databases and lists must ensure compliance with data protection laws and the integrity of the data supplied. In this context, recipients should make appropriate enquiries to the supplying organisation, and are recommended to enter into a written contract with the supplying organisation which includes the reassurances that the recipient organisation would require. Recipients should also ensure that they meet their Article 14 information provision obligations.

Significantly, we are still waiting for the ICO to finalise the new Direct Marketing Code of Practice (the draft code was published for consultation in January 2020), although the Code deals briefly with thise issue.

Children's data

Extra care should be taken when sharing children's data - it should only be shared where an organisation can "demonstrate a compelling reason to do so, taking account of the best interests of the child". This reflects the position under the ICO's Age Appropriate Design Code (also known as the Children's Code) which applies to organisations providing goods and services likely to be accessed by children online in the UK. The Code provides a list of points to consider and recommends performing a DPIA to assess and mitigate risks to the rights and freedoms of children.

Resources

In addition to the examples provided throughout, the Code has three annexes that organisation may find useful:

• Annex A: a step-by-step guide to deciding whether to share personal data
• Annex B: a data sharing request form template
• Annex C: a list of case studies.

What's next?

In this Code the ICO has sent a clear message that organisations must not only comply with data protection law, but be able to demonstrate compliance. In the context of data sharing this means entering into DSAs and performing DPIAs, even when not strictly required by law.

In particular, the greater the number of individuals affected by the data sharing, and the more complex and high risk the data sharing, the greater the expectation will be on organisations to demonstrate lawful sharing of data.  Most organisations are already doing this on an ad-hoc basis. The next step will be to incorporate these and other considerations mentioned in the Code into existing risk frameworks and internal procedures.

Remember, sharing is caring but only if it is in compliance with data protection law, and for that we are here to help!