The UK Information Commissioner's Office's new code of practice on data sharing (the Code) came into force on 5 October 2021, replacing its 2011 predecessor (published under the Data Protection Act 1998). The Code seeks to give controllers clarity and confidence on how to share personal data in compliance with data protection law, pushing the message that the UK GDPR should not stop organisations from sharing data but should instead act as a framework for doing so. The UK GDPR does not expressly regulate the sharing of personal data between controllers, except where they are joint controllers, which can create uncertainty.
Although much of the Code restates general ICO guidance, organisations will find value in its optional good practice recommendations (and accompanying examples), which will assist in achieving and demonstrating compliance. It will come as no surprise that demonstrating compliance means more paperwork – in this context the Code strongly encourages carrying out Data Protection Impact Assessments and entering into Data Sharing Agreements. We discuss these and the other key takeaways for controllers operating in the private sector below.
The Code is addressed to Data Protection Officers and those with similar responsibilities, and applies to data sharing between controllers (whether separate or joint). Sharing data within an organisation or with processors is not covered by the Code, since this is covered separately under the UK GDPR.
The Code is a statutory code which means the ICO and courts will take it into account when considering data protection compliance and issues in legal proceedings. Courts will rarely depart from statutory codes unless there is good reason to.
Before starting to share personal data, the Code recommends performing a DPIA even when not legally required (DPIAs are only mandatory under the UK GDPR where processing is likely to result in a high risk to individuals). This is to assist organisations with assessing and documenting the risks of data sharing and to identify where additional safeguards are needed.
The Code explains that the DPIA process can be flexible and scalable, emphasising that it doesn’t need to be a 'bolt-on' process, but can be integrated into existing risk frameworks.
DSAs are different from data processing agreements or addenda to commercial agreements. They are optional (although they are strongly recommended in a joint controller scenario) and do not follow a strict format. The Code provides examples of what should be included in a DSA, including: the purpose of the data sharing, what happens at each stage, and a set of standards that each party must comply with when transferring data. The Code also encourages the use of visual tools, such as flow diagrams, that provide a framework for deciding whether or not to share data.
The ICO considers it good practice to have DSAs in place, as they help the parties understand their roles and responsibilities and provide a framework for demonstrating compliance. Importantly the ICO will consider DSAs when assessing any complaint about an organisation's data sharing.
According to the Code, the “importance of accountability cannot be overstated,” emphasising the requirement not only to comply, but also to demonstrate compliance with the law. The Code identifies the following practical ways of showing compliance:
The Code reiterates that organisations must ensure all data sharing is lawful. In addition to identifying a lawful basis and complying with general data protection law, organisations must also consider any other applicable law, industry specific regulation and any internal documentation (eg an organisation's constitutional documents, legal agreements). The Code states that large organisations with complex, large scale processing should consider obtaining legal advice.
The Code explains that even after sharing, the supplying organisation should take reasonable steps to ensure the recipient applies adequate security measures. In practice, this may include ensuring:
The Code notes that a DPIA can be an effective means of considering these issues and implementing appropriate mitigating measures.
The Code provides helpful guidance on and examples of how to enable individuals to exercise their rights under the UK GDPR in a data sharing scenario.
The Code encourages organisations to inform individuals of any automated decision making or profiling outside the scope of Article 22 as a matter of transparency and good practice.
The Code lists requirements controllers need to consider where there is a change in an organisation's ownership or corporate structure.
The Code explains that recipients of databases and lists must ensure compliance with data protection laws and the integrity of the data supplied. In this context, recipients should make appropriate enquiries to the supplying organisation, and are recommended to enter into a written contract with the supplying organisation which includes the reassurances that the recipient organisation would require. Recipients should also ensure that they meet their Article 14 information provision obligations.
Significantly, we are still waiting for the ICO to finalise the new Direct Marketing Code of Practice (the draft code was published for consultation in January 2020), although the Code deals briefly with this issue.
Extra care should be taken when sharing children's data - it should only be shared where an organisation can "demonstrate a compelling reason to do so, taking account of the best interests of the child". This reflects the position under the ICO's Age Appropriate Design Code (also known as the Children's Code) which applies to organisations providing goods and services likely to be accessed by children online in the UK. The Code provides a list of points to consider and recommends performing a DPIA to assess and mitigate risks to the rights and freedoms of children.
In addition to the examples provided throughout, the Code has three annexes that organisations may find useful:
In this Code the ICO has sent a clear message that organisations must not only comply with data protection law, but be able to demonstrate compliance. In the context of data sharing this means entering into DSAs and performing DPIAs, even when not strictly required by law.
In particular, the greater the number of individuals affected by the data sharing, and the more complex and high risk the data sharing, the greater the expectation will be on organisations to demonstrate lawful sharing of data. Most organisations are already doing this on an ad-hoc basis. The next step will be to incorporate these and other considerations mentioned in the Code into existing risk frameworks and internal procedures.
Remember, sharing is caring but only if it is in compliance with data protection law, and for that we are here to help!